IFM Electronic Ltd - Subject Access Request (SAR) Policy
IFM Electronic Ltd is aware of its obligations as a Data Controller, with primary responsibility for, and a duty of care towards the personal data within its control.
Data Subjects whose personal data is held by IFM Electronic Ltd are entitled to ask Data Controllers:
- Whether the Data Controller is processing any personal data about that individual and, if so, to be given:
o a description of the personal data
o the purposes for which they are being processed
o information on any organisation to whom that personal data is being, or might be disclosed
- to be told about the sources from which the Data Controller derived the information so long as those sources are available to the Controller; and
- For a copy of the information held, in response to a valid request to that effect
Form of the Request
A request for Personal Data is a known as a Subject Access Request. However, it may not always be necessary to treat a request for information as a formal request under the General Data Protection Regulation (GDPR).
If the request for information is one which IFM Electronic Ltd would normally deal with within the normal course of business, e.g. a request for a copy of a statement by a bank customer, IFM Electronic Ltd will consider whether this is a formal subject access request under GDPR, or whether it can be managed as a ‘business-as-usual’ process.
Note - In order to be valid, a Subject Access Request should be in writing, and should include sufficient information to identify the Data Subject to the Data Controller’s satisfaction. The Data Controller will issue the Data Subject with a Data Subject Access Request Form in order for them to complete this to clarify their request and to confirm their identity. This will be a mandatory requirement for the request to be considered valid.
The Data Controller will also issue the Data Subject with a Data Subject Access Request Privacy Notice informing them of their rights and further information about the nature of the processing undertaken by IFM Electronic Ltd.
When these criteria are satisfied, the Subject Access Request is considered valid, and the 1 month response period commences.
IFM Electronic Ltd will strive to respond to a valid request as quickly as possible, but nonetheless within this 1-month period.
Communicating with the Data Subject
IFM Electronic Ltd will communicate directly with the Data Subject once a valid Subject Access Request has been received.
Rather than having to provide a copy of all data held by the Controller, this contact may help the Data Subject to specify the exact information he or she wishes to receive, thereby reducing both effort and the time and cost required to collate and provide the data being sought.
However, we acknowledge that, where the Data Subject is adamant that he or she wishes to receive a copy of everything the Data Controller holds about them, then we will fulfil a complete and exhaustive search of the computerised and manually-held data in the organisation.
Unless there is a legitimate option to reduce the scope of the Request, a search of all databases and all relevant filing systems (manual files) which are relevant under the GDPR will be carried out throughout the organisation.
There is no obligation to search back-up files, on the basis that the data in back-up is a copy of the data already held either on the ‘active’ systems, or in archive.
IFM Electronic Ltd will organise the response to the Request by giving one individual the responsibility for issuing requests for information throughout the organisation and receiving all the returns. This co-ordinator role will normally fall to the Data Protection Officer, where one has been appointed.
The co-ordinator will then have the job of printing out all computerised information which has been returned to them by each department. They will also have received photocopies of all relevant manual files and will therefore collate two sets of material, one being a computer printout and the other being a photocopied manual file.
The manual files which are relevant to the GDPR are those which pass the conditions set out in the definition of a relevant filing system. The key criterion is whether the file in question forms part of a structured set. The set has to be structured by reference to the Requestor or characteristics relating to Requestor. If, for example, the manual files are organised in alphabetical name order, or by payroll number, they will form a structured set.
Restrictions following receipt of a request
Compliance with the GDPR is not intended to interfere with the normal running of a Data Controller’s business following the receipt of a valid request.
We are not permitted to make changes to the requested information (during the normal course of operation). This includes the correction of any incorrect data held as the principle is that the individual has a right to request the actual information held about them (whether or not it is accurate or correct at the time of the request).
Third party data
Once the information has been collected, the Request Co-ordinator will consider their obligations to other data subjects.
The Co-ordinator will put themselves ‘in the shoes’ of the individual making the Subject Access Request. They have to read every single page of information to see whether it reveals the identity of any third party, when viewed from the perspective of the person making the request. If the identity of a third party is already known to the Data Subject, then the data containing the information relating to the third party can be revealed to the Data Subject, because he/she is already aware of that information.
However, where the identity of a third party is not already known to the Data Subject in the context revealed by the documents, the Request Co-ordinator will consider whether the request requires the disclosure of the information relating to the third party, or whether it is possible to separate this information from the other information to be disclosed. For example, by blanking out (redacting) the name of the individual or blanking out other identifying particulars or any other material. It would be sufficient to disguise the identity of the third party from the Data Subject.
At this point, all other information which is likely to come into the hands of the Data Subject must be considered as well. If the identifying material can be blanked out with black marker pen and the rest of the information on that page can be handed over without revealing the identity of the third party, then this information will be included in fulfilling the Subject Access Request.
Some material is exempt from inclusion in the response to a Subject Access Request.
This includes the content of negotiations with the Data Subject. If the Data Controller is negotiating with the Data Subject at the time at which the Data Subject makes the Subject Access Request, the Data Controller does not have to reveal requested information if to do so would be likely to prejudice those negotiations. Once the negotiations are complete and have been put into effect, the whole file becomes subject to Subject Access in the normal way.
Emails are subject to Subject Access, as are archived computerised and manual data. It must be remembered that CCTV footage and tapes of telephone conversations will also be included within the scope of the request and must be searched on receipt of a Subject Access Request if the data subject so requires.
