Data Subject Rights and Requests Policy and Procedure

This document sets out the legal requirements for access requests, together with Progress to Excellence Ltd.’s (PtoE) policy for responding to and processing subject access requests under the General Data Protection Regulation (GDPR), as of 25 May 2018.

The GDPR clarifies that the reason for allowing data subjects to access their personal data is so that they are aware of and can verify the lawfulness of the processing.

The GDPR provides the following rights for data subjects:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

Fee(s) and Objection

Legally, PtoE must provide a copy of the requested information (or make the requested changes, restrictions, etc.) free of charge. However, a ‘reasonable fee’ may be charged when a request is manifestly unfounded or excessive, particularly if it is repetitive.

A reasonable fee may also be charged to comply with requests for further copies of the same information. This does not mean that PtoE can charge for all subsequent access requests.

The fee must be based on the administrative cost of providing the information.

Where requests are manifestly unfounded or excessive, in particular because they are repetitive, PtoE reserves the right to:

  • Charge a reasonable fee taking into account the administrative costs of providing the information
  • Refuse to respond.

When refusing a request, PtoE acknowledges that the data subject must be informed of the reasons why action is not being taken and also made aware of their right to complain to the supervisory authority and to a judicial remedy.

This must be done without undue delay and at the latest within one month. The same time limit applies to every type of request listed above.

Supplying of Information

Firstly, PtoE is entitled to request as much proof of identity as it considers necessary, within ‘reasonable means’, to confirm that the requester is who they say they are. Identity must be verified before any information is supplied.

If the person requesting the information is a relative or representative of the data subject concerned, the relative/representative is entitled to personal data about themselves but must supply the data subject’s consent for the release of the data subject’s personal data. If they have been appointed to act on behalf of the data subject under the Mental Capacity Act 2005, they must confirm their capacity to act on the data subject’s behalf and explain how they are entitled to access the information.

All requests/rectifications should be submitted to PtoE’s appointed Data Protection Officer (DPO), Michael Williams.

When a request is submitted, the DPO will liaise with Peninsula Business Services to determine the best way to proceed, so that the requested information is provided efficiently, effectively and lawfully.

If the request is made electronically, PtoE will provide the information in a commonly used electronic format.

PtoE declares that all requests should be submitted via one of the following:

Email: Michael Williams – Data Protection Officer – Michael.williams@progresstoexcellence.co.uk

Post:
FAO Data Protection Officer,
Progress to Excellence Ltd,
G8 Pacific Road,
Birkenhead,
CH41 1LJ.

Requests should include contact details that the Data Protection Officer can use to respond.

Right of Access

Data subjects have the right to access their personal data and supplementary information. The right of access allows data subjects to be aware of and verify the lawfulness of the processing.

Under the GDPR, data subjects have the right to obtain:

  • Confirmation that their data is being processed
  • Access to their personal data
  • Other supplementary information – this largely refers to the information that should be provided in a privacy notice.

Information must be provided without delay and at the latest within one month of receipt of the request.

The period for compliance may be extended by a further two months where requests are complex or numerous. If so, the individual who made the request must be informed within one month of receipt of the request and given an explanation of why the extension is necessary.

When responding to a subject access request, the following information needs to be provided:

  • A description of the personal data, the purpose for which it is processed, recipients, retention period and rights of rectification, erasure, restriction and objections
  • A copy of the information comprising the data
  • Details of the source of the data.

Right of Rectification

Data subjects have the right to have inaccurate personal data rectified without undue delay. The GDPR dictates that this should occur within one month, or two months for complex requests. If no action is to be taken, PtoE is required to explain why to the data subject, informing them of their right to complain and to a judicial remedy.

Data subjects may also be able to have incomplete personal data completed – although this will depend on the purposes for the processing. This may involve providing a supplementary statement to the incomplete data.

If PtoE receives a request for rectification, the organisation will take reasonable steps to confirm whether the data is accurate and to rectify it if necessary.

PtoE will take into account the arguments and evidence provided by the data subject, weighing up the nature of the data and its usage.

Separately, following a rectification request PtoE will investigate how the error occurred in the first place, to ensure that it does not happen again.

If, as an organisation, PtoE is satisfied that the personal data is accurate, it will tell the data subject that the data will not be amended. PtoE will explain the decision and inform them of their right to make a complaint to the ICO or another supervisory authority, and of their ability to seek to enforce their rights through a judicial remedy.

Right of Erasure

The right to erasure (‘the right to be forgotten’) gives data subjects the right to request that personal data be deleted or removed where there is no compelling reason for its continued processing.

The right to erasure is not an absolute ‘right to be forgotten’; it applies where, for example:

  • The personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
  • The data subject withdraws consent.

In PtoE’s case, the majority of the data collected is processed on a legal basis and for monitoring purposes. Collecting and processing the data ensures that PtoE can lawfully support learners, employers and stakeholders through accredited qualifications.

PtoE acknowledges that any request for erasure must be acted upon without undue delay and at the latest within one month of receipt.

The time limit to deal with a request should be calculated from the day after receiving the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.

If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, PtoE will have until the next working day to respond.

This means that the exact number of days available to comply with a request varies, depending on the month in which the request is made.

Right to Restrict Processing

Article 18 of the GDPR gives data subjects the right to restrict the processing of their personal data in certain circumstances. This means that a data subject can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data.

Data subjects have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction. This may be because they have issues with the content of the information being held or how the data has been processed.

In most cases PtoE will not be required to restrict a data subject’s personal data indefinitely, but will need to have the restriction in place for a certain period of time.

In PtoE’s case, the majority of the data collected is processed on a legal basis and for monitoring purposes. Collecting and processing the data ensures that PtoE can lawfully support learners, employers and stakeholders through accredited qualifications. Therefore, any request for the restriction of processing would need to be considered carefully, as it could have a serious impact on the delivery of an accredited qualification.

Data subjects have the right to request the restriction of processing of their personal data in the following circumstances:

  • The data subject contests the accuracy of their personal data and PtoE is verifying the accuracy of the data
  • The data has been unlawfully processed (i.e. in breach of the lawfulness requirement of the first principle of the GDPR) and the data subject opposes erasure and requests restriction instead
  • PtoE no longer needs the personal data but the data subject requires it to be kept in order to establish, exercise or defend a legal claim
  • The data subject has objected to PtoE processing their data under Article 21(1), and PtoE is considering whether it has legitimate grounds that override those of the data subject.

Although this is distinct from the right to rectification and the right to object, there are close links between those rights and the right to restrict processing:

  • If a data subject has challenged the accuracy of their data and asked for PtoE to rectify it (Article 16), they also have a right to request that PtoE restrict processing whilst considering the rectification request
  • If a data subject exercises their right to object under Article 21(1), they also have a right to request that PtoE restrict processing whilst considering the objection request.

Therefore, as a matter of good practice, PtoE acknowledges that processing should be restricted while the accuracy of, or the legitimate grounds for processing, the personal data is in question. The requester should, however, be aware that by restricting processing they are limiting the service that PtoE can provide to them.

The GDPR suggests a number of different methods that could be used to restrict data, such as:

  • Temporarily moving the data to another processing system
  • Making the data unavailable to users
  • Temporarily removing published data from a website.

It would not be financially viable for PtoE to move data to another processing system, and the organisation would not usually publish personal data on the company website. For PtoE, therefore, the most practical way to restrict processing is to lock the data and make it unavailable to users. This would be done through a combination of internal IT/management information controls and the external IT support company, CNS IT Ltd.

PtoE is aware that it must not process the restricted data in any way except to store it unless:

  • The data subject has given consent
  • It is for the establishment, exercise or defence of legal claims
  • It is for the protection of the rights of another data subject (natural or legal)
  • It is for reasons of important public interest.

If the now-restricted data has previously been disclosed to others, PtoE will contact each recipient and inform them of the restriction of the personal data, unless this proves impossible or involves disproportionate effort. If asked to, PtoE will inform the data subject about these recipients.

The GDPR defines a recipient as a natural or legal person, public authority, agency or other body to which the personal data are disclosed. The definition includes controllers, processors and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

In many cases the restriction of processing is only temporary, specifically when the restriction is on the grounds that:

  • The data subject has disputed the accuracy of the personal data and PtoE is investigating this
  • The data subject has objected to PtoE processing their data on the basis that it is necessary for the performance of a task carried out in the public interest or for the purposes of legitimate interests, and PtoE is considering whether the organisation has legitimate grounds that override those of the individual.

Once PtoE has made a decision on the accuracy of the data, or whether the organisation’s legitimate grounds override those of the data subject, PtoE may decide to lift the restriction. For the restriction to be lifted, PtoE acknowledges that the data subject must be informed beforehand.

This means that if PtoE is informing the individual that the organisation is lifting the restriction (on the grounds that PtoE is satisfied that the data is accurate, or that its legitimate grounds override theirs), PtoE is legally obliged to inform them of the reasons for the refusal to act upon their rights under Articles 16 or 21.

PtoE will also need to inform them of their right to make a complaint to the ICO or another supervisory authority; and their ability to seek a judicial remedy.

PtoE acknowledges that any request to restrict processing must be acted upon without undue delay and at the latest within one month of receipt.

The time limit to deal with a request should be calculated from the day after receiving the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.

If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, PtoE will have until the next working day to respond.

This means that the exact number of days available to comply with a request varies, depending on the month in which the request is made.
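The one-month calculation set out above (and in the Right of Erasure section) is easy to get wrong at month ends and weekends, so the following added example, which is not part of the PtoE policy, works it through in code. The sample request dates and the two Christmas bank holidays are constructed for illustration; treating the optional two-month extension with the same calendar rule is this example's assumption, not something the policy states.

```python
"""Response-deadline calculator for the one-month time limit in this policy.
Added example, not part of the PtoE document."""
from datetime import date, timedelta
import calendar


def add_months(d: date, n: int) -> date:
    """Corresponding calendar date n months on; if that month is shorter
    (e.g. 31 Mar -> '31 Apr'), fall back to the last day of that month."""
    total = d.month - 1 + n
    year, month = d.year + total // 12, total % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def response_deadline(received: date, public_holidays=frozenset(),
                      extension_months: int = 0) -> date:
    """Latest response date for a request received on `received`.

    Policy rule: the clock starts the day after receipt (working day or
    not), runs to the corresponding date in the next month, and a deadline
    falling on a weekend or public holiday moves to the next working day.
    `extension_months` models the 'further two months' for complex requests;
    applying the same calendar rule to it is an assumption of this example.
    """
    start = received + timedelta(days=1)
    deadline = add_months(start, 1 + extension_months)
    # weekday(): Monday = 0 ... Saturday = 5, Sunday = 6
    while deadline.weekday() >= 5 or deadline in public_holidays:
        deadline += timedelta(days=1)
    return deadline


def deadline_for(received_iso: str, holidays_iso=(), extension_months=0) -> str:
    """String-in/string-out wrapper using ISO 8601 dates (YYYY-MM-DD)."""
    holidays = frozenset(date.fromisoformat(h) for h in holidays_iso)
    return response_deadline(date.fromisoformat(received_iso), holidays,
                             extension_months).isoformat()


def days_to_comply(received_iso: str, holidays_iso=()) -> int:
    """Calendar days from receipt to the deadline; this is what varies by month."""
    received = date.fromisoformat(received_iso)
    deadline = date.fromisoformat(deadline_for(received_iso, holidays_iso))
    return (deadline - received).days


if __name__ == "__main__":
    # Constructed sample dates; 25/26 Dec 2018 are England & Wales bank holidays.
    xmas = ("2018-12-25", "2018-12-26")
    for received in ("2018-09-03", "2018-03-30", "2018-01-30", "2018-06-06"):
        print(received, "->", deadline_for(received), days_to_comply(received), "days")
    print("2018-11-24 ->", deadline_for("2018-11-24", xmas), "(holiday roll-forward)")
    print("2018-03-30 + 2 months ->", deadline_for("2018-03-30", extension_months=2))
```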

The right to data portability

The right to data portability allows data subjects to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

The right to data portability only applies:

  • To personal data a data subject has provided to a controller
  • Where the processing is based on the data subject’s consent or for the performance of a contract
  • When processing is carried out by automated means.

PtoE is aware that personal data must be provided in a commonly used, machine-readable form. Open formats include CSV files. Machine-readable means that the information is structured so that software can extract specific elements of the data, which enables other organisations to use it.

If the data subject so requests, PtoE understands that it may be required to transmit the data directly to another organisation, where this is technically feasible. However, PtoE reserves the right not to adopt or maintain processing systems that are technically compatible with those of other organisations.

If the personal data concerns more than one data subject, PtoE will consider whether providing the information would prejudice the rights of any other data subject.

PtoE will respond without undue delay, and within one month. This can be extended by two months where the request is complex or PtoE receives a number of requests. PtoE will inform the requester within one month of the receipt of the request and explain why the extension is necessary.

Where PtoE will not be taking action in response to a request, PtoE will explain why to the data subject, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

The right to object

Individuals have the right to object to:

  • Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
  • Direct marketing (including profiling)
  • Processing for purposes of scientific/historical research and statistics.

Data subjects must have an objection on “grounds relating to their particular situation”.

PtoE will stop processing the personal data unless:

  • The organisation can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual
  • The processing is for the establishment, exercise or defence of legal claims.

PtoE informs individuals of their right to object “at the point of first communication” and in the privacy notice.

Where an objection is made to the processing of personal data for direct marketing purposes, PtoE will act on it right away and free of charge.

Rights in relation to automated decision making and profiling

The GDPR restricts PtoE from making solely automated decisions, including those based on profiling, that have a legal or similarly significant effect on individuals.

“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”

Article 22(1)

The GDPR has provisions on:

  • Automated individual decision-making (making a decision solely by automated means without any human involvement)
  • Profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.

The GDPR applies to all automated individual decision-making and profiling.

PtoE can only carry out this type of decision-making with legal or similarly significant effects if the decision is:

  • Necessary for the entry into or performance of a contract
  • Authorised by Union or Member State law applicable to the controller
  • Based on the individual’s explicit consent.

PtoE must identify whether any of the processing falls under Article 22 and, if so, make sure that the organisation:

  • Gives individuals information about the processing
  • Introduces simple ways for them to request human intervention or challenge a decision
  • Carries out regular checks to make sure that the systems are working as intended.

For something to be solely automated there must be no human involvement in the decision-making process. The restriction only covers solely automated individual decision-making that produces legal or similarly significant effects. These types of effect are not defined in the GDPR, but the decision must have a serious negative impact on an individual to be caught by this provision.

A legal effect is something that adversely affects someone’s legal rights. Similarly significant effects are more difficult to define but would include, for example, automatic refusal of an online credit application, and e-recruiting practices without human intervention.

Solely automated individual decision-making – including profiling – with legal or similarly significant effects is restricted, although this restriction can be lifted in certain circumstances.

If special category personal data is being used, PtoE can only carry out processing described in Article 22(1) if:

  • The individual has given explicit consent
  • The processing is necessary for reasons of substantial public interest.

Article 22 applies to solely automated individual decision-making, including profiling, with legal or similarly significant effects.

If processing does not match this definition, PtoE can continue to carry out profiling and automated decision-making, but must still comply with the GDPR principles.

PtoE must identify and record the lawful basis for the processing and have processes in place so that people can exercise their rights. Individuals have a right to object to profiling in certain circumstances, and PtoE has a duty to bring details of this right specifically to their attention.

If you have any questions relating to our GDPR and privacy notices or any concerns please contact our designated Data Protection Officer or alternatively, please complete the GDPR Request Form.