Subject Access Request (SAR) Policy and Procedure

Introduction

This procedure document supplements the subject access request (SAR) provisions set out in 0800 Repair’s Data Protection (UK GDPR) Policy & Procedure document (FCAP020b) and provides the process for data subject individuals to use when making an SAR and the protocols we follow when an SAR is received.

0800 Repair needs to collect personal information to effectively and compliantly carry out our everyday business functions and services and in some circumstances, to comply with the requirements of the law and/or regulations.
As we process personal information regarding individuals (data subjects), we are obligated under the General Data Protection Regulation (UK GDPR) to protect such information, and to obtain, use, process, store and destroy it, only in compliance with the UK GDPR and its principles.

The legislation which this Policy and Procedure relates to is Data Protection legislation. This means all applicable laws relating to data protection and privacy including (without limitation) the EU Data Protection Directive (95/46/EC) as implemented in each jurisdiction, the EU General Data Protection Regulation (2016/679) (“GDPR”), the UK Data Protection Act 1998, the UK Data Protection Act 2018, the EU Privacy and Electronic Communications Directive 2002/58/EC as implemented in each jurisdiction, and any amending or replacement legislation from time to time. It is highlighted that during 2020 as a result of Brexit, it is anticipated that the UK Legislation in relation to Data Protection will change. Should this happen, this Policy and Procedure will be updated accordingly to ensure 0800 Repair remains fully compliant to all applicable UK legislation and statutory requirements.

The General Data Protection Regulation

The General Data Protection Regulation (UK GDPR) gives data subject individuals the right to know what information is held about them, to access this information and to exercise other rights, including the rectification of inaccurate data. The UK GDPR is a standardised regulatory framework which ensures that personal information is obtained, handled and disposed of properly.

As we are obligated under the UK GDPR and UK data protection laws, we abide by the Regulations principles, which ensure that personal information shall be:
a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’)
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’)
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
The Regulation also requires that ‘the controller shall be responsible for, and be able to demonstrate, compliance with the GDPR principles’ (‘accountability’). We have adequate and effectives measures, controls and procedures that protect and secure your personal information at all times and guarantee that it is only ever obtained, processed and disclosure in accordance with the UKGDPR.

What is Personal Information?

Information protected under the UK GDPR is known as “personal data” and is defined as: –
“Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Further information on what constitutes personal information and individual’s rights under the data protection regulation and laws can be found on the Information Commissioners Office (ICO) website.

The Right of Access

Under Article 15 of the UK GDPR, an individual has the right to obtain from the controller confirmation as to whether or not personal data concerning them is being processed. We are committed to upholding the rights of data subject individuals and have dedicated processes in place for providing access to personal information. Where requested, we will provide the following information:
• the purposes of the processing
• the categories of personal data concerned
• the recipients or categories of recipient to whom the personal data have been or will be disclosed
• If the data has been transferred to a third country or international organisations (and if so, the appropriate safeguards used)
• the envisaged period for which the personal data will be stored (or the criteria used to determine that period)
• where the personal data was not collected directly from the individual, any available information as to their source

How To Make a Subject Access Request (SAR)?

A subject access request (SAR) is a request for access to the personal information that 0800 Repair holds about an individual, which we are required to provide under the UK GDPR (unless an exemption applies). The information that we provide is covered in section 3 of this document.

A request can be made verbally or in writing using the details provided in section 7 of this document.

Where a request is received by electronic means, we will provide the requested information in a commonly used electronic form (unless otherwise requested by the data subject).

What We Do When We Receive An SAR

Notification to the Data Protection Officer

If any employee receives a SAR in any format, written or verbal, they are required to immediately pass on the request to the Data Protection Officer via email. This creates an audit trail and a timeline for the request. This must be emailed immediately to:
SubjectAccessRequest@0800repair.com
Staff should however encourage the Requester to use the on-line form on the 0800 Repair website so the data subject individual can make the request themselves.

SAR Requesters

Individuals who typically request data include customers who have bought products or services from us, current or former employees, external organisations who request data about customers or current or former employees such as clients, possible employers and landlords.

