Individuals have a number of rights in relation to their personal data under the Data Protection Act and EU General Data Protection Regulation (GDPR) including:
- Right to be informed e.g. have access to information on how their data is being processed in a concise, easily accessible and easy to understand format
Right to access their personal data
- Rights to rectification, restriction and erasure of their personal data
- Right to portability – be provided their data in a portable format
- Right to object (including the right to object to automated decision making)
This procedure documents Pat Robson & Co.’s processes for responding to these rights effectively and within appropriate timescales.
2 Overview of rights
2.1 Right to be informed
The right to be informed encompasses Pat Robson & Co.’s obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how personal data is used. Further information on how this right is enabled is included within the Data Protection Policy.
2.2 Right of access and portability
Individuals have the right to access their personal data and other related information. In addition to the right of access, the right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way. This right applies:
- to personal data an individual has provided to the organisation
- where the processing is based on the individual’s consent or for the performance of a contract; and
- when processing is carried out by automated means
Wherever possible, Pat Robson & Co. will ensure that it provides individuals with access to personal data in a format that allows this portability right to be ensured.
2.3 Right to rectification
The GDPR gives individuals the right to have their personal data rectified if it is inaccurate or incomplete. In addition, Pat Robson & Co. will inform any third parties that this data has been passed on to, of this rectification, wherever possible. Pat Robson & Co. will also inform the individuals about the third parties to whom the data has been disclosed where appropriate.
2.3 Right to restriction
Individuals have a right to ‘block’ or suppress processing of personal data in the following circumstances:
- Where an individual contests the accuracy of the personal data, data processing should be restricted until the accuracy of the personal data can be verified
- Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and whether your organisation’s legitimate grounds override those of the individual is being considered
- When processing is unlawful and the individual opposes erasure and requests restriction instead
- If you no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim
This means that Pat Robson & Co. will continue to store this data but will not process it in any other way. In addition, any third parties with whom this data has been disclosed will be informed about this restriction, unless it is impossible or involves disproportionate effort to do so. If for any reason, this restriction is lifted, then the individual will be informed of this.
2.4 Rights to erasure
The right to erasure is also known as ‘the right to be forgotten’. Its aim is to allow individuals to request the deletion or removal of personal data where there is no compelling reason for its continued processing. This right can only be applied in the following circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
- When the individual withdraws consent
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
- Where the personal data was unlawfully processed (i.e. otherwise in breach of the GDPR)
- Where the personal data has to be erased in order to comply with a legal obligation
- Where the personal data is processed in relation to the offer of information society services to a child
There are some specific circumstances where the right to erasure does not apply and a request can be refused. This includes where this personal data is processed:
- to exercise the right of freedom of expression and information
- to comply with a legal obligation for the performance of a public interest task or exercise of official authority
- for public health purposes in the public interest
- archiving purposes in the public interest, scientific research historical research or statistical purposes
- the exercise or defence of legal claims
As with some other rights, if the data has been disclosed to third parties, we will inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so. Where this relates to online data, this may also include asking other organisations to erase links or copies of the personal data in question.
2.4 Right to object
Individuals have the right to object in particular circumstances, namely:
- where processing is carried out based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- where personal data is used for direct marketing (including profiling); and
- where personal data is processed for purposes of scientific/historical research and statistics
Where such an objection is received, Pat Robson & Co. will stop this processing unless identified legitimate grounds for the processing can be demonstrated, which override the interests, rights and freedoms of the individual; or, if this processing is for the establishment, exercise or defence of legal claims.
Any objections in relation to direct marketing will be always be actioned and where the objection relates to automated decision making, individuals will be given the ability to request human intervention in this decision or to challenge any decision made based on automated decision making.
Individuals will be fully informed of their right to object when first communicated with and through privacy notices.
3 Format of Data Subject Requests
A data subject request is simply a request made by, or on behalf of an individual in relation to their personal data and their rights under Data Protection in relation to this data. The request does not have to be in any particular form, nor does it have to include the words ‘data subject request’ or make any reference to the Data Protection Act. Indeed, a request may be valid even if it refers to other legislation.
An emailed or faxed request is as valid as one sent in hard copy and requests might also be received via social media and possibly via third-party websites. Requesters do not have to provide their reason for making the request or what they intend to do with the information requested, although it may help find the relevant information, if the purpose of the request is explained.
If a request is for access to personal data, the requester may be asked for information that is reasonably needed to find the personal data covered by the request e.g. relevant timescales, location etc.
Appendix 1 includes a template form that data subjects can use to make a request, although as detailed above, requests received in other formats should also be considered.
4 Time Limit for Responding
In most cases a data subject request whether to access their own data, or in relation to any other of their rights, must be dealt with promptly and in any event within a month of receiving it, or (if later) from the day any requested location information is received or any information requested to confirm the requester’s identity is obtained. In rare cases, when the request is particularly complex or numerous, it may be extended by a further two months taking into account the complexity and number of requests (ensuring the applicant is informed of the delay and reasons within the month).
