Subject Access Request Policy
This document sets out Island Advice Centre’s policy in dealing with a subject access request.
A subject access request is a written request for personal information (known as personal data) held about you by Island Advice Centre’s policy. Generally, you have the right to see what personal information we hold about you. You may make a request by emailing us at admin@island-advice.org.uk or writing to us, stating that you are making a ‘Subject Access Request’ and letting us know how to contact you and how you wish to receive the information.
The GDPR gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly. However, this right is subject to certain exemptions that are set out in the GDPR.
The GDPR works in two ways.
Firstly, it states that anyone who processes personal data must comply with eight principles, which make sure that personal data is:
- Fairly and lawfully processed
- Processed for specific and lawful purposes
- Adequate, relevant, and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with the individuals’ rights
- Secure
- Not transferred to other countries without adequate protection
Secondly, it provides individuals with important rights, including the right to find out what personal data is held on computer and most paper records.
Personal data will cover basic details and will include details such as name, address, telephone number, attendance at events, medical and consent information and information held about that person in files, etc.
When we receive a subject access request, we will first check that we have enough information to be sure of your identity. Often, we will have no reason to doubt a person’s identity, for example, if we have regularly corresponded with you.
However, if we have good cause to doubt your identity we can ask you to provide any evidence we reasonably need to confirm your identity.
We will gather any manual or electronically held information (including emails) and identify any information provided by a third party or which identifies a third party.
If we have identified information that relates to third parties, we will write to them asking whether there is any reason this information should not be disclosed. We do not have to supply the information to you unless the other party has provided their consent, or it is reasonable to do so without their consent. If the third-party objects to the information being disclosed, we may seek legal advice on what we should do.
We have 30 calendar days starting from when we have received all the information necessary to identify you, to identify the information requested, to provide you with the information or to provide an explanation about why we are unable to provide the information. In many cases, it will be possible to respond in advance of the 30-calendar day target, and we will aim to do so where possible. Copies of the information will be sent to you in electronic form or permanent form, depending on your preference and our ability to extract it.
The GDPR contains a number of exemptions to our duty to disclose personal data, and we may seek legal advice if we consider that they might apply. An example of an exemption is information which is subject to ongoing criminal investigation.
If we agree that the information is inaccurate, we will correct it and where practicable, destroy the inaccurate information. If we do not agree or feel unable to decide whether the information is inaccurate, we will make a note of the alleged error and keep this on file.
If you are not satisfied by our actions, you can seek recourse through our internal complaints procedure. If you remain dissatisfied, you have the right to refer the matter to the Information Commissioner. The Information Commissioner can be contacted at:
Information Commissioner Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 01625 545745 Fax: 01625 524510
Email: enquiries@ico.gsi.gov.uk