Identity Verification

Subject Access Requests (SAR) are passed to the person responsible for data protection within our organisation as soon as it is received and a record of the request is noted. The person in charge will be the Data Protection Officer who will use all reasonable measures to verify the identity of the individual making the access request, especially where the request is made using online services.

We will utilise the request information to ensure that we can verify the identity of the requester and where we are unable to do so, we may contact the requester asking for further evidence of identity prior to actioning any request. This is to protect individuals’ information and their rights and to ensure no data is released unless we are satisfied that the request is genuine.

If a third party is involved such as a relative or representative or a different data subject, and they are requesting the information on behalf of a different data subject, we may seek to verify their authority to act on behalf of a data subject. To do this, we may issue a Letter of Authority (LOA) which requests consent from a data subject to release information to a named third party. We may continue to contact individuals to confirm authorisation prior to acting the subject access request.

Information Gathering

Where enough information has been provided within the SAR to collate the personal information held, we will gather all forms (hard copy, electronic etc) and ensure that the information required is provided in an acceptable format. If we do not have enough information to locate records, we may contact the requester for further details. This will be done as soon as possible and within the Regulation timeframes set out below.

Information Provision

Once we have collated all of the personal information requested, we will send this in writing (or in a commonly used electronic form if requested). The information will be in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Fees and Timeframes

SARs are always completed within 30-days and are usually provided free of charge. If we consider that the SAR is excessive, which could include repeated requests or where the administration costs in compiling the information requested in the SAR, we will contact individuals accordingly and explain that we are allowed to make a charge in these cases. Excessive requests may result in a reasonable fee being charged to cover administrative costs which will be discussed prior to the data being compiled, In these cases once the fee has been paid, the SAR will be processed. This fee is dependent upon the complexity and format of the SAR request.

Where the request is made by electronic means, we provide the information in a commonly used electronic format, unless an alternative format is requested where we will try to accommodate the format request. Call recordings may be sent via data file but it may be practical to record the voice file to CD and then post this to the requester. 0800 Repair aims to be flexible according to customer needs.

We always aim to provide the requested information at the earliest convenience, but at a maximum, within 30 days from the date the request was received. However, where the retrieval or provision of information is particularly complex or is subject to a valid delay, the period may be extended by two further months. If this is the case, we will write to requesters within 30 days of the request being received then keep the requester informed of the delay and the reasons.

Data Subjects other Rights

Under the UK GDPR, data subject individuals have the right to request rectification of any inaccurate data held by us. Where we are notified of an inaccuracy and agree that the data is incorrect, we will amend the details immediately as directed and make a note on the system (or record) of the change and reasons.
We will rectify the errors within 30-days and inform data subject individuals in writing of the correction and where applicable, provide the details of any third-party to whom the data has been disclosed.
If for any reason, we are unable to act in response to a request for rectification and/or completion, we always provide a written explanation and inform data subject individuals of their right to complain to the Supervisory Authority and to a judicial remedy.

Individuals also have the right to request from the erasure of personal data we hold or to restrict the processing of personal data where it concerns the data subject; as well as the right to object to such processing. Data subject individuals can use the contact details in section 7 to make such requests.

Automated Decision-Making

Under the access request requirements, the UK GDPR requires us to inform the data subject of the existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. This does not apply to 0800 Repair as we do not carry out automated decision-making.

Exemptions and Refusals

The UK GDPR contains certain exemptions from the provision of personal information. If one or more of these exemptions applies to a subject access request or where we do not act on the request, we shall inform data subject individuals at the earliest convenience, or at the latest, within one month of receipt of the request.

Where possible, we will provide data subject individuals with the reasons for not acting and any possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. Details of contacting the supervisory authority are set out in section 7 of this document.

Submission & Lodging a Complaint

To submit a SAR, we can be contacted via email or visit our Privacy Notice page on our website.

If you are unsatisfied with our actions or with to make an internal complaint, data subject individuals can contact us in writing as outlined on our website.

Supervisory Authority

If data subject individuals remain dissatisfied with our actions, they have the right to lodge a complaint with the Supervisory Authority. The Information Commissioner’s Office (ICO) can be contacted at:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow. Cheshire. SK9 5AF
Telephone: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
Fax: 01625 524 510
Email: enquiries@ico.org.uk