In the process of undertaking our day to day work, CCS regularly has the need to collect and use information about people with whom we work – members, employees (current, past and prospective), trustees, clients, consultants and suppliers.
CCS acknowledges the rights of individuals as set out in the Data Protection Act 1998 and General Data Protection Regulation 2018, and we aim to respond promptly and appropriately to any Subject Access Request received.
1. Individual’s rights
GDPR sets out the following 8 rights of data subjects;
- the right to be informed – individuals have the right to be informed about the collection and use of their personal data. CCS has updated its privacy notices and documentation so that we are fully transparent about the personal data that we will obtain, the purpose(s), who it will be shared with, and how long it will be kept. Privacy notices include the rights of individuals.
- the right of access – any living individual has the right to make a Data Subject Access Request, see below.
- the right to rectification – we have a responsibility to ensure that data is accurate, and individuals can request that personal data is corrected either verbally or in writing. CCS has 30 days to respond. This is the responsibility of the Data Protection Officer (DPO).
- the right of erasure – or ‘right to be forgotten’. Data subjects can request that their personal data is deleted. CCS has 30 days to determine whether this is applicable and respond. It is the responsibility of the DPO to ensure that data is erased appropriately.
- the right to restrict processing / suppress their data – as above requests can be made verbally or in writing and the DPO has 30 days to consider and respond.
- the right to data portability – this allows individuals to obtain and reuse their personal data for their own purposes across different services.
- the right to object – to processing, profiling, or inclusion in statistics and
- the right not to be subject to automated decision-making.
2. Subject Access Requests
CCS endeavours to be clear and transparent about personal data held. The individual must confirm their identity and complete a Data Subject Access Request form and submit to CCS. A copy of this form is available by contacting CCS using the main address or by emailing firstname.lastname@example.org.
On receipt of a Subject Access Request form, CCS will forward to the nominated Data Protection Officer. All Subject Access Requests will be logged on a register here: General Drive – GDPR – SAR Log. The date of receipt will be recorded to enable monitoring against the 30 days timescales set out in legislation.
CCS will not make a charge to respond to Subject Access Requests unless requests are excessive, in which case a reasonable fee will be charged to cover the costs of preparing the response.
The responses must go through the following steps;
- Confirm whether the request is a Subject Access Request. If not then respond in accordance with usual procedures.
- Confirm the identity of the individual making the request in order to avoid inappropriate disclosure. Request any evidence required to confirm identity.
- Evaluate that the request is clear about what the data subject requires, and that there is sufficient information to be able to comply with their request. Notify the subject if this is not the case.
- Determine whether the information will change between receiving the request and sending the response. Normal processing can still occur, however, records must not be changed as a result of the request.
- If the request includes information about other data subjects, it is not reasonable to provide this information, and CCS does not have their consent, then the information can either be redacted or a limited response provided with an explanation.
- If the request includes information containing any codes or language not easily understood by the subject a full explanation should be provided.
- The response should be supplied in an appropriate format that the respondent will be able to open and keep.
- The subject should be made aware of the CCS complaints policy.
Phone calls can lead to unauthorised use or disclosure of personal information and the following precautions should be taken:
- Personal information should not be given out over the telephone unless the caller’s identity has been established beyond doubt and the information requested is innocuous.
- If in doubt, ask the caller to put their enquiry in writing.
Overall responsibility for this policy lies with the CCS Board of Directors / Trustees and its implementation with the Senior Management Team.