The Data Governance Manager (DGM) is responsible for maintaining and reporting against a central Individual Rights Register, which includes a record of all Subject Access Requests (SAR - as defined by UK GDPR) submitted and responded to across all SSAFA operations.
Data Governance Manager DGM and Data Protection Officer (DPO) should be consulted when necessary for further guidance and assistance with decision-making.
For the Subject Access Request Form please click below
Formal Subject Access Requests (SAR)
A. Service Users request access to own file Formal SAR request
- The request can be received verbally or in writing (letter or email).
- Record request on RAD Management.
- SWTL to inform DGM of SAR request, passing on details and copy of the request (unless made verbally) including any specificity of data requested.
- DGM to determine if proof of identity of Service User is required, requesting it if necessary.
- DGM to notify the Service User that their request has been received as well as inform them of their rights and when they should expect to receive the response.
- DGM to request PS&SWS prepare copy of relevant file(s).
- Admin to prepare file.
- Relevant file to be sent to DGM, who will:
- Contact any 3rd Party where their consent is required
- Review file to identify 3rd Party data and any content to be redacted/extracted
- Arrange for file to be redacted by redaction agency, when necessary
- Prepare final file(s) and send formal response to the Service User
- Notify SWTL that SAR has been responded to and closed.
- Update RAD, in IMP
B. Solicitor requests access to file on behalf of Service User
Note: This should be treated as if it were a SAR received from the Service User direct
- Steps 2 to 9 (above) to be followed
- For Step 4: A letter of authority is usually supplied with a solicitor’s request for a client. If not, request that the solicitor provide evidence of authority/consent. This should not delay preparing the file.
Sharing Service User Data with Law Enforcement Authorities
Note: Although a data sharing agreement may not be required, we must satisfy ourselves of the lawful basis for sharing a Service User’s personal data if we are not seeking their consent. Consult DGM and DPO as necessary.
C. Police request access to file
- Police to provide appropriate documentation and definition of information required when requesting it. Documentation will vary depending upon reason for request; urgency of need and a determination of need for Service User’s consent will need to be made (e.g. intent to arrest or apprehend the Service User; safeguarding concerns regarding a child versus other (less urgent) information).
- Record request on RAD Management
- Inform DGM of the request (for central register).
- File to be prepared, containing ONLY the specified information/data.
- File to be emailed to police (please note all documents to be sent in PDF format).
- Inform DGM of closure.
D. Court request access to file
- Court to provide completed documentation requesting the information, this would usually include a court order overriding the need for the Service User’s permission to share.
- Record request on RAD Management.
- Inform DGM of the request (for central register).
- File to be prepared, containing ONLY the specified information/data.
- File to be emailed to court (please note all documents to be sent in PDF format).
- Inform DGM of closure.
Informal Requests
E. Service User’s request access to own file Informal request
Note: An informal request is when the Service User is seeking only part of their file for a specific purpose and requires it in a short time period. All other requests should be managed as a SAR (see (A) above).A record should be kept of decisions to treat occurrences as informal requests.
- Send letter / email to acknowledge receipt of their request. This request can be received verbally or in writing. If verbal, then photo ID is required before you send the file; this should not delay preparing the file.
- Record request on RAD Management, in IMP this should be updated during the process. A rough timescale for the request can be set.
- Where third party data is included, identify the third parties and request their permission to share (this should not delay preparing the file) OR prepare to redact third party details in response material.
- Admin to prepare file.
- Fieldworker &/or SWTL to prepare file.
- Redact as appropriate.
- File to be vetted by SWTL or RM.
- SWTL to notify SU that file is ready and send file to SU ensuring it is in an un-editable format (PDF). SWTL to arrange where access will take place (usually a SSAFA office, if possible, to be able to answer any questions).
- Update RAD, in IMP
Redaction Guidance
Responding to any request may involve providing information related to both the individual making the request and another individual(s). Redaction is the removal of this third-party information from the copy of the Service User’s record.
Exceptions:
- Where consent is given by the third party
- Information required to be disclosed by law or in connection with legal proceedings
Other considerations:
- Third party permission is to be sought before information is shared (except where an exception applies); please note the third party can request to see the information held by us before deciding whether to give permission
- Professional information can be shared without consent if it is thought to be pertinent providing the third party cannot be identified
- Information which is out of scope of the informal request (i.e. due to it not being the applicant’s personal data) should be considered for redacted