Subject Access Request

What is a Subject Access Request (SAR)?

A subject access request is a request for personal information (known as personal data) held about a Data Subject by Dorothy House. A Data Subject has the right to access to their personal data and also to obtain the following:

  • confirmation that their data is being processed;
  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipients to whom the personal data is disclosed;
  • the envisaged period for which the personal data will be stored (or the criteria used to determine that period);
  • the existence of the right to request rectification or erasure, to object to or to request the restriction of the processing;
  • the right to lodge a complaint with the Information Commissioner's Office;
  • any available information as to the source of the personal data; and
  • the existence of any automated decision-making, including profiling.

 

How does a Data Subject make a subject access request?

In order to make a subject access request a Data Subject can contact Dorothy House via telephone:

Email: info.governance@dorothyhouse-hospice.org.uk

To process a subject access request, Dorothy House ask that Data Subjects complete a form, or a letter or email outlining the information being requested and any specific time periods the request relates to.

The form is designed to assist you in the process of making a request for that personal data.  We recommend that you use it as it will ensure we have the relevant information and will therefore speed up the process.  However, it is not mandatory and we will respond to requests made in other formats. Please ask if you require help to complete the form.

 

Will we charge a fee?

No, not usually. There is no fee to make a subject access request, however if the request is manifestly unfounded or excessive the Charity may use its discretion to charge a reasonable fee. If this is the case the Data Subject will promptly be contacted.

 

What is the timeframe for responding to subject access requests?

Dorothy House has one month (starting from when it has received all the information necessary to identify the Data Subject and fulfil the request) to provide the information or explanation about why it is unable to provide the information. This can be extended in certain circumstances, such as where the request is particularly complex. Dorothy House will update Data Subjects within the initial one month period if this is the case.

 

Are there any grounds we can rely on for not complying with a subject access request?

We do not have to comply with a request if it is manifestly unfounded or excessive, in particular, because of their repetitive nature.

There are a number of legal exemptions which may apply and mean that there is no requirement to disclose personal data to a Data Subject. We may seek legal advice if we consider that they might apply. Exemptions include where the personal data attracts legal professional privilege or constitutes the personal data of a third party.

 

Subject Access Request – What happens next? 

Following receipt of a Subject Access Request the following steps will be taken:

 

  • Verify your identification

Often, we will have no reason to doubt a person’s identity, for example, if we have regularly corresponded with them. However, we can ask Data Subjects to provide any evidence we reasonably need to confirm their identity. For example, we may ask them for a piece of information held in their records that we would expect them to know: a witnessed copy of their signature or proof of their address.

If the person requesting the information is a relative/representative of the data subject, then the relative or representative is entitled to personal data about themselves but must supply the individual’s consent for the release of their personal data. If they have been appointed to act for someone under the Mental Capacity Act 2005, they must confirm your capacity to act their behalf and explain how they are entitled to access their information.

 

  • Collate the information

We will check that we have enough information in the request to find the records requested. If we feel we need more information, then we will promptly ask for this. We will gather any electronically held information (including emails) or hard copy information held in a Filing System. We will also identify any information provided by a third party or which identifies a third party.

If we have identified information that relates to third parties, we will write to them asking whether there is any reason why this information should not be disclosed. We do not have to supply the information unless the other party has provided their consent or it is reasonable to do so without their consent. If the third-party objects to the information being disclosed we may seek legal advice on what action we should take.

Before sharing any information that relates to third parties, we will where possible anonymise information that identifies third parties not already known to the individual, and redact information that might affect another party’s privacy. We may also summarise information rather than provide a copy of the whole document.

 

  • Issuing our response

We will respond to the request within one month, following the resolution of any queries around the information requested. In certain circumstances, we may request up to two further months to provide the information, for example where the requests are complex. Copies of the information in a permanent form will be sent to the Data Subject except where they agree, where it is impossible, or where it would involve undue effort. In these cases, an alternative would be to allow the Data Subject to view the information on screen at the Hospice.

We will explain any complex terms or abbreviations contained within the information when it is shared. Unless specified otherwise, we will also provide a copy of any information that the Data Subject has seen before.