Subject Access Request Policy
Introduction and Purpose
This Subject Access Request (SAR) Policy outlines the procedures and guidelines for individuals to request access to their personal data held by Out of the Woods. The policy ensures compliance with relevant data protection laws, including but not limited to the General Data Protection Regulation (GDPR) and any applicable local data protection laws.
Scope
This policy applies to all individuals who wish to exercise their right to access their personal data held by Out of the Woods. This includes current and former employees, customers, clients, partners, and any other individuals whose personal data is processed by the organization.
Legal Basis
Roles and Responsibilities
Out of the Woods Data Protection Officer is Carol Whibley.
Definitions
- Personal Data: Any information relating to an identified or identifiable individual.
- Data Subject: The individual to whom the personal data belongs.
- SAR: Subject Access Request, a formal request from a data subject to access their personal data.
- Data Controller: [Your Organization Name], the entity that determines the purposes and means of processing personal data.
Submitting a SAR:
Individuals who wish to request access to their personal data must do so in writing. This request can be submitted via email to the Data Protection Officer (DPO) at info@outofthewoods-therapy.co.uk
The request should include the following information:
- Full name of the data subject making the request.
- Contact details for correspondence (email address, phone number, postal address).
- Sufficient information to identify the personal data in question.
Processing of SARs
Upon receipt of a valid SAR, Out of the Woods will acknowledge the request within 5 working days. The DPO will initiate the verification process to confirm the identity of the data subject to prevent unauthorized access to personal data.
Once the data subject's identity is confirmed, Out of the Woods will proceed to gather the requested personal data. This may involve data retrieval from relevant departments or systems. The organization will endeavour to fulfil the request within 30 days from the date of verification.
This time frame may be extended in complex cases, but the individual should be informed of the delay and reasons.
Examples of documentation accepted as proof of I
- Full or provisional UK Driver's License
- Passport
- Student ID
- HM Armed Forces identity card.
- Financial statement such as a bank, building society, or credit card statement (UK) and EEA. D statements will not be accepted) *dated within the last 3 months.
- Bank Cards
- Utility bills (gas, water, electricity or land-line telephone)
- Council tax statement **dated within the last 12 months
- Biometric Residence Permit (formerly known as identity cards for foreign nationals) (UK)
- Benefit statement. Book or card; or original notification letter from Department of Work and Pensions (DPW) confirming the rights to benefit – for example, child allowance, pension (UK) * dated within the last 3 months
- Full birth certificate (UK and Channel Islands) issued after the date of birth by the General Register Office or other relevant authority, for example registrars.
- Work permit/residency permit (UK) valid up to the expiry date
- Adoption certificate (UK and Channel Islands)
- Marriage or civil partner certificate (UK and Channel Islands)
Fees
There is no fee. However, a 'reasonable fee' will be charged for the administrative costs of complying with a request if it is manifestly unfounded or excessive, or if an individual requests further copies of their data.
Providing the Requested Data
Communication
Out of the Woods will communicate with the requester via email, letter of phone call. The requested data. The personal data will be provided in a clear and understandable format. If the data is voluminous, Out of the Woods may provide the data electronically, where feasible..
Exemptions
Certain exemptions may apply, which could result in the organization not disclosing specific information requested in the SAR. These exemptions include, but are not limited to, legal privilege, ongoing investigations, or protection of third-party data.
Appeals Process
If the data subject is not satisfied with the response to their SAR, they have the right to raise a complaint with the Information Commissioners Office (ICO). https://ico.org.uk/make-a-complaint/data-protection-complaints/data-protection-complaints/
Record Keeping:
Out of the Woods will maintain records of SARs received and processed for compliance purposes via a digital database.
Review and Update
This policy will be reviewed and updated periodically to ensure its effectiveness and compliance with changing laws.
Contact Information
For any more information regarding a Subject Access Request please contact
Carol Whibley (Data Protection Officer)
c.w@outofthewoods-therapy.co.uk
Policy reviewed by Carol Whibley
27/08/2023