DATA SUBJECT ACCESS REQUEST POLICY AND PROCEDURE
This policy and procedure establishes an effective, accountable and transparent framework for ensuring compliance with the requirements for the Data Protection Legislation.
This policy and procedure applies across all entities or subsidiaries owned, controlled, or operated by MSKnote and to all employees, including part-time, temporary, or contract employees.
The Data Protection Legislation details rights of access to both manual data (which is recorded in a relevant filing system) and electronic data for the data subject. This is known as a Data Subject Access Request (DSAR).
Under the Data Protection Legislation, organisations are required to respond to subject access requests within one month. Failure to do so is a breach of the Data Protection Legislation and could lead to a complaint being made to the Data Protection Regulator.
This policy informs staff of the process for supplying individuals with the right of access to personal data and the right of access to staff information under the Data Protection Legislation. Specifically:
How should DSARs be processed after receiving?
When a subject access request is received from a data subject it should immediately be reported to the Data Protection Officer who will log and track each request. If you are asked to provide information, you will need to consider the following before deciding how to respond:
Under Data Protection Legislation Articles 7(3), 12, 13, 15-22 data subjects have the following rights:
No fee can be charged for providing information in response to a data subject access request, unless the request is ‘manifestly unfounded or excessive’, in particular because it is repetitive.
If MSKnote receives a request that is manifestly unfounded or excessive, it will charge a reasonable fee taking into account the administrative costs of responding to the request. Alternatively, MSKnote will be able to refuse to act on the request.
Subject access requests made by a representative or third party
Anyone with full mental capacity can authorise a representative/third party to help them make a data subject access request. Before disclosing any information, MSKnote must be satisfied that the third party has the authority to make the request on behalf of the requestor and that the appropriate authorisation to act on their behalf is included (see Data Request Form).
If an individual is dissatisfied with the way MSKnote Ltd have dealt with their subject access request, they should be advised to invoke the MSKnote Ltd complaints process. If they are still dissatisfied, they can complain to the Data Protection Regulator.
Compliance, monitoring and review
The overall responsibility for ensuring compliance with the requirements of the related legislation in relation to performing subject access rights at MSKnote, rests with the Data Protection Officer.
All operating units’ staff that deal with personal data are responsible for processing this data in full compliance with the relevant MSKnote policies and procedures.
TERMS AND DEFINITIONS
General Data Protection Regulation (GDPR): the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.
Data Controller: the entity that determines the purposes, conditions and means of the processing of personal data
Data Processor: the entity that processes data on behalf of the Data Controller
Data Protection Authority: national authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the Union
Data Protection Officer (DPO): an expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR
Data Subject: a natural person whose personal data is processed by a controller or processor
DSAR: data subject access request
Personal Data: any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person
Privacy Impact Assessment: a tool used to identify and reduce the privacy risks of entities by analysing the personal data that are processed and the policies in place to protect the data
Processing: any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.
Profiling: any automated processing of personal data intended to evaluate, analyse, or predict data subject behaviour
Regulation: a binding legislative act that must be applied in its entirety across the Union
Subject Access Right: also known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them
RELATED LEGISLATION AND DOCUMENTS
FEEDBACK AND SUGGESTIONS
MSKnote employees may provide feedback and suggestions about this document by emailing firstname.lastname@example.org
APPROVAL AND REVIEW DETAILS
Approval and Review
Board of Directors
Data Protection Officer
Next Review Date
Data Request Form
MSKnote Subject Access Rights Policy and Procedure