This policy was approved at the Parish Council Monthly Meeting on 5 February 2020
Introduction and policy statement
This policy sets out how Coxhoe Parish Council under the General Data Protection Regulations will provide an easy accessible mechanism through which a Subject Access Request can be submitted and responded to.
This Policy links to the Council’s Information Data Protection Policy. A subject access request (SAR) is a written request made by or on behalf of an individual for the information which they are entitled to ask for under section 7 of the Data Protection Act 1998. The request does not have to be in any particular form.
Submitting a Subject Access Request
All Subject Access Requests should be made in writing (either letter or electronic format) to the Clerk.
Upon receipt of a Subject Access Request:
The Clerk will endeavour to acknowledge all Subject Access Requests in writing (either letter or electronic format) within 10 working days. This will be to acknowledge that the Council has received the request.
The Clerk will in the first instance determine whether a request has been made under the Data Protection legislation. If the request falls under the Data Protection legislation the request will be processed. If the request does not fall under the legislation the Council will respond the data subject to inform them that no further action can be taken.
The Clerk will verify the identity of the data subject and if needed will request any further evidence on the identity of the data subject. This may include, for example, passport, driving licence, tenancy agreement or utility bill.
The request will be checked to see it if sufficiently substantiated and that it is clear what data is requested. If it is not clear additional information will be requested.
The request will be verified to check to see if it is unfounded or excessive and if so the Clerk may refuse to act upon the request or charge a reasonable fee.
Any request that may involve data on other data subjects, this data will be filtered prior to supply of the data. If the data cannot be removed a consent form will be required from the other data subjects prior to any supply of data.
Responding to a Subject Access Request
All requests will be responded to within one calendar month after receipt of the request. If the request is more complex, an extension of two further calendar months will apply. The data subject will be informed.
If the Council is unable to provide the information requested the data subject will be informed within one calendar month of receipt of the request.
As far as possible all requests will be responded to in the format is was received, either in writing or electronic format.
All information provided will be in an ‘intelligible form’ and will be supplied in a permanent form unless where it is impossible or would involve undue effort. In this case alternative arrangements will be agreed for example to view the personal data on screen or inspect files on premises.
A database will be maintained of all Subject Access Requests allowing the Clerk to report to Council on the volume of requests and compliance against the statutory timescale.
Reporting Procedure, Records and Confidentiality
Confidentiality should be maintained at all times. Information should be handled and disseminated on a need to know basis only. All Subject Access Requests will be reported to the Council by the Clerk as soon as reasonably possible but with all and any personal details removed. Records will be kept securely and confidentially by the Parish Clerk.