The purpose of this policy is:
1. The purpose of this policy is to set out what a legitimate access request is and the time scales for responding to different types of requests.
2. In this policy ‘we/our’ is ESS the charity and ‘you/your’ is anyone reading this policy whose personal data ESS holds.
Individual’s rights under GDPR
3. Many of the individual rights set out in the GDPR deal with access to information held. These are:
- Right to access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
Right to access:
4. Individuals have the right to access their personal data and supplementary information. This allows them to be aware of and verify the lawfulness of the processing.
5. Individuals have the right to:
- Confirm their personal data is being processed
- Access their personal data
- Access supplementary information
6. Access requests must be dealt with within one month of receiving the request and must be provided free of charge. If the request/s is complex or numerous an extension of two months is allowed. We will tell you if we require an extension.
7. Multiple requests for the same data from the same individual can be onerous and we are allowed to introduce an administration fee. We would only exercise this right in exceptional circumstances.
Right to rectification:
8. This gives individuals the right to have their personal data updated or corrected if information held is inaccurate or incomplete.
9. The GDPR allows a month for changes in personal data to be made. If the request is complex an additional two months can be added.
10. If ESS has shared this information with anyone else we tell the third party that the data has been updated. This is unless this proves impossible or involves disproportionate effort. Individuals should be told who their data has been shared with.
Evaluation Support Scotland Access request policy
11. We have the option not to action the request for rectification. If we choose not to, we must explain why, and individuals have the right to complain to the Information Commissioner's Office (ICO).
Right to erasure (‘right to be forgotten’)
12. An individual has the right to request deletion or removal of their personal data where there is no compelling reason for its continued processing.
13. This right applies when:
- the processing of personal data is no longer necessary in relation to the purpose for which it was first collected/processed
- if you withdraw consent
- if you object to the processing and there is no legitimate interest for continued processing
- personal data was unlawfully processed
- data has to be erased to comply with a legal obligation
Can the right to erasure be refused?
14. Under the following conditions a request to be forgotten can be refused:
- to exercise the right of freedom of expression and information
- to comply with a legal obligation for the performance of a public interest task or exercise of official authority
- public health purposes
- the exercise or defence of legal claims.
15. As with the right to rectification, if the data was shared with a third party they have to be informed of the deletion.
Right to restrict processing:
16. Individuals have the right to ‘block’ or suppress processing of personal data. When processing is restricted we are still able to store it, just not process it. We will generally have to keep a little information to ensure that we don’t process your personal information anymore.
17. This applies as follows:
- when individuals contest the accuracy of the personal data, we would restrict processing until the accuracy has been verified
- when an objection to processing has been made and we’re considering whether our legitimate interest overrides those of the individual
- when processing is unlawful and the individual opposes erasure and requests restriction instead
- if the personal data is no longer needed but the individual requires the data to establish, exercise or defend a legal claim.
Right to data portability
18. This allows the individual to obtain and reuse their personal data for their own purposes across different services. It allows people to move, copy or transfer data easily from one IT environment to another.
19. Information will be exported into Excel and saved as a .csv file, which is a universal format.
20. This right applies when:
- An individual has provided data to ESS
- Where processing is based on consent or for the performance of a contract
- When processing is carried out by automated means (ESS does not do this)
Right to object
21. Individuals have the right to object to:
- processing based on legitimate interests, or performance of a task in the public interest/exercise of official authority (including profiling)
- direct marketing (including profiling)
- processing for purposes of scientific/historic research and statistics
22. Individuals must have an objection on “grounds relating to his or her particular situation”. This means objections cannot be made ‘in general’. There has to be a specific, personal reason.
23. Processing of personal data must stop unless:
- ESS can demonstrate compelling legitimate grounds for the processing, which overrides the interests, rights and freedoms of the individual
- processing is for the establishment, exercise or defence of legal claims.
Automated decision making and profiling
24. Individuals also have rights around automated decision making and profiling by organisations. ESS does not use automated decision making.
Dealing with an access request
25. In the first instance, access requests should be sent to the Finance and Business Manager (firstname.lastname@example.org). However, individual members of staff may be required for data retrieval (e.g. emails to or about the person) for certain projects or from certain programmes. It may also be necessary for a member of staff to fulfil the request or conversely not be involved at all.