Data Subject Access Request (DSAR) Policy
The Policy sets out the way Trinity will respond to DSARs.
All Staff are responsible for:
Aims of the DSAR Policy
This Policy is designed to ensure that:
What is a DSAR?
Article 15 of the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) grants Data Subjects the right to access their personal data held by Trinity. It includes the right of the Data Subject to:
Trinity will provide this information (subject to any exceptions).
A DSAR can be submitted in writing or verbally. For a DSAR to be considered a valid request, it must be clear what the Data Subject is requesting; and they must provide proof of their identity.
The acceptable forms of identity are set out in the DSAR form and are a photocopy or scan of their passport or photo ID such as driver’s licence, national identification card or birth or adoption certificate. In addition, a statement within the last 3 months (bank, credit card, utility company – with transactions redacted) showing the requestor’s current address is required.
The GDPR also grants Data Subjects the right to:
Parents and/or guardians may be able to exercise some of these rights on behalf of their child (who is under the age of 18 years) in connection with their child’s personal information, though, depending on the circumstances, we may need to keep the child informed of such exercise of their rights by a parent and/or guardian.
It is always preferable for a DSAR to be in writing, so Trinity and the Data Subject have a clear record of what is requested. We recommend that the Data Subject completes the Trinity DSAR form, available on the website.
If the Data Subject, or their representative, advises that a written request is not possible, the Trinity Data Protection Office will contact them to facilitate another way to submit their DSAR.
Time limits and fees
Data Subjects have the right to have their request dealt without delay but in any event with within one (1) month from the date that the request was received by Trinity. The date of receipt is logged by Trinity. The time limit starts from the day Trinity receives the request (whether it is a working day or not) until the corresponding calendar date in the next month. For example, if Trinity receives a request on 10 September, the time limit will start from the same day. This gives Trinity until 10 October to comply with the request.
The time can be extended for an additional two months if the request is complex or we have received a number of requests from the person. If this is the case, we must let the person know within one month that we will be extending the time period and set out the reasons for the extension.
There will normally be no charge for receiving a copy of information requested in a DSAR. However, a reasonable fee may be levied when:
Examples of “manifestly unfounded” requests include when a person sends different requests to Trinity as part of a campaign with the intention of causing disruption, or the person is targeting a particular employee against whom they have a grudge.
The calculation of the fee is based on the administrative cost of providing the information. Trinity will explain why the fee has been levied within a month of receiving the original DSAR. Trinity does not have to comply with the request until it has received the fee.
Data Protection Officer
The DPO can be contacted at firstname.lastname@example.org
The DPO has overall responsibility for responding to and processing every DSAR received by Trinity. The DPO will regularly review the management of DSARs to ensure ongoing compliance, identify any issues and assure the quality and consistency of Trinity’s responses.
Locating the Information Requested
Providing the Information requested
Responding to requests to rectify or delete Personal Data
Data Subjects have the right to have their inaccurate personal data erased. This is also known as “the right to be forgotten”. It is not, however, an absolute right and applies in the circumstances listed below. Data Subjects also have the right for inaccurate personal data to be rectified or completed (if it is incomplete).
Any such request must be processed by Trinity without undue delay and within one month (using the same procedures as for a DSAR).
Individuals have the right to have their personal data erased if:
Trinity will search databases and other systems and applications where the personal data may be held and erase it within 1 month from the date of the request.
In the case of rectifying inaccurate personal data, Trinity must rectify the information without delay and notify the Data Subject that this has been completed.
Before responding to a DSAR, we need to check if there are any exemptions that apply to the personal data that is the subject of the DSAR. In the UK there are a number of public interest exemptions.
The exemptions most likely to be relevant to Trinity include exam scripts and marks and protection of the rights of others and immigration control. Please refer to the Director of Legal Services for advice on applying any exemptions.
Other linked Trinity Policies
Other useful links
Information Commissioner https://ico.org.uk/
This policy is subject to the review of Trinity’s Executive and/or as required by changes to legislation.
June 2020 (amended in July 2021)
Document Owner and Approval
The Director of Quality and Standards is the owner of this document and is responsible for ensuring that this policy document is reviewed in line with operational and GDPR requirements.
This policy was approved by Trinity’s Executive on 17 February 2020 and is issued on a version-controlled basis under their signature.