Other general exemptions to subject access are national security and the prevention or detection of crime, or the apprehension or prosecution of offenders.
Where the personal data contain health information, there is a duty on the Data Controller to consult an appropriate health professional before the information can be released to the Data Subject. This is to avoid disclosing information about adverse health conditions to a Data Subject where the disclosure may be harmful or distressing to the Data Subject, or to another person.
This requirement does not apply where the Data Subject has already had access to the information, or where the Data Subject originally provided the information himself or herself.
We recognise that failure to respond to a Subject Access Request within the 1 month period gives rise to the ability of the individual to complain to the Information Commissioners Office (ICO) and may well give rise to an investigation by the Commissioner.
In addition, failure to respond within 1 month will be a breach of the GDPR.
Permanent and Intelligible Form
If it is possible to do so, IFM Electronic Ltd will liaise with the Data Subject as to the form in which we hand over the information to the Data Subject.
The default position is that the Data Subject gets a hard copy of the information in a “permanent and intelligible format” (which may make it necessary for any internal codes released with the information to be explained), unless the supply of such a copy is not possible or would involve a disproportionate effort, or the Data Subject agrees otherwise. Any terms which are not intelligible without an explanation, must be accompanied by an explanation (e.g. a Glossary of Terms).
Finally, once the response to the Subject Access Request has been finalised, the Request co-ordinator will make a full copy of the material to be retained for our own reference.
The copy of the requested material will be dispatched by secure, registered delivery, and we will seek timely confirmation from the Data Subject on receipt of the material.
These records will be used as reference material should, in the future, there is any dispute as to the content or timeliness of the response provided to the Data Subject.
Policy for Specific Rights of Data Subjects (as related to the Articles below).
The following documents our specific policies for the following rights of data subjects:
Rights to be Informed – Articles 12-14
IFM Electronic Ltd adhere to the Data Subjects right to be informed of the processing that we undertake:
- Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
- We provide individuals with information including: your purposes for processing their personal data, our retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
- We provide privacy information to individuals at the time we collect their personal data from them.
- If we obtain personal data from other sources, we provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
- There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
- The information we provide to people is concise, transparent, intelligible, easily accessible, and is provided in clear and plain language.
- We provide privacy information to people using a combination of different techniques including layering, dashboards, and just-in-time notices.
- We regularly review, and where necessary, update our privacy information.
- Prior notification is provided where the processing of an individual’s personal data is required.
Right to Access – Article 15
IFM Electronic Ltd will provide the following information to the Data Subject upon validating their identity and the overall validity of the access request:
- The purposes of the processing.
- The categories of personal data concerned.
- The recipients to whom the personal data have been or will be disclosed.
- The period for which the personal data will be stored.
- The right to rectification, erasure, restriction or objection.
- The right to lodge a complaint with a supervisory authority
- Where the personal data are not collected from the data subject, any available information as to their source.
Right to Rectification – Article 16
IFM Electronic Ltd will action this request on from the Data Subject upon validating their identity and the overall validity of their request. We will therefore:
- Rectify inaccurate information providing we can validate the inaccuracies highlighted by the data subject or any other inaccuracies that we may subsequently discover in the process of dealing with the request
- Update and complete any incomplete data
Right to Erasure (right to be ‘forgotten’) – Article 17
IFM Electronic Ltd will adhere to the rights of data subjects in the following cases:
- The data is no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- The data subject withdraws the consent on which the processing is based and where there is no other legal ground for the processing.
- The data subject objects to the processing and there are no overriding legitimate grounds for the processing.
- The personal data have been unlawfully processed.
- The personal data has to be erased for compliance with a legal obligation.
- The personal data have been collected in relation to the offer of information society services
Note – We will not comply with the rights of data subjects in relation to this Article when:
- The data is required to exercise the right of freedom of expression and information
- The data is required for processing to meet a legal obligation
- The data is required for the performance of a task carried out in the public interest or in the exercise of official authority
- The data is used for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing
- The data is required for processing to meet a possible future litigation (i.e. for the establishment, exercise or defence of legal claims)
- The data is still being used for the legitimate purpose it was originally processed for and that legal basis still applies e.g. contract necessity (even if the data subject states they have withdrawn their consent for that processing)
Right to Restriction of Processing – Article 18
IFM Electronic Ltd will adhere to the rights of data subjects and restrict the processing providing:
- The accuracy of the personal data is contested by the data subject.
- The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
- The controller no longer needs the personal data for the purposes of the original processing, but the data is required by the data subject for the establishment, exercise or defence of legal claims.
- The data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
Right of Data Portability – Article 20
IFM Electronic Ltd will adhere to the rights of data subjects in the following manner:
- The data controller must provide the data subject with a copy of personal data in a structured, commonly used and machine-readable format.
- The data controller must not hinder the transmission of personal data to a new data controller.
- The right of data portability only applies where:
o data is processed by automated means; and
o the data subject has provided consent to the processing or the processing is necessary to fulfil a contract; and
o the data was provided by the data subject.
Right to Object – Article 21
IFM Electronic Ltd will adhere to the rights of data subjects when the data subject has the right to object to the following:
- Processing for a task in the public interest;
- Processing based on legitimate interests:
o processing of personal data for direct marketing;
o processing of data for profiling;
o processing of data by automated means;
o processing for scientific or historical purposes.