Objectives

We recognise the need for legal compliance and accountability and endorse the importance of the rights of data subjects and the requirement to provide a complaints mechanism.

This policy sets out the key requirements in relation to the exercise of individual rights and complaints to which we are fully committed.

Scope

In order to fulfil statutory and operational obligations we have to collect, use, receive and share personal, special personal and crime personal data about living people e.g.

  • Members of public (adults and children)
  • Current, past, prospective employees
  • Clients and customers
  • Contractors and suppliers
  • Elected members

This policy covers the obligations to individual rights and complaints in relation to personal data, regardless of data age, format, systems and processes purchased, developed and managed by/or on behalf of us and any person directly employed or otherwise by us.

This policy reflects the commitment to data protection compliance with both UK and EU legislation, in particular the Data Protection Act 2018, the EU General Data Protection Regulation 2016 (GDPR) and the EU Law Enforcement Directive 2016 (LED).

Policy

Data Protection Officer (DPO):  We will appoint a data protection officer who will be the key contact for the provision of independent advice on all things data protection.  The DPO will be responsible for facilitating the provision of an information rights and complaints mechanism.

Individual Rights:  Data subjects have the following rights (see Appendix 1 for more information and the guide to individual rights):

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling
  • The right to be informed in the event of a data security incident.

In addition, data subjects are also able to:

  • seek a review/complain to the DPO
  • complain to the Information Commissioner’s Office (ICO)
  • seek judicial remedy, including compensation through the courts

These requests may be made verbally or in writing.

If a request is made verbally and the applicant refuses or is unable to put it in writing, it would be good practice to provide the applicant with a written summary of your understanding of the request and ask them to confirm the summary is correct (see template response letters).

In all cases (where there is any doubt as to the requestor’s identity) two proofs of identification will be necessary to confirm the requestor is who they say they are.

Where a request is ‘manifestly unfounded, excessive or repetitious’ the law says we can either:

  • charge a fee to respond, or
  • refuse the request on one or more of these grounds.

As a matter of policy, where we determine a request is manifestly unfounded, excessive or repetitious, we intend to refuse the request.

Where we refuse the request, the onus rests with us to demonstrate that the request falls within the threshold for relying on one or more of these grounds.

The only other circumstance where a modest administrative charge may be applied is in relation to a requestor seeking further copies of information supplied in response to a previous request.  For requests that do not otherwise fall within the ‘repetitious’ category above, we may seek a charge and recover the costs of supplying additional copies.

Timescales for response to individual rights requests and complaints:  We will provide a written response within one calendar month that explains the outcome of our decision with regards to an individual query/request and/or complaint (see template response letters).

The time starts from the first day after receipt of the enquiry where we are satisfied with verification of the data subject’s identity[1].  The target date is one calendar month after this date.

This time can be extended to two calendar months where the case is complex or voluminous and the data subject has been informed of this within one calendar month of the original enquiry.

In the event of a serious data breach, the controller has an obligation to inform the data subject without undue delay where this poses a high risk for their privacy rights.  This could mean that, in some cases, the data subject is entitled to know before the 72-hour deadline for notifying the ICO.

Reasons for lapsing request:  If ID and necessary information to locate the requested information, or to clarify what the requestor is asking, is not received then it may be necessary to ‘lapse’ the request after three months.

Reasons for refusing requests:  In addition to requests that may be considered manifestly unfounded and excessive etc. as outlined above, there may be other reasons why it is not possible to fully or partly provide the requested information.  There are other exemptions that allow us to partially or wholly comply with individual rights.  These are likely to be:

  • Rights of other individuals
  • Crime and taxation
  • Immigration
  • Determined by law and legal proceedings
  • Public protection and regulatory functions
  • Parliamentary privilege
  • Judicial appointments/proceedings
  • Other people’s data unless consent, or reasonable without consent
  • Self-incrimination
  • Corporate finance
  • Management forecasts
  • Negotiations
  • Confidential references
  • Exams
  • Special purposes e.g. artistic, literary, journalistic
  • Research and statistics
  • Archiving in the public interest

If the personal data is in relation to law enforcement, the exemptions include:

  • Prejudice/obstruction to prevention, detection, investigation, prosecution of crime
  • In the interests of public and national security and rights and freedoms of individuals e.g. privacy.

The response to the data subject:  The response to the data subject needs to contain the following (see recommended template response letters):

  • Acknowledgement of the request/enquiry made
  • Whether or not we are able to comply with the terms of the request and explanation of reasons/actions
  • If we are unable to comply with what the request is seeking, an explanation of the reasons why.
  • The right to complain to the ICO.

Complaints:  Complaints will be investigated and responded to by the DPO and/or Information Management Team.  Complaints in relation to data protection will not be handled by the corporate complaints team.  Where there is a crossover of issues, the two teams will liaise together.

Assessment and Monitoring

An assessment of compliance with requirements will be undertaken in order to provide:

  • assurance;
  • gap analysis of policy and practice;
  • examples of best practice;
  • improvement and training plans;

Reports will be submitted to the senior management team.

Responsibilities and Approvals

The Managing Director is responsible for the approval of this Policy and ensuring that the necessary support and resources are available for the effective implementation of this Policy.

