Last updated: 21st May 2018
Subject Access Request Procedure
All personal data processed by The Right Mortgage Limited (“The Firm”) is within the scope of this procedure.
This procedure excludes personal data that is asked for as a matter of routine by data subjects i.e. Name, address etc.
Data subjects are entitled to ask:
- Whether The Right Mortgage Limited is processing any personal data about that individual and, if so, to be given:
- a description of the personal data;
- the purposes for which it is being processed; and,
- details of who will be allowed to see the personal data.
- To be provided with a copy of the information and to be told about the sources from which The Right Mortgage Limited derived the information.
The Data Protection Officer is responsible for the application and effective working of this procedure, and for reporting to the Board of Directors on Subject Access Requests (SARs).
3. Personal Data of the Subject
An individual is only entitled to their own personal data, and not to information relating to other people (unless the information is also about them in which case any third-party identifiers will be redacted).
- In addition to a copy of their personal data, The Firm will provide data subjects with the following information:
- the purposes of processing data;
- the categories of personal data concerned;
- the recipients or categories of recipient The Firm discloses the personal data to;
- The Firm’s retention period for storing the personal data or, where this is not possible, The Firm’s criteria for determining how long it will be stored for;
- the existence of the data subject’s right to request rectification, erasure or restriction or to object to such processing;
- the right of the data subject to lodge a complaint with the ICO;
- information about the source of the data, where it was not obtained directly from the data subject;
- the existence of automated decision-making (including profiling); and
- the safeguards The Firm provides when transferring personal data to a third country or international organisation.
- Subject Access Requests can be made verbally or in writing to The Firm’s Data Protection Officer.
- The data subject must provide evidence as to identity, in the form of a current passport/driving license to the Data Protection Officer upon request who will in turn verify the identity of the data subject before complying with the request.
- The data subject must identify the data that is being requested and where it is being held and this information must be evidenced within the SAR. Note that the data subject is entitled to ask for all data that The Firm holds, without specifying that data.
- The date by which the identification checks and the specification of the data sought must be recorded; The Firm has one month from this date to provide the requested information. The Firm reserves the right to extend the time to respond by a further two months if the request is complex or The Firm have received a number of requests from the data subject. The Firm will let the data subject know within one month of receiving their request and explain why the extension is necessary.
- The SAR is immediately forwarded to the Data Protection Officer who will ensure that the requested data is collected within the time period.
Collection will entail:
- Collating the data specified by the data subject;
- Searching all databases and all relevant filing systems including all back up and archived files, whether computerised or manual, and including all e-mail folders and archives.
- The Data Protection Officer maintains a record of requests for data and of its receipt, including dates. Note that data may not be altered or destroyed in order to avoid disclosing it.
- The Data Protection Officer is responsible for reviewing all provided documents to identify whether any third parties are identified in it and for either excising identifying third party information from the documentation or obtaining written consent from the third party for their identity to be revealed.
- If the requested data falls under one of the following exemptions, it does not have to be provided:
- Crime prevention and detection;
- Confidential references given by The Right Mortgage Limited (not ones given to The Right Mortgage Limited);
- Information covered by legal professional privilege.
- The information is provided to the data subject in electronic format unless otherwise requested and all the items provided are listed on a schedule that shows the data subject’s name and the date on which the information is delivered.
- The GDPR requires that the information The Firm provides to a data subject is in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
- The Firm will not charge a fee to process a subject access request unless the request is manifestly unfounded or excessive in which case The Firm reserves the right to charge a “reasonable fee” for the administrative costs of complying with the request. The Firm may also charge a reasonable fee if a data subject requests further copies of their data following a request.
- The GDPR does not prevent an individual making a subject access request via a third party. Often, this will be a solicitor acting on behalf of a client, but it could simply be that a data subject feels comfortable allowing someone else to act for them. In these cases, The Firm will need to be satisfied that the third party making the request is entitled to act on behalf of the data subject, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney.
- If The Firm believes the data subject may not understand what information would be disclosed to a third party who has made a subject access request on their behalf, The Firm may send the response directly to the data subject rather than to the third party. The data subject may then choose to share the information with the third party after having had a chance to review it.
- Where the data subject is a child and they are too young to understand the implications of subject access rights, it is still the right of the child rather than of anyone else such as a parent or guardian; therefore, it is the child who has a right of access to the information held about them, even though in the case of young children these rights are likely to be exercised by those with parental responsibility for them.
Before responding to a subject access request for information held about a child, The Firm will consider whether the child is mature enough to understand their rights.
5. Complying with a request
The Firm can refuse to comply with a SAR if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
If The Firm considers that a request is manifestly unfounded or excessive The Firm can:
- request a “reasonable fee” to deal with the request; or
- refuse to deal with the request.
In either case The Firm will justify their decision.