Data Subject Access Request (DSAR) Policy

Title

Data Subject Access Request (DSAR) Policy

Objective

The Policy sets out the way Trinity will respond to DSARs.

Scope

  • This policy applies to all Trinity employees, temporary and freelance staff, contractors, consultants, suppliers and data processors working for, or on behalf of Trinity (“Staff”). 
  • It also applies to Data held on all Trinity systems, whether hosted on site or in the cloud, on portable storage media or devices or paper.

All Staff are responsible for:

  • ensuring that they recognise a DSAR and forward it or direct the requestor to the Data Protection Officer immediately; and
  • if requested by the DPO, conducting a search for information and providing it in response to a DSAR within the specified timeline.

Aims of the DSAR Policy

This Policy is designed to ensure that:

  1. Data Subjects are provided with a clear way of requesting access to their personal information (see DSAR form).
  2. DSARs received by Trinity are recognised, logged and acknowledged in a timely manner.
  3. Staff asked to provide information in response to a DSAR are aware of their duties and responsibilities to comply with these requests.
  4. Responses to DSARs are delivered on time, consistently and in accordance with the rights of the Data Subjects.
  5. Any exemptions applied by Trinity to the right to access are made appropriately and consistently and are properly documented.

What is a DSAR?

Article 15 of the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) grants Data Subjects the right to access their personal data held by Trinity.  It includes the right of the Data Subject to:

  • obtain confirmation that we process their personal data,
  • receive certain information about the processing of their personal data, and
  • obtain a copy of the personal data processed. 

Trinity will provide this information (subject to any exceptions).

A DSAR can be submitted in writing or verbally. For a DSAR to be considered a valid request, it must be clear what the Data Subject is requesting; and they must provide proof of their identity.

The acceptable forms of identity are set out in the DSAR form and are a photocopy or scan of their passport or photo ID such as driver’s licence, national identification card or birth or adoption certificate. In addition, a statement within the last 3 months (bank, credit card, utility company – with transactions redacted) showing the requestor’s current address is required.

The GDPR also grants Data Subjects the right to:

  • Request correction or erasure of their personal data
  • Restrict or object to certain types of data processing
  • Make a complaint with their local data protection authority

Parents and/or guardians may be able to exercise some of these rights on behalf of their child (who is under the age of 18 years) in connection with their child’s personal information, though, depending on the circumstances, we may need to keep the child informed of such exercise of their rights by a parent and/or guardian.

It is always preferable for a DSAR to be in writing, so Trinity and the Data Subject have a clear record of what is requested. We recommend that the Data Subject completes the Trinity DSAR form, available on the website.

If the Data Subject, or their representative, advises that a written request is not possible, the Trinity Data Protection Office will contact them to facilitate another way to submit their DSAR.

Time limits and fees

Data Subjects have the right to have their request dealt with without delay, and in any event within one (1) month from the date that the request was received by Trinity. The date of receipt is logged by Trinity. The time limit starts from the day Trinity receives the request (whether it is a working day or not) and runs until the corresponding calendar date in the next month. For example, if Trinity receives a request on 10 September, the time limit will start from the same day. This gives Trinity until 10 October to comply with the request.

The time can be extended for an additional two months if the request is complex or we have received a number of requests from the person. If this is the case, we must let the person know within one month that we will be extending the time period and set out the reasons for the extension.

There will normally be no charge for receiving a copy of information requested in a DSAR.  However, a reasonable fee may be levied when:

  • A request is considered by Trinity to be “manifestly unfounded”, excessive or repetitive;
  • There are requests for additional copies of the same information.

Examples of “manifestly unfounded” requests include when a person sends different requests to Trinity as part of a campaign with the intention of causing disruption, or the person is targeting a particular employee against whom they have a grudge.

The calculation of the fee is based on the administrative cost of providing the information. Trinity will explain why the fee has been levied within a month of receiving the original DSAR. Trinity does not have to comply with the request until it has received the fee.

Data Protection Officer

The DPO can be contacted at dpo@trinitycollege.com  

The DPO has overall responsibility for responding to and processing every DSAR received by Trinity. The DPO will regularly review the management of DSARs to ensure ongoing compliance, identify any issues and assure the quality and consistency of Trinity’s responses.

Locating the Information Requested

  • The right to access the information held about the Data Subject extends to all information held about them, including emails that refer to them, personnel files and notes.
  • The DPO will establish the nature and likely location of the information requested and will contact the relevant business and system owner.
  • The DPO will provide guidance and support to Staff conducting the searches to be carried out but it is the responsibility of individual Staff members to carry out the searches within agreed timescales.
  • The DPO will review and screen the information to exclude any information the Data Subject is not entitled to (such as information relating to another person).

Providing the Information requested

  • The information provided to the Data Subject should be in clear and plain language, easily accessible and concise.
  • Trinity will provide the information in the format requested by the Data Subject where reasonably possible and in a secure electronic format, or if not possible, in hard copy. 
  • Trinity will explain if any exemptions have been applied and redact the personal information of any other persons (unless they have consented to the disclosure).

Responding to requests to rectify or delete Personal Data

Data Subjects have the right to have their inaccurate personal data erased. This is also known as “the right to be forgotten”. It is not, however, an absolute right and applies in the circumstances listed below.  Data Subjects also have the right for inaccurate personal data to be rectified or completed (if it is incomplete).

Any such request must be processed by Trinity without undue delay and within one month (using the same procedures as for a DSAR).

Individuals have the right to have their personal data erased if:

  • the personal data is no longer necessary for the purpose for which we originally collected or processed it;
  • Trinity is relying on consent as the lawful basis for holding the data, and the person withdraws their consent;
  • the personal data has been unlawfully processed;
  • Trinity is relying on legitimate interest as the basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing.

Trinity will search databases and other systems and applications where the personal data may be held and erase it within 1 month from the date of the request.

In the case of rectifying inaccurate personal data, Trinity must rectify the information without delay and notify the Data Subject that this has been completed.

Exemptions

Before responding to a DSAR, we need to check if there are any exemptions that apply to the personal data that is the subject of the DSAR.  In the UK there are a number of public interest exemptions.

The exemptions most likely to be relevant to Trinity include exam scripts and marks, protection of the rights of others, and immigration control. Please refer to the Director of Legal Services for advice on applying any exemptions.

Other linked Trinity Policies

Other useful links

Information Commissioner https://ico.org.uk/

Review

This policy is subject to the review of Trinity’s Executive and/or as required by changes to legislation.

Effective date

June 2020 (amended in July 2021)

 

Document Owner and Approval

The Director of Quality and Standards is the owner of this document and is responsible for ensuring that this policy document is reviewed in line with operational and GDPR requirements.

This policy was approved by Trinity’s Executive on 17 February 2020 and is issued on a version-controlled basis under their signature.

Page last updated: 1 September 2021

 