The Data Protection Officer is responsible for the review of this policy.

The senior management team as Senior Information Risk Owners (SIROs) have overall ownership of the Information Risk Policy.  The SIROs are to act as champion for information risk to senior management and leadership boards and are responsible for providing written advice to the Accounting Officer on the content of our Statement of Internal Control in regard to information risk.  The SIROs are responsible for decisions in relation to any information issues or incidents.

The Information Manager and Information Management Team are responsible for providing specialist advice and support on all aspects of Information and Records Management and Governance.

Employees.  All staff, whether permanent, temporary or contracted, including students, contractors and volunteers, are responsible for ensuring they are aware of the data protection legislation requirements and for ensuring they comply with these on a day-to-day basis.  Where necessary, advice, assistance and training should be sought.  Any breach of this Policy could result in disciplinary action or could constitute a criminal offence.

Authority for this policy

This policy is owned by the Managing Director on behalf of the Senior Information Risk Officers.

This delegation is to establish and approve internal policies dealing with all aspects of the management of our information security, records and information governance.

Policy governance

The following table identifies who is accountable and responsible with regard to this Policy.

            | Definition                                                                 |
Accountable | The person who has ultimate accountability and authority for the policy.  | Managing Director
Responsible | The person(s) responsible for developing and implementing the policy.     | Senior Information Risk Officers

Appendix 1 – Rights of Individuals

The right to be informed

Data subjects have the right to be informed about the collection and use of their personal data.  This will primarily be via a privacy notice (see the Privacy Notice Policy and guide for more information).

The right of access

Data subjects have the right to request access to their own personal data and be provided with an intelligible permanent copy (see the Data Subject Access Policy and guide for more information).

The right to rectification

Data subjects have the right to request the rectification of inaccurate or incomplete personal data. This request could be fulfilled by the provision of a supplementary statement. Where the personal data needs to be retained as part of the record, for evidence purposes, instead of rectifying it, its use could be restricted.

If you have shared/disclosed this personal data with another body, you must notify those recipients of the rectification/restriction of the information.

The right to erasure

Data subjects have the right to be ‘forgotten’ but this does not apply in all circumstances.

It does apply where:

  • the personal data is no longer necessary for the purpose which you originally collected or processed it for;
  • you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
  • you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
  • you are processing the personal data for direct marketing purposes and the individual objects to that processing;
  • you have processed the personal data unlawfully;
  • you have to do it to comply with a legal obligation;
  • you have processed the personal data to offer information society services to a child.

If you process data collected from children you should give particular weight to any request for erasure if the processing of the data is based upon consent given by a child – especially any processing of their personal data on the internet.  This is still the case when the data subject is no longer a child, because a child may not have been fully aware of the risks involved in the processing at the time of consent.

If you erase the personal data requested you need to notify any recipients you have shared/disclosed this information with, and if you have made the information public, then endeavour to remove it from the public domain/internet. 

It does not apply in the following circumstances:

  • To exercise the right of freedom of expression and information.
  • To comply with a legal obligation.
  • For the performance of a task carried out in the public interest or in the exercise of official authority.
  • For archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
  • For the establishment, exercise or defence of legal claims.

In addition, the right does not apply to special personal data where:

  • it is necessary for public health purposes in the public interest (e.g. protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
  • it is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services).  This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (e.g. a health professional).

The right to restrict processing

Data Subjects have the right to request restriction/suppression of processing, but this does not apply in all circumstances.  When processing is restricted, you are permitted to store the personal data, but not use it.  This may be an alternative to erasure or rectification and it is unlikely that a restriction would be in place indefinitely, but could be temporary whilst issues with the personal data are resolved.  If you decide to remove the restriction you must tell the data subject before you continue to process the data.

The right applies where:

  • the data subject contests the accuracy of their personal data and you are verifying the accuracy of the data;
  • the data has been unlawfully processed and the data subject opposes erasure and requests restriction instead;
  • you no longer need the personal data but the data subject needs you to keep it in order to establish, exercise or defend a legal claim;
  • the data subject has objected to you processing their data on grounds that you are relying on legitimate interests as your basis for processing, and you have no overriding legitimate interest to continue this processing or are processing it for profiling purposes.

Although this is distinct from the right to rectification and the right to object, there are close links between those rights and it would be good practice to automatically restrict processing whilst considering its accuracy and legitimate grounds of processing.

Ways of restricting processing may include, but are not limited to:

  • temporarily moving the data to another processing system;
  • making the data unavailable to users; or
  • temporarily removing published data from a website.

The data should not be erased or changed whilst restricted and no further processing should take place during this time except to store it, unless:

  • you have the individual’s consent;
  • it is for the establishment, exercise or defence of legal claims;
  • it is for the protection of the rights of another person (natural or legal); or
  • it is for reasons of important public interest.

If you restrict the processing of personal data you need to notify any recipients you have shared/disclosed this information to.  

The right to data portability

Data subjects have the right to request data portability, which allows data subjects to obtain and reuse their personal data for their own purposes across different services.  This involves moving, copying, and/or transferring personal data easily across IT environments safely and securely.

The right to data portability only applies:

  • to personal data a data subject has provided to us;