Control measure: Processes for handling requests for access to personal information are in place and outlined in policies.
Risk: If processes for handling requests are not documented clearly, agreed processes may not be followed, requests may be handled inefficiently, and statutory requirements may not be met. This may breach UK GDPR Articles 5(2), 12, and 15.
Ways to meet our expectations:
- Document how you handle requests in sufficient detail in policies, including who oversees the request process.
- Ensure these policies have appropriate document version control.
- Communicate these policies to staff dealing with requests and make policies readily available for them to refer to.
- Keep policies up-to-date, particularly with changes to data protection law.
Options to consider:
- Have a separate policy for handling all individual rights, with specific processes for the right of access to personal information.
- Document clear step-by-step instructions or a process flow chart for handling requests.
- Include a link to individual rights policies in other relevant policies, such as the data protection policy.
Control measure: Staff are in place and are competent to handle requests for access.
Risk: Without a sufficiently resourced and competent team to handle requests, the statutory requirements and timeframe may not be met, or information may be inappropriately disclosed. This may breach UK GDPR Articles 12 and 15.
Ways to meet our expectations:
- Identify the specific staff member or team who manages and responds to requests.
- Assign sufficient resources to process the requests you receive.
- Build resilience to mitigate the risk of request backlogs or failures to meet the statutory timeframes that result from staff absence.
- Provide specialised training for staff who handle requests, particularly on statutory requirements and exemptions.
- Record training requirements in a training needs analysis or training programme.
Options to consider:
- Review training content regularly to keep it up-to-date.
- Get input into training content from subject matter experts and the DPO.
- Train additional staff who can support with high volumes or help to cover staff absences.
- Give responsibility to a named staff member or have a clear plan to prevent delays to requests you receive during extended office closures or public holidays.
Control measure: People are guided on how to make verbal or written requests for access.
Risk: If people are not given sufficient guidance, they may not be aware of their rights. This may breach UK GDPR Articles 12 and 15.
Ways to meet our expectations:
- Produce guidance on how to make verbal and written (including electronic) requests.
- Make guidance easily accessible and available in electronic and paper formats.
Options to consider:
- Create an online and paper form for people to use to submit their requests.
- Produce a script or form for support staff who receive requests for access by phone to use.
- Ask customers if they find the process to make requests clear and user-friendly.
Control measure: Processors acting on your behalf are ready and able to respond to requests for access.
Risk: If processes aren’t in place beforehand, processors may not respond to requests fully or within statutory timeframes. This may breach UK GDPR Articles 12 and 15.
Ways to meet our expectations:
- Include requirements for processors to handle requests for access in contracts, including clear timescales for response.
- Check that processors can competently respond to requests for personal information prior to processing it.
Options to consider:
- Ask processors for a named staff member or point of contact to send requests to.
- Document the process for communicating requests to processors in your subject access request policy.
- Record what information each processor processes in a detailed record of processing activities, so you can quickly identify which processors to speak to.