Vowchurch and District Group Parish Council
Subject Access Policy
Adopted by the Council on 21st June 2018
This policy was adopted by the Parish Council in order to comply with the requirements of the General Data Protection Regulations (GDPR), which come into force on 25 May 2018.
Individuals have the right to access personal data that may be held on them by the Council. This is referred to as “Subject Access”. Details are set out in the Privacy Notice on the Council’s website.
This policy is in place to ensure that internal procedures on handling of Subject Access Requests (SARs) are accurate and complied with. It includes:
- Responsibilities (who, what)
- Timing
- Changes to data
- Handling requests for rectification, erasure or restriction of processing.
The Council will ensure that personal data is easily accessible at all times in order to ensure a timely response to SARs.
The Council has implemented standards on responding to SARs.
Upon receipt of a SAR
The data subject will be asked to contact the Parish Clerk.
The identity of the data subject will be verified and, if needed, any further evidence on the identity of the data subject may be requested.
The access request will be verified to establish what personal data is being requested. If this is not clear, additional information will be requested.
Requests will be considered to ensure that they are not unfounded or excessive (in particular because of their repetitive character). If they are, the Council may refuse to act on the request.
Receipt of the SAR will be promptly acknowledged.
Whether the Council processes the data requested will be established. If the Council does not process such data, the data subject will be informed accordingly.
Data will not be changed as a result of the SAR. Routine changes as part of the processing activities concerned may be permitted.
The data requested will be verified to establish if it involves data on other data subjects.
This data will be filtered before the requested data is supplied to the data subject; if data cannot be filtered, other data subjects will be contacted to give consent to the supply of their data as part of the SAR.
Responding to a SAR
The Council will respond to a SAR within one month after receipt of the request. If more time is needed to respond to complex requests, an extension of another two months is permissible, and this will be communicated to the data subject in a timely manner within the first month.
If the Council cannot provide the information requested, it will inform the data subject of this decision without delay and at the latest within one month of receipt of the request.
If a SAR is submitted in electronic form, any personal data will preferably be provided by electronic means as well.
If data on the data subject is processed, the Council will ensure that the SAR response includes, as a minimum, the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom personal data has been disclosed;
- where possible, the envisaged period for which personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with the Information Commissioner's Office (“ICO”);
- if the data has not been collected from the data subject, the source of such data;
- a copy of the personal data undergoing processing.