All personal data processed by Hart Securus is within the scope of this procedure.
This procedure excludes personal data that is asked for as a matter of routine by data subjects i.e. Name, address etc.
Data subjects are entitled to ask:
- Whether Hart Securus is processing any personal data about that individual and, if so, to be given:
- a description of the personal data;
- the purposes for which it is being processed; and,
- details of who will be allowed to see the personal data.
- To be provided with a copy of the information and to be told about the sources from which Hart Securus derived the information.
The Data Protection Officer is responsible for the application and effective working of this procedure, and for handling Subject Access Requests (SARs).
3. Personal Data of the Subject
An individual is only entitled to their own personal data, and not to information relating to other people (unless the information is also about them in which case any third-party identifiers will be redacted).
3.1 In addition to a copy of their personal data, Hart Securus will provide data subjects with the following information:
- the purposes of processing data;
- the categories of personal data concerned;
- the recipients or categories of recipient Hart Securus discloses the personal data to;
- Hart Securus’ retention period for storing the personal data or, where this is not possible, Hart Securus’ criteria for determining how long it will be stored for;
- the existence of the data subject’s right to request rectification, erasure or restriction or to object to such processing;
- the right of the data subject to lodge a complaint with the ICO;
- information about the source of the data, where it was not obtained directly from the data subject;
- the existence of automated decision-making (including profiling); and
4.1 Subject Access Requests can be made verbally or in writing to Hart Securus’ Data Protection Officer.
4.2 The data subject must provide evidence as to identity, in the form of a current passport/driving license to the Data Protection Officer upon request who will in turn verify the identity of the data subject before complying with the request.
4.3 The data subject must identify the data that is being requested and where it is being held and this information must be evidenced within the SAR. Note that the data subject is entitled to ask for all data that Hart Securus holds, without specifying that data.
4.4 The date by which the identification checks and the specification of the data sought must be recorded; Hart Securus has one month from this date to provide the requested information. Hart Securus reserves the right to extend the time to respond by a further two months if the request is complex or Hart Securus have received a number of requests from the data subject. Hart Securus will let the data subject know within one month of receiving their request and explain why the extension is necessary.
4.5 The SAR is immediately forwarded to the Data Protection Officer who will ensure that the requested data is collected within the time period.
Collection will entail:
- Collating the data specified by the data subject;
- Searching all databases and all relevant filing systems including all back up and archived files, whether computerised or manual, and including all e-mail folders and archives.
4.6 The Data Protection Officer maintains a record of requests for data and of its receipt, including dates. Note that data may not be altered or destroyed in order to avoid disclosing it.
4.7 The Data Protection Officer is responsible for reviewing all provided documents to identify whether any third parties are identified in it and for either excising identifying third party information from the documentation or obtaining written consent from the third party for their identity to be revealed.
4.8 If the requested data falls under one of the following exemptions, it does not have to be provided:
- Crime prevention and detection;
- Confidential references given by The Right Mortgage Limited (not ones given to The Right Mortgage Limited);
- Information covered by legal professional privilege.
4.9 The information is provided to the data subject in electronic format unless otherwise requested and all the items provided are listed on a schedule that shows the data subject’s name and the date on which the information is delivered.
4.10 The GDPR requires that the information Hart Securus provides to a data subject is in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
4.11 Hart Securus will not charge a fee to process a subject access request unless the request is manifestly unfounded or excessive in which case Hart Securus reserves the right to charge a “reasonable fee” for the administrative costs of complying with the request. Hart Securus may also charge a reasonable fee if a data subject requests further copies of their data following a request.
4.12 The GDPR does not prevent an individual making a subject access request via a third party. Often, this will be a solicitor acting on behalf of a client, but it could simply be that a data subject feels comfortable allowing someone else to act for them. In these cases, Hart Securus will need to be satisfied that the third party making the request is entitled to act on behalf of the data subject, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney.
4.13 If Hart Securus believes the data subject may not understand what information would be disclosed to a third party who has made a subject access request on their behalf, Hart Securus may send the response directly to the data subject rather than to the third party. The data subject may then choose to share the information with the third party after having had a chance to review it.
4.14 Where the data subject is a child and they are too young to understand the implications of subject access rights, it is still the right of the child rather than of anyone else such as a parent or guardian; therefore, it is the child who has a right of access to the information held about them, even though in the case of young children these rights are likely to be exercised by those with parental responsibility for them.
Before responding to a subject access request for information held about a child, Hart Securus will consider whether the child is mature enough to understand their rights.
5. Complying with a request
Hart Securus can refuse to comply with a SAR if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
If Hart Securus considers that a request is manifestly unfounded or excessive Hart Securus can:
- request a “reasonable fee” to deal with the request; or
- refuse to deal with the request.
In either case Hart Securus will justify their decision.