Guidance

Subject access request and data subject rights privacy notice

Published 3 May 2023

© Crown copyright 2023

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/data-subject-rights-privacy-notice/subject-access-request-and-data-subject-rights-privacy-notice

The Department for Business and Trade (DBT) is committed to protecting the privacy and security of your data. This notice describes how we collect and use your data in accordance with Data Protection legislation (the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA).

It is important that you read this privacy notice; so that you are aware of how and why we are using your data, if you are making a subject access request for copies of your personal information or, if you are submitting any other request relating to your individual rights (listed under ‘Your Rights’) under the UK GDPR and the DPA 2018.

What personal data we collect

When you contact us, we will collect certain personal data from you in order for us to process your request, for example:

  • your request
  • your name
  • relevant contact details, which may include:
    • your address,
    • email address and, or;
    • telephone number.
  • information requested by us as proof of identity (in relation to subject access requests (SARs))
    • this will include seeking two official forms of ID, such as; a Birth Certificate, a valid (in date) Driving Licence, Passport or an official utility bill (showing proof of address).

Official forms of ID will not be stored by the department after verification has been completed. We will however keep a record of the ID documents provided so that we are able to demonstrate our compliance with a valid request.

  • Other personal data you provide which you consider relevant to your request.

Please be aware, in responding to subject access requests (SARs), the department will, across its estate, conduct reasonable and proportionate searches for the requested personal information. During the course of these searches, we may identify and process any data on you held by the department. This is to ensure that the personal information you have requested is identified/captured as part of the processing of the request.

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where identifiers have been removed (anonymous data).

All personal data is handled under the Government Security handling for Official data and non-personal data may be retained according to the Public Records Act 1958.

How your personal information is collected

We collect personal information directly from you (detailed above) in circumstances such as:

  • when a subject access request, or any other type of individual rights request is made under data protection legislation

We may also collect your personal information directly from third parties when it is appropriate to do so in managing your request, such as:

  • other government departments and public authorities
  • suppliers providing a service to the department

The information you provide will be processed by DBT and any necessary third parties in order to fulfil our regulatory duties when responding to your request.

Why we need your personal data

The data you provide will be processed by DBT in order:

  • to register and process a subject access request (this includes the registering and processing of requests for all the individual rights under UK GDPR which are listed under the ‘Your Rights’ section in this notice).
  • verify your identity if you make a request under data protection legislation.

The legal basis for processing your data is that it is necessary:

  • to comply with a legal obligation placed upon us as the data controller.
  • to perform a task in the public interest/substantial public interest

Failure to provide personal information

If you contact the department, wishing to submit a SAR or any other type of individual rights request, and fail to provide certain personal information when required to do so, we will likely be unable to process your request.

We will tell you when you are obligated to provide information and the consequences of not doing so.

How we use particularly sensitive personal information

Special categories of personal information require enhanced levels of protection.

The department will not ask that you provide any special category personal data when submitting a SAR, or any other data subject right request. However, we may process this information in the course of responding to a SAR, specifically in cases where special categories of personal data have been volunteered; for example within the request to the department, or, where the department already holds special categories of personal data processed for specific purposes and where this is identified as part of the reasonable searches made to identify personal data in response to a request.

How we share your personal data

Personal information submitted via your request is shared within the department so that your request can be processed in accordance with data protection legislation. Further, in some circumstances your personal information may be shared with:

  • the departments legal advisers, in order to obtain legal advice regarding your request;
  • the Information Commissioner’s Office (ICO) in relation to any complaint made to the Commissioner.

An analysis of data collected may be shared with Government Internal Audit Agency (GIAA), and the National Audit Office (NAO) for audit purposes.

We will also share your data if we are required to do so by law or regulation – for example, by court order, or to prevent fraud or other crime.

How long we keep your personal data

We will only retain your data for as long as:

  • it is needed to fulfil the purpose for which we collected it (set out in this document)
  • the law requires us to, in line with our records management and retention and disposal policy.

Subject to the paragraph above, we will retain your personal information for as long as necessary to fulfil the purposes we collected it for. All records are retained and securely destroyed in accordance with our data retention policy. Details of retention periods for different aspects of your personal information are available in our retention policy.

How we protect your personal data and keep it secure

We are committed to doing all that we can to keep your data secure. We have set up systems and processes to prevent unauthorised access or disclosure of your data - for example, we protect your data using password protection, limiting staff access to specifically ‘security cleared’ individuals.

We also ensure any third parties we deal with keep all personal data they process on our behalf secure and in line with Data Protection legislation.

Your data subject rights and access to your personal data

You have the right to contact DBT and exercise your data subject rights.

The UK GDPR sets out several rights, referred to as ‘individual rights’ or ‘data subject rights’, which are afforded to data subjects.

You have the right to request:

  • information about how your personal data is processed, and to request a copy of that personal data (SARs)
  • request that any inaccuracies in your personal data are rectified without delay

You can also:

  • raise an objection to the processing of your personal data (applicable in certain circumstances)
  • request that your personal data are erased, if there is no longer a justification for them to be processed (applicable in certain circumstances)
  • request that the processing of your personal data is restricted (applicable in certain circumstances)
  • request that any incomplete personal data are completed, including by means of a supplementary statement.
  • to request the right to data portability (applicable in certain circumstances)

You should contact us, should you wish to submit any of these requests.

Contacting you

We will use the personal information you provide to contact you about the specific service you have used or following any enquiries you have made about such services.

Contacting us

If you have any questions about this privacy notice or how we handle your personal information, you can write to us at:

Data Protection Officer

Department for Business and Trade
Old Admiralty Building
Admiralty Place
London
SW1A 2DY

Contacting the Information Commissioner’s Office

You can also make a complaint to the Information Commissioner, who is an independent regulator.

Information Commissioner’s Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Email casework@ico.org.uk

Telephone 0303 123 1113

Textphone 01625 545860

Monday to Friday 9am to 4:30pm

Changes to this privacy notice

We reserve the right to update this privacy notice at any time and we will provide you with a new privacy notice if we make any substantial updates.

Back to top