Documents
Little Eccleston With Larbreck Parish Council > Documents > Policies > Subject Access Request Policy

Subject Access Request Policy

Policies Uploaded on March 5, 2025
Download

LITTLE ECCLESTON WITH LARBRECK PARISH COUNCIL

Subject Access Request Policy (SARS)

Issue No Date Agreed Min Ref Details of Amendments
01 Feb 21 782/21 New Policy
02 Sept 24 1250/24 General review and new email address/website added

Application form added

 

This policy aims to comply with the requirements of the General Data Protection Regulations (GDPR), which came in force on 25 May 2018

Data subjects have the right to access personal data held about them by the Council.  Details are set out in the Privacy Notice on the Council’s website.

This policy is in place to ensure that internal procedures on the handling of SARs are accurate and complied with and includes:

  • Responsibilities (who, what)
  • Timing
  • Changes to data
  • Handling requests for rectification, erasure or restriction of processing.

The Council will ensure that personal data is easily accessible at all times in order to ensure a timely response to SARs and that personal data on specific data subjects can be easily filtered.

The Council has implemented standards on responding to SARs.

  1. Upon receipt of a SAR
    • The data subject will be informed who at the Council to contact, the Data Controller.
    • The identity of the data subject will be verified and if needed, any further evidence on the identity of the data subject may be requested.
    • The access request will be verified; is it sufficiently substantiated? Is it clear to the Data Controller what personal data is requested? If not, additional information will be requested.
    • Requests will be verified as to them being unfounded or excessive (in particular because of their repetitive character); if so, the Council may refuse to act on the request or charge a reasonable fee.
    • Receipt of the SAR will be promptly acknowledged and the data subject will be informed of any costs involved in the processing of the SAR.
    • Whether the Council processes the data requested will be verified. If the Council does not process any data, the data subject will be informed accordingly. At all times the internal SAR policy will be followed and progress may be monitored.
    • Data will not be changed as a result of the SAR. Routine changes as part of the processing activities concerned may be permitted.
    • The data requested will be verified to establish if it involves data on other data subjects. This data will be filtered before the requested data is supplied to the data subject; if data cannot be filtered, other data subjects will be contacted to give consent to the supply of their data as part of the SAR.

 

  1. Responding to a SAR
    • The Council will respond to a SAR within one calendar month after receipt of the request:
      • If more time is needed to respond to complex requests, an extension of another two calendar months is permissible, and this will be communicated to the data subject in a timely manner within the first month;
      • if the council cannot provide the information requested, it will inform the data subject on this decision without delay and at the latest within one calendar month of receipt of the request.
    • If a SAR is submitted in electronic form, any personal data will be preferably provided by electronic means as well.
    • If data on the data subject is processed, the Council will ensure as a minimum the following information in the SAR response:
      • the purposes of the processing;
      • the categories of personal data concerned;
      • the recipients or categories of recipients to whom personal data has been or will be disclosed, in particular in third party countries or international organisations, including any appropriate safeguards for transfer of data, such as Binding Corporate Rules or EU model clauses
      • where possible, the envisaged period for which personal data will be stored, or, if not possible, the criteria used to determine that period;
      • the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
      • the right to lodge a complaint with the Information Commissioners Office (“ICO”);
      • if the data has not been collected from the data subject: the source of such data;
      • the existence of any automated decision-making, including profiling and any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
    • Provide a copy of the personal data undergoing processing.

Implementing the Subject Access Requests Policy – Council Checklist on what MUST be done

 

On receipt of a subject access request it must be forwarded immediately to The Clerk who will identify whether a request has been made under the Data Protection legislation

 

  1. A member of staff, and as appropriate, councillor, who receives a request to locate and supply personal data relating to a SAR must make a full exhaustive search of the records to which they have access.
  2. All the personal data that has been requested must be provided unless an exemption applies. (This will involve a search of emails/recoverable emails, word documents, spreadsheets, databases, systems, removable media (for example, memory sticks, floppy disks, CDs), tape recordings, paper records in relevant filing systems.)
  3. A response must be provided within one calendar month after accepting the request as valid.
  4. Subject Access Requests must be undertaken free of charge to the requestor unless the legislation permits reasonable fees to be charged.
  5. The Council must provide where necessary an explanation with the personal data in an “intelligible form”, which will include giving an explanation of any codes, acronyms and complex terms. The personal data will be supplied in a permanent form except where the requestor agrees or where it is impossible or would involve undue effort. Agreement may be sought with the requestor that they will view the personal data on screen or inspect files on Council premises. Any exempt personal data will be redacted from the released documents with explanation why that personal data is being withheld.
  6. The Council must ensure a request has been received in writing where a data subject is asking for sufficiently well-defined personal data held by the council relating to the data subject. What personal data is needed will be clarified with the requestor, who must supply their address and valid evidence to prove their identity. The council accepts the following forms of identification (* These documents must be dated in the past 12 months, +These documents must be dated in the past 3 months):
  • Current UK/EEA Passport
  • UK Photocard Driving Licence (Full or Provisional)
  • Firearms Licence / Shotgun Certificate
  • EEA National Identity Card
  • Full UK Paper Driving Licence
  • State Benefits Entitlement Document*
  • State Pension Entitlement Document*
  • HMRC Tax Credit Document*
  • Local Authority Benefit Document*
  • State/Local Authority Educational Grant Document*
  • HMRC Tax Notification Document
  • Disabled Driver’s Pass
  • Financial Statement issued by bank, building society or credit card company+
  • Judiciary Document such as a Notice of Hearing, Summons or Court Order
  • Utility bill for supply of gas, electric, water or telephone landline+
  • Most recent Mortgage Statement
  • Most recent council Tax Bill/Demand or Statement
  • Tenancy Agreement
  • Building Society Passbook which shows a transaction in the last 3 months and your address

 

  1. Where a requestor is not satisfied with a response to a SAR, the council must manage this as a complaint under the Council’s Complaints Policy.

 

 

 

 

 

 

 

Contact Details and Website

 

Website: lewlparishcouncil.gov.uk

 

Clerks email: parishclerk@lewlparishcouncil.gov.uk