5 Charging Fees
A fee cannot be charged for responding to a data subject request, unless the organisation can prove that the request is manifestly unfounded or excessive (in particular because of their repetitive nature). In such a case, the request could either be refused or a reasonable fee charged (taking into account the administrative cost of providing the information). It is up to Pat Robson & Co. to evidence that any request is manifestly unfounded or excessive. In addition, a reasonable fee based on administrative costs can be charged for any additional copies of information, requested by the individual.
6 Confirming the identity of the applicant
To avoid personal data about one individual being sent to another or data subject rights being acted on inappropriately, either accidentally or as a result of deception, the lead within Pat Robson & Co. must be satisfied that he/she knows the identity of the requester. The level of information needed to judge whether the person making the request is the individual to whom the personal data relates (or a person authorised to make a request on their behalf) will vary depending on the circumstances.
The key point is to be reasonable about what is requested and not ask for excessive information e.g. if the individual is already know to the organisation. However, where there is any doubt of the identity of the requester, formal methods should be implemented to verify this e.g. through requesting a copy of their passport/driving licence/utility bills etc.
7 Information Individuals Are Entitled To
If a request is to access personal data held by the organisation, individuals are entitled to be:
- told whether any of their personal data is being processed
- given a description of their personal data, the reasons it is being processed, related retention periods and whether it will be given to any other organisations or people
- given a copy of the personal data
- given details of the source of the data (where this is available)
- given details of their rights in relation to their data
- given information on any safeguards implemented for information processed outside the EU
An individual can also request information about the reasoning behind any automated decisions taken about him or her, such as a computer-generated assessment of performance at work. If requested by electronic means, the information should be provided in a commonly used electronic format, unless another format has been requested.
8 Requesting on an Individual’s Behalf
The Data Protection Act/GDPR does not prevent an individual making a data subject request via a third party. Often, this will be a solicitor acting on behalf of a client, but it could simply be that the individual wants someone else to act for them.
In these cases, there will be a need to ensure that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney.
In relation to a right of access request, if there is any doubt that an individual may not understand what information would be disclosed to the third party, the response should be sent directly to the individual rather than the third party. The individual may then choose to share the information with the third party after having had a chance to review it.
The UK Data Protection Bill creates a number of exemptions in relation to data subjects’ rights. This includes exemptions in the following areas:
- Processing of personal data for the prevention or detection of crime and the assessment and collection of taxes, the public functions of certain regulatory bodies and for various functions in the public interest, including protecting the public against financial malpractice, protecting charities and securing the health and safety of workers
- Disclosing information in response to an access request where another individual can be identified from that information (unless they give their consent)
- Exemption around rights of access, and the requirements to provide certain information to data subjects where the data could have the benefit of legal professional privilege, or are processed for the purposes of business management forecasting
- Exemption around rights of access, and the requirements to provide certain information where the data consists of confidential references (for employment, education or training), the organisation’s records in relation to any negotiations with the individual, or information recorded by candidates during an exam
- Exemption around complying with an access request if doing so would reveal incriminating evidence of their commission of a criminal offence (unless it applies to offences under the Bill, or to perjury offences)
- Rights of access and transparency will not apply where compliance would likely affect the price of corporate finance instruments, or where compliance would prejudicially affect the functioning of financial markets by affecting the decisions of business people in relation to corporate finance
- Exemptions around processing of data for journalistic, academic, artistic or literary purposes, where the controller reasonably believes that the publication of the material would be in the public interest
- Exemptions where personal data is processed for scientific or historical research, statistical purposes, or for archiving purposes in the public interest
- Exemptions around data relating to health, social work or education in the Family Courts
- Exemptions around rights of access in relation to health, social work or education data, and where disclosure would be likely to cause serious harm to the physical or mental health of the data subject (or another individual)
- Exemptions to rights of access to those with parental responsibility or court appointed responsibility to a child’s data where releasing the data would not be in the best interest of the child
- Exemptions re rights of access relation to data concerning health, education or social work, where the data was obtained from or provided by the subject with an expectation of privacy (or where the subject expressly indicates that the information should not be disclosed)
More detailed information on exemptions can be found through the ICO website:
If a decision is made not to provide the information requested, based on one of the above reasons, this will need to be communicated to the requester.
10 Keeping A Record
Pat Robson & Co. will keep a log of receipt of data subject requests and will ensure it is routinely updated to monitor progress as the request is processed. The log will include details of actions taken and when, and where the request relates to access to personal data, copies of information supplied in response to the subject access request, together with copies of any material withheld and an explanation why.
11 Informing individuals of their rights
Pat Robson & Co. will ensure that individuals whose information they process, are fully informed of their rights under the Data Protection Act and how to complain should they be concerned about the way their request is handled. This will be included in Pat Robson & Co.’s privacy notice.
12 Further information
Further guidance can also be obtained from Pat Robson & Co.’s Data Protection Officer.