Guidance

Subject Access Request Procedure

Published 12 April 2024

1. Purpose

This procedure defines the process to be followed when a request for access to personal data is received. A failure to comply with the provisions of the Data Protection Act 2018 and UK General Data Protection Regulation (GDPR) in responding to requests may render Great British Nuclear (GBN) liable to prosecution as well as giving rise to civil liabilities.

2. Scope

This procedure applies to Subject Access Requests (SARs) where GBN holds personal information in line with the Data Privacy and Fair Processing Policy.

3. Roles and Responsibilities

| Role | Responsibility |
|---|---|
| Data Protection Officer | Responsible for ensuring that statutory and regulatory obligations with respect to the GDPR are adhered to. |
| Information Manager | Responsible for handling subject access requests. |
| GBN Employees | Responsible for incorporating this procedure and its associated policy into their own working practices. |

4. Terms and Acronyms

| Acronym/Term | Meaning |
|---|---|
| Data Subject | The identified or identifiable living individual to whom personal data relates. |
| Personal Data | Personal data only includes information relating to natural persons who can be identified or who are identifiable, directly from the information in question, or who can be indirectly identified from that information in combination with other information. |
| Subject Access Request | A formal inquiry made to a company by a data subject asking what personal information about the data subject has been collected, stored, and used (processed). |

5. Procedure

5.1.  Logging a Subject Access Request

5.1.1.    Once a subject access request has been received the Information Manager or person responsible for responding to the request will log the request on the Subject Access Request Register.

5.1.2.    The register will be used to track the progress of the subject access request.

5.2.  Valid Subject Access Request

5.2.1.    A valid subject access request can be received in any format, including but not limited to in writing, verbally or on social media. An individual does not need to use any specific wording to define their request; however, GBN will offer a Subject Access Request form to assist in ensuring we have all relevant information to process the request. A Subject Access Request can only be fulfilled when we have validated the identity of the individual making the request and have all of the information required to provide the information requested.

5.2.2.    Where the Subject Access Request is not valid as documented in section 5.2.1 the Information Manager or person responsible for responding to the request will contact the person making the request, to seek further information.

5.2.3.    Once the Information Manager or person responsible for responding to the request has received all the information they need and sufficient information to verify the data subject’s identity, GBN has one month to provide the information requested.

5.3.  Correctly identifying the data subject

5.3.1.    Before disclosing any personal information, the Information Manager or person responsible for responding to the request must verify the identity of the data subject.

5.3.2.    Whilst it is important that GBN does not send copies of personal information to people who are not the data subject, we must not appear obstructive. The Data Protection Act requires GBN to take “reasonable measures” to verify the identity of a data subject. The Information Manager or person responsible for responding to the request shall keep a record of what measures they have taken to verify the identity of the person making the request.

5.4.  Locating personal information for the Subject Access Request

5.4.1.    The Information Manager or person responsible for responding to the request will work with all teams within GBN to identify systems where personal data of the data subject is being held, as well as identifying the means by which the personal data can be extracted.

5.4.2.    When the systems have been identified, the team(s) will carry out searches to identify personal data held on the data subject and export it to a common area, so that the personal data can be combined and then screened prior to disclosure to the data subject.

5.5.  Reviewing Personal Information and what cannot be disclosed as a result of a Subject Access Request

5.5.1.    Once information has been collated on what GBN hold about a data subject, this information will be examined by the Data Protection Officer to establish if it should be disclosed. This must be done on a case-by-case basis for each individual piece of information. In some cases, we might disclose only parts of particular documents. This shall include checking that the record is actually about the person concerned and not about someone else with the same name, and screening out any duplicate records.

5.5.2.    There are instances where personal information does not need to be disclosed. The Information Manager or person responsible for responding to the request will determine if any of the exemptions apply before releasing personal information.

5.5.3.    Where a document contains personal data about a number of individuals, including the data subject, we will not disclose the information about the third parties to the data subject. If the record is primarily about the data subject, with incidental information about others, then third-party information will be redacted. If the record is primarily about third parties, then the document will be withheld if redacting is not possible.

5.5.4.    Where possible, third parties will be contacted to obtain consent to disclose the document.

5.6.  Sending Personal Data to Data Subject

5.6.1.    Once the Data Protection Officer has identified all of the information that can be sent in response to a SAR, one final review will be undertaken of this information as a collection of data.

5.6.2.    The personal data of the data subject will be sent to the data subject as provided on the Data Subject Access Request form.

6. References

| Reference | Title |
|---|---|
| GBN-Legal-PO-001 | Data Privacy and fair processing policy |
| GBN-Legal-FO-006 | Subject Access Request Form |

7. Appendices

None