Data subject access request procedure

  1. Data subject access request: basis for application
  2. Data subject access request: process
  3. Step 1: applicant's initial request
  4. Step 2: check request and allocate (7 days)
  5. Step 3: search for applicant's data (7 days)
  6. Step 4: retrieve applicant's data (7 days)
  7. Step 5: send applicant's data (6 days)
  8. Appeal or review

Data subject access request: basis for application

Under the Data Protection Act, an individual can find out what information on computer and in some paper records we hold about them. This is called the right of subject access and includes facts and opinions expressed about the individual.

Under section 7 of the Data Protection Act 1998 an applicant is entitled to know:

  • whether his/her personal data is being processed
  • description of the data
  • source
  • purpose of processing
  • recipients/classes of recipients
  • personal data itself
  • the logic behind an automated decision

Data subject access request: process

The data subject access request (DSAR) process takes 28 days.

Step 1: applicant's initial request

An applicant can apply for their personal data by phone, letter, fax or email. If routine, an officer can deal with the request directly with the applicant.

If it is a formal request (i.e. corporate, or requiring legal input regarding exemptions), pass it to the information asset administrator (IAA).

Step 2: check request and allocate (7 days)

The IAA will check and/or clarify the request and encourage the applicant to complete a formal subject access request, including the fees notice.

The IAA will record the request on Servicemail. The clock will stop until we receive the applicant's fee. Fees should be paid to BUDL40 P798.

The IAA will then pass the request to the appropriate information asset owner (IAO).

Step 3: search for applicant's data (7 days)

The IAO acts in accordance with the applicant’s instructions and carries out a search for the applicant’s personal data.

Step 4: retrieve applicant's data (7 days)

The IAO will retrieve the applicant’s personal data, apply any exemptions and consult with third parties as necessary, in conjunction with the data protection officer (DPO).

Step 5: send applicant's data (6 days)

The IAO will send the non-exempt material directly to the applicant, using the letter template, within 28 days of payment. The IAO/DPO should retain a copy of the disclosed and exempt material and inform the IAA to update Servicemail.

Appeal or review

Any appeal should be passed to the complaints officer.