GDPR Subject Access Request (SAR) Procedure
This procedure is to be followed when an individual contacts Lutton Parish Council to request access to their personal information held by the Council. Requests must be completed within 1 month, so each request should be actioned as soon as it is received. SARs should be provided free of charge; however, you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
The steps below should be followed to action the request:
Is it a valid subject access request?
The request must be in writing (letter, email, social media or fax).
Has the person requesting the information provided you with sufficient information to allow you to search for the information? (You are allowed to request more information from the person if the request is too broad.)
Verify the identity of the requestor.
You must be confident that the person requesting the information is indeed the person the information relates to. You should ask for the person to attend the office or meeting place with their passport/photo driving licence and confirmation of their address (utility bill/bank statement).
Determine where the personal information will be found
Consider the type of information requested and use the data processing map to determine where the records are stored. (Personal data is data which relates to a living individual who can be identified from the data (name, address, email address, database information) and can include expressions of opinion about the individual.)
If you do not hold any personal data, inform the requestor. If you do hold personal data, continue to the next step.
Screen the information
Some of the information you have retrieved may not be disclosable due to exemptions; however, legal advice should be sought before applying exemptions.
Examples of exemptions are:
References you have given
Publicly available information
Crime and taxation
Management information (restructuring/redundancies)
Negotiations with the requestor
Regulatory activities (planning enforcement, noise nuisance)
Legal advice and proceedings
Personal data of third parties
Are you able to disclose all the information?
In some cases, emails and documents may contain the personal information of other individuals who have not given their consent to share their personal information with others. If this is the case, the other individual’s personal data must be redacted before the SAR is sent out.
Prepare the SAR response (using the sample letters at the end of this document) and make sure to include as a minimum the following information:
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipients to whom personal data has been or will be disclosed, in particular in third countries or international organisations, including any appropriate safeguards for transfer of data;
where possible, the envisaged period for which personal data will be stored, or, if not possible, the criteria used to determine that period;
the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
the right to lodge a complaint with the Information Commissioner’s Office (“ICO”);
if the data has not been collected from the data subject: the source of such data;
the existence of any automated decision-making, including profiling and any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Be sure to also provide a copy of the personal data undergoing processing.
All SARs should be logged, recording the date of receipt, the identity of the data subject, a summary of the request, an indication of whether the Council can comply, and the date the information is sent to the data subject.