What is an individual entitled to?
If an individual asks to see the personal information we are holding about them – a subject access request – we will provide:
- confirmation that we are processing their personal data;
- a copy of their personal data; and
- reference to our Privacy Notice, which contains other supplementary information:
  - the purposes of our processing;
  - the categories of personal data concerned;
  - the recipients or categories of recipient we disclose the personal data to;
  - our retention period for storing the personal data or, where this is not possible, our criteria for determining how long we will store it;
  - the existence of their right to request rectification, erasure or restriction or to object to such processing;
  - the right to lodge a complaint with the ICO or another supervisory authority;
  - information about the source of the data, where it was not obtained directly from the individual;
  - the existence of automated decision-making (including profiling); and
  - the safeguards we provide if we transfer personal data to a third country or international organisation.
Information about third parties
An individual is only entitled to their own personal data, and not to information relating to other people (unless the information is also about them or they are acting on behalf of someone). Therefore, our first step is to establish whether the information requested falls within the definition of personal data (in most cases this will be any information about the individual which could identify them).
How do we recognise a request?
The GDPR does not specify how to make a valid request. Therefore, we will accept subject access requests verbally or in writing. We have a Subject Access Request form (see Annex at the end of this guidance note) but this is not mandatory.
A request does not have to include the phrase ‘subject access request’ or Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data.
What if the personal data is processed after the subject access request is received?
A subject access request relates to the data held at the time the request was received. However, in some cases, routine use of the data may result in it being amended or even deleted while we are dealing with the request. We will send out the data we hold at the time we make the response, but we will not amend or delete the data if we would not otherwise have done so. Under the Data Protection Act 2018 (DPA 2018), it is an offence to make any amendment with the intention of preventing its disclosure.
Do we have to explain the contents of the information we send to the individual?
The GDPR requires that the information we provide is in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This will be particularly important where the information is addressed to a child.
This means that the information should be capable of being understood by the average person (or child). However, we are not required to ensure that the information is provided in a form that can be understood by the particular individual making the request.
Charging a fee
In some cases we may charge a “reasonable fee” for the administrative costs of complying with the request if:
- it is manifestly unfounded or excessive; or
- an individual requests further copies of their data following a request.
The reasonable fee will be based on the administrative costs of complying with the request, and will be agreed by the Head of Business Services.
Alternatively, we might decide to refuse to comply with a manifestly unfounded or excessive request.
All requests should receive a response without undue delay and at the latest within one month of receipt of the request or (if later) within one month of receipt of:
- any information requested to confirm the requester’s identity; or
- a fee, if we have agreed to charge one.
The time limit will be calculated from the day we receive the request (whether it is a working day or not) until the corresponding calendar date in the next month.
We may extend the time to respond by a further two months if the request is complex or if we have received a number of requests from the same person.
We will not ask the requester to narrow the scope of their request, but we may ask them to provide additional details that will help us locate the requested information, such as the context in which their information may have been processed and the likely dates when processing occurred. However, a requester is entitled to ask for ‘all the information you hold’ about them.
We will respond to Subject Access Requests from third parties, but we need to be satisfied that the third party making the request is entitled to act on behalf of the individual, and it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney.
In some cases, if we think an individual may not understand what information we may contact the individual first to make them aware of our concerns.
What about requests for information about children?
Even if a child is too young to understand the implications of subject access rights, it is still the right of the child rather than of anyone else such as a parent or guardian. So it is the child who has a right of access to the information held about them, even though in the case of young children these rights are likely to be exercised by those with parental responsibility for them.
Before responding to a subject access request for information held about a child, we will consider whether the child is mature enough to understand their rights. If we are confident that the child can understand their rights, we will usually respond directly to the child. We may, however, allow the parent to exercise the child’s rights on their behalf if the child authorises this, or if it is evident that this is in the best interests of the child.
Disclosing information about other people
The DPA 2018 says that we do not have to comply with the request if it would mean disclosing information about another individual who can be identified from that information, except if:
- the other individual has consented to the disclosure; or
- it is reasonable to comply with the request without that individual’s consent.
We will decide whether it is appropriate to do so in each case. This decision will involve balancing the data subject’s right of access against the other individual’s rights.
Subject access requests to organisations who carry out data processing on our behalf
Responsibility for complying with a subject access request lies with us as the controller. We need to ensure there are contractual arrangements in place to guarantee that subject access requests are dealt with properly, irrespective of whether they are sent to us or to the processor.
If an exemption applies, we can refuse to comply with a subject access request (wholly or partly). Not all of the exemptions apply in the same way, and we will look at each exemption carefully to see how it applies to a particular request.
Subject Access Request Form
Police and Crime Commissioner
Send your request via email to: firstname.lastname@example.org