In the process of undertaking our day-to-day work, Smart Communities Limited (SCL) regularly has the need to collect and use information about people with whom we work – members, employees (current, past and prospective), Trustees, clients, consultants and suppliers.
SCL acknowledges the rights of individuals as set out in the Data Protection Act 1998 and General Data Protection Regulation 2018, and we aim to respond promptly and appropriately to any Subject Access Request received.
1. Individual’s rights
GDPR sets out the following 8 rights of data subjects:
1. the right to be informed – individuals have the right to be informed about the collection and use of their personal data. SCL has updated its privacy notices and documentation so that we are fully transparent about the personal data that we will obtain, the purpose(s), who it will be shared with, and how long it will be kept. Privacy notices include the rights of individuals.
2. right of access – any living individual has the right to make a Data Subject Access Request, see below.
3. right to rectification – we have a responsibility to ensure that data is accurate, and individuals can request that personal data is corrected either verbally or in writing. SCL has 30 days to respond. This is the responsibility of the DPO.
4. right of erasure – or ‘right to be forgotten’. Data subjects can request that their personal data is deleted. SCL has 30 days to determine whether this is applicable and respond. It is the responsibility of the DPO to ensure that data is erased appropriately.
5. right to restrict processing / suppress their data – as above, requests can be made verbally or in writing and the DPO has 30 days to consider and respond.
6. right to data portability – this allows individuals to obtain and reuse their personal data for their own purposes across different services.
7. right to object – to processing, profiling, or inclusion in statistics
8. and the right not to be subject to automated decision-making.
2. Subject Access Requests
SCL endeavours to be clear and transparent about personal data held. The individual must confirm their identity, complete a Data Subject Access Request form and submit it to SCL. A copy of this form is available by contacting SCL using the main address or by emailing firstname.lastname@example.org.
On receipt of a Subject Access Request form, SCL will forward it to the nominated Data Protection Officer. All Subject Access Requests will be logged on a register here: General Drive – GDPR – SAR Log. The date of receipt will be recorded to enable monitoring against the 30-day timescale set out in legislation. SCL will not charge to respond to Subject Access Requests unless requests are excessive, in which case a reasonable fee will be charged to cover the costs of preparing the response.
The responses must go through the following steps:
• Confirm whether the request is a Subject Access Request. If not then respond in accordance with usual procedures.
• Confirm the identity of the individual making the request in order to avoid inappropriate disclosure. Request any evidence required to confirm identity.
• Is the request clear about what the data subject requires, and is there sufficient information to be able to find out what they want? If not then promptly request further information from the subject.
• Confirm whether SCL does have the data that the subject has requested. If not then promptly notify the subject that this is the case.
• Determine whether the information will change between receiving the request and sending the response. Normal processing can still occur, however records must not be changed as a result of the request.
• Does it include information about other data subjects? If so and it is not reasonable to provide this information, and you do not have their consent, then we can either redact the information, or provide a limited response and explain that this is the case.
• Does the information requested include any codes or language not easily understood by the subject? If so provide explanations.
• Formulate the response in an appropriate format that the respondent will be able to open and keep.
• Ensure that in all cases the applicant is made aware of the SCL complaints policy.
Personal Data Requests via the phone
Phone calls can lead to unauthorised use or disclosure of personal information and the following precautions should be taken:
• Personal information should not be given out over the telephone unless you have no doubts as to the caller’s identity and the information requested is innocuous.
• If you have any doubts, ask the caller to put their enquiry in writing.
• If you receive a phone call asking for personal information to be checked or confirmed, be aware that the call may come from someone impersonating someone with a right of access.
Overall responsibility for this policy lies with the SCL Board of Directors / Trustees and its implementation with the Senior Management Team.