Subject Access Procedure
This procedure will be followed when an individual contacts Mareham le Fen Parish Council to request access to their personal information held by the Council.
All requests shall be processed within 1 month and shall therefore be actioned as soon as they are received. SARs shall be provided free of charge unless one or all of the following apply:
• When a request is manifestly unfounded
• When a request is excessive
• When a request is repetitive
In such circumstances a ‘reasonable fee’ may be charged.
The steps below should be followed to action the request:
1. Is it a valid subject access request?
a) The request must be in writing (letter, email or fax).
b) Has the person requesting the information provided you with sufficient information to facilitate a proper search for the information? (Further information may be sought if the initial request is too broad.)
2. Verify the identity of the requestor.
The Parish Council will satisfy themselves that the person requesting the information is indeed the person the information relates to. The person making the request shall be asked to meet with either the Parish Council Clerk or the Data Protection Officer (DPO) and to bring with them recent and valid photo ID (passport/photo driving licence) and confirmation of their address (utility bill/bank statement).
3. Determine where the personal information will be found.
a) The Clerk and/or the DPO shall consider the type of information to determine where the records are stored. (Personal data is data which relates to a living individual who can be identified from the data (name, address, email address, database information) and can include expressions of opinion about the individual.)
b) If the PC does not hold any of the requested data they shall inform the requestor accordingly.
c) If the PC does hold any or all of the requested data then it shall be reviewed.
4. Screen the information
Some or all of the information the Parish Council holds may not be disclosable due to exemptions.
Examples of exemptions are:
• References you have given
• Crime and taxation
• Management information (restructuring/redundancies)
• Negotiations with the requestor
• Legal advice and proceedings
• Personal data of third parties
In all cases legal and/or other professional data protection advice should be sought before applying any exemptions.
5. Are you able to disclose all the information?
If the retrieved records contain any personal data of other individuals who have not given their consent to share their personal information with others, then the third party’s personal data shall be redacted before the SAR is sent out.
6. Prepare the SAR response
The Parish Council’s DPO or Clerk shall prepare a suitable response (using the sample letters at the end of this document) which will include the following information as a minimum:
a) The purposes of the processing
b) The categories of personal data concerned
c) The recipients or categories of recipients to whom personal data is to be disclosed (in particular in third countries or international organisations), including any appropriate safeguards for transfer of data
d) Where possible, the envisaged period for which personal data will be stored, or, if not possible, the criteria used to determine that period
e) The existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
f) The right to lodge a complaint with the Information Commissioner’s Office (“ICO”)
g) If the data has not been collected from the data subject: the source of such data
h) The existence of any automated decision-making, including profiling and any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Be sure to also provide a copy of the personal data undergoing processing.
All SARs should be logged to include the date of receipt, identity of the data subject, summary of the request, indication of whether the Council can comply, and the date information is sent to the data subject.
Sample letters:
- Replying to a subject access request providing the requested personal data
“[Name] [Address]
[Date]
Dear [Name of data subject]
Data Protection subject access request
Thank you for your letter of [date] making a data subject access request for [subject]. We are pleased to enclose the personal data you requested.
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom personal data has been or will be disclosed, in particular in third countries or international organisations, including any appropriate safeguards for transfer of data;
d) where possible, the envisaged period for which personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
f) the right to lodge a complaint with the Information Commissioner’s Office (“ICO”);
g) if the data has not been collected from the data subject: the source of such data;
h) the existence of any automated decision-making, including profiling and any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Copyright in the personal data you have been given belongs to the council or to another party. Copyright material must not be copied, distributed, modified, reproduced, transmitted, published or otherwise made available in whole or in part without the prior written consent of the copyright holder.
Yours sincerely”
- Release of part of the personal data, when the remainder is covered by an exemption
“[Name] [Address]
[Date]
Dear [Name of data subject]
Data Protection subject access request
Thank you for your letter of [date] making a data subject access request for [subject]. To answer your request we asked the following areas to search their records for personal data relating to you:
• [List the areas]
I am pleased to enclose [some/most] of the personal data you requested. [If any personal data has been removed] We have removed any obvious duplicate personal data that we noticed as we processed your request, as well as any personal data that is not about you. You will notice that [if there are gaps in the document] parts of the document(s) have been blacked out. [OR if there are fewer documents enclosed] I have not enclosed all of the personal data you requested. This is because [explain why it is exempt].
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom personal data has been or will be disclosed, in particular in third countries or international organisations, including any appropriate safeguards for transfer of data;
d) where possible, the envisaged period for which personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
f) the right to lodge a complaint with the Information Commissioner’s Office (“ICO”);
g) if the data has not been collected from the data subject: the source of such data;
h) the existence of any automated decision-making, including profiling and any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Copyright in the personal data you have been given belongs to the council or to another party. Copyright material must not be copied, distributed, modified, reproduced, transmitted, published, or otherwise made available in whole or in part without the prior written consent of the copyright holder.
Yours sincerely”
- Replying to a subject access request explaining why you cannot provide any of the requested personal data
“[Name] [Address]
[Date]
Dear [Name of data subject]
Data Protection subject access request
Thank you for your letter of [date] making a data subject access request for [subject].
I regret that we cannot provide the personal data you requested. This is because [explanation where appropriate].
[Examples include where one of the exemptions under the data protection legislation applies. For example, the personal data might include personal data that is ‘legally privileged’ because it is contained within legal advice provided to the council or is relevant to ongoing litigation or preparation for litigation. Other exemptions include where the personal data identifies another living individual or relates to negotiations with the data subject. Your data protection officer will be able to advise if a relevant exemption applies. If the council is going to rely on the exemption to withhold or redact the data disclosed to the individual, then in this section of the letter the council should set out the reason why some of the data has been excluded.]
Yours sincerely”
This procedure was adopted by the parish council at its meeting on 19th January 2022 and will be reviewed at least annually.