Procedures for processing data subject rights.


The GDPR provides the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

This document sets out the basic conditions under which each Right applies & the action Truth Gym (TG) takes in order to comply with that Right. Extensive use is made of material from the Information Commissioner’s Office (ICO): https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/


The basic concepts & reasons for the rights are straightforward. However, there are limits & exceptions in each case. For up-to-date guidance please use the references.


Text in italics is quoted direct from the ICO web pages.


For all the Rights, the subject can appeal to the ICO.

  1. Right: The right to be informed

Rationale:

This is a key transparency requirement under the GDPR.


The Controller/Processor should be pro-active in providing information to the subject. See below for a checklist. If a subject seeks further information about the processing, then transparency (& clarity, honesty) would always be the objective.


Can the Controller/Processor refuse to comply?

No. They must provide information to the subjects or potential subjects of the processing.


How should the Controller/Processor comply?

‘You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.’ Thus any proposed significant change to your processing should trigger a review of your current privacy information.


A significant part of the privacy information will describe how a subject can exercise their rights.


Items to include:

- The name and contact details of our organisation.

- The name and contact details of our representative (if applicable).

- The contact details of our data protection officer (if applicable).

- The purposes of the processing.

- The lawful basis for the processing.

- The legitimate interests for the processing (if applicable).

- The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).

- The recipients or categories of recipients of the personal data.

- The details of transfers of the personal data to any third countries or international organisations (if applicable).

- The retention periods for the personal data.

- The rights available to individuals in respect of the processing.

- The right to withdraw consent (if applicable).

- The right to lodge a complaint with a supervisory authority.

- The source of the personal data (if the personal data is not obtained from the individual it relates to).

- The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).

- The details of the existence of automated decision-making, including profiling (if applicable).


Process within TG

‘The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.’ The ICO strongly recommends that material is tested with a user group if at all possible. The intention is that the material is not heavy with jargon.


Make use of various media (printed, electronic), routes (posters for general consumption, a direct mailshot when a subject’s data are first processed) & topics (e.g. purposes of processing, subject rights).


The Privacy Information will be subject to annual review, or sooner if there is a significant change in processing activity.


Procedure for Rights 2 – 7


Rights 2-7 are exercised at the request of the subject. The GDPR allows the initial request to be made in writing or verbally. However, it is good practice to obtain a definite record of the request, & to confirm the identity of the requester (or their agent), because these Rights lead either to release of data or to modification of what is held. The Controller/Processor needs a clear record of the reason why they carried out the action.


In all cases the identity of the subject must be confirmed. Depending upon the situation this may be face-to-face with supporting documents or by a completed form with copies of the supporting documents. The ICO takes the line that validating identity can take place but should not be onerous, stating:


If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for.


You must let the individual know without undue delay and within one month that you need more information from them to confirm their identity. You do not need to comply with the request until you have received the additional information.


Procedure:

  1. All requests under Rights 2-7 must be logged, including:
     - the date the request was received within the organisation (not when the team responsible for satisfying the request received it),
     - the deadline for providing the data,
     - the lead manager responsible.
  2. If the request is poorly phrased the lead manager should contact the requester as soon as possible to clarify the request. This may speed up the response, & aids transparency.
  3. The request must be acknowledged.
  4. In most cases the request should be resolved within 1 month. The rules for calculating the deadline date (i.e. the meaning of ‘1 month’) are set out on each page of the ICO guidance. Arguments for extensions must be solid.
  5. In most cases a subject cannot be charged a fee.
  6. Identify the system(s) involved. Make use of the data flow maps & asset registers for the organisation. Consider any impact on other data sets & whether the exceptions for the Right in question apply to any of these. Discuss the action with system managers, who do not need to know whose record(s) are involved but should be able to comment on the impact on normal working processes. For example, deletion on one system may trigger alarms on another where there is a dependency.
  7. If it becomes apparent to the lead manager that a request will take longer than a month to resolve, then the DPO should be informed immediately. They will decide how to inform the subject, but there should not be unnecessary delay. Keeping the subject fully informed will demonstrate transparency to the ICO.
  8. If requests are frequent, e.g. weekly, then the log should be reviewed on a weekly basis. Incomplete requests with a week or less to the deadline are to be escalated to the DPO as risks.
  9. The response to the subject will be approved by the Chief Executive before it is released.
  10. Any changes to data held by TG arising from the request are to be logged, with the exception of Right 4, the Right to erasure.

Note: ‘where the request is manifestly unfounded or excessive you may charge a “reasonable fee” for the administrative costs of complying with the request.


You can also charge a reasonable fee if an individual requests further copies of their data following a request. You must base the fee on the administrative costs of providing further copies.’
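The request log that steps 1, 7, 8 and 10 of the procedure call for can be kept as a small register. The Python below is an added example, not part of this procedure document and not TG’s own system. It assumes that the statutory deadline is the corresponding calendar date in the month following receipt (or the last day of that month if there is none), which must be checked against the ICO page cited above; the reference format DSR-0001 and the manager names are constructed for the example. It implements the weekly review that escalates incomplete requests with a week or less to run, records a reason whenever a deadline is extended, and treats Right 4 specially: changes are not logged and the request record itself is purged on completion, so that nothing about the subject remains.

```python
"""Register for requests under Rights 2-7 (added example; not TG's own system)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Rights as numbered in this document.
RIGHTS = {2: "access", 3: "rectification", 4: "erasure",
          5: "restriction", 6: "portability", 7: "objection"}
ESCALATION_WINDOW = timedelta(days=7)  # step 8: "a week or less to the deadline"


def response_deadline(received: date) -> date:
    """One month from the date the request reached the organisation.

    Assumption: the corresponding calendar date in the following month, or the
    last day of that month if there is no such date (e.g. 31 Jan -> 28 Feb).
    Confirm the current rule on the ICO guidance page cited in the procedure.
    """
    year = received.year + received.month // 12
    month = received.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


@dataclass
class Request:
    ref: str                 # constructed internal reference, e.g. "DSR-0001"
    right: int               # 2..7
    received: date           # date received within the organisation (step 1)
    lead_manager: str        # lead manager responsible (step 1)
    identity_confirmed: bool = False
    acknowledged: bool = False   # step 3
    completed: bool = False
    extension_reason: Optional[str] = None
    deadline: date = field(init=False)
    changes: list[str] = field(default_factory=list)  # step 10

    def __post_init__(self) -> None:
        if self.right not in RIGHTS:
            raise ValueError("register covers Rights 2-7 only")
        self.deadline = response_deadline(self.received)

    def extend(self, new_deadline: date, reason: str) -> None:
        """Step 7: a longer timescale goes to the DPO; the argument is recorded."""
        if not reason.strip():
            raise ValueError("an extension needs a recorded reason")
        self.deadline = new_deadline
        self.extension_reason = reason

    def log_change(self, description: str) -> None:
        """Step 10: log changes to held data, except for Right 4 (erasure)."""
        if self.right == 4:
            return  # after erasure no record about the subject may remain
        self.changes.append(description)


class Register:
    def __init__(self) -> None:
        self._requests: dict[str, Request] = {}

    def add(self, req: Request) -> None:
        self._requests[req.ref] = req

    def get(self, ref: str) -> Request:
        return self._requests[ref]

    def refs(self) -> list[str]:
        return list(self._requests)

    def weekly_review(self, today: date) -> list[Request]:
        """Step 8: incomplete requests due within a week (or overdue) are
        escalated to the DPO as risks."""
        return [r for r in self._requests.values()
                if not r.completed and r.deadline - today <= ESCALATION_WINDOW]

    def close(self, ref: str) -> None:
        """Mark complete; an erasure request is purged from the register entirely."""
        req = self._requests[ref]
        req.completed = True
        if req.right == 4:
            del self._requests[ref]


if __name__ == "__main__":
    reg = Register()
    reg.add(Request("DSR-0001", 2, date(2019, 3, 1), "A. Manager"))   # constructed
    reg.add(Request("DSR-0002", 4, date(2019, 3, 20), "B. Manager"))  # constructed
    for r in reg.weekly_review(date(2019, 3, 25)):
        print(f"escalate {r.ref} ({RIGHTS[r.right]}) due {r.deadline}")
```

The review is driven by the date the request entered the organisation, not the date the responsible team saw it, which is why `received` is the only date the caller supplies and the deadline is derived from it.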


The following is taken from https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/.


The lawful basis for processing can also affect which rights are available to individuals. For example, some rights will not apply:

  2. Right: The right of access

Rationale:

Under the old DPA 1998 this was known as Subject Access Request (SAR).


Can the Controller/Processor refuse to comply?

Yes


An individual is only entitled to their own personal data, and not to information relating to other people. A record may need to be redacted to comply.


How should the Controller/Processor comply?

 ‘The GDPR requires that the information you provide to an individual is in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This will be particularly important where the information is addressed to a child.


At its most basic, this means that the additional information you provide in response to a request (see the ‘Other information’ section above) should be capable of being understood by the average person (or child). However, you are not required to ensure that the information is provided in a form that can be understood by the particular individual making the request.’


The GDPR does not require handwritten records to be made legible.


Process within TG

The subject will receive:

- confirmation that we are processing their personal data,

- a copy of their personal data,

- an explanation of terms specific to our organisation, e.g. coding schemes,

- a reminder of the scope of what can be provided,

- contact details if the subject has any further questions,

- contact details for the ICO in case of complaint.


Record any exceptional circumstances, e.g. a poorly phrased request, special media request.


ICO checklist - Complying with subject access requests

☐ We have processes in place to ensure that we respond to a subject access request without undue delay and within one month of receipt.

☐ We are aware of the circumstances when we can extend the time limit to respond to a request.

☐ We understand that there is a particular emphasis on using clear and plain language if we are disclosing information to a child.

☐ We understand what we need to consider if a request includes information about others.

  3. Right: The right to rectification

Rationale:

The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.

This right is closely linked to the controller’s obligations under the accuracy principle of the GDPR (Article 5(1)(d)).


Can the Controller/Processor refuse to comply?

In certain circumstances you can refuse a request for rectification.


How should the Controller/Processor comply?

If you receive a request for rectification you should take reasonable steps to satisfy yourself that the data is accurate and to rectify the data if necessary. You should take into account the arguments and evidence provided by the data subject.


Take care to understand whether the data were correct at the time they were recorded & have subsequently changed.

  1. If data are changed, any recipients of the data must be informed. This may happen as part of an active routine data flow, so will take place automatically, or it may require manual intervention. In either case such a data flow should already have been set out in the Privacy Notice (Right 1); it would be advisable to remind the subject that such sharing takes place.

ICO checklist - Complying with requests for rectification

☐ We have processes in place to ensure that we respond to a request for rectification without undue delay and within one month of receipt.

☐ We are aware of the circumstances when we can extend the time limit to respond to a request.

☐ We have appropriate systems to rectify or complete information, or provide a supplementary statement.

☐ We have procedures in place to inform any recipients if we rectify any data we have shared with them.

  4. Right: The right to erasure

Rationale: 

The GDPR introduces a right for individuals to have personal data erased. The right to erasure is also known as ‘the right to be forgotten’.


This right is not the only way in which the GDPR places an obligation on you to consider whether to delete personal data. e.g. when a retention period has expired.


Individuals have the right to have their personal data erased if:

- the personal data is no longer necessary for the purpose which you originally collected or processed it for;

- you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;

- you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;

- you are processing the personal data for direct marketing purposes and the individual objects to that processing;

- you have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle);

- you have to do it to comply with a legal obligation; or

- you have processed the personal data to offer information society services to a child.


Can the Controller/Processor refuse to comply?

The right is not absolute and only applies in certain circumstances. It does not apply where the processing is necessary:

- to exercise the right of freedom of expression and information;

- to comply with a legal obligation;

- for the performance of a task carried out in the public interest or in the exercise of official authority;

- for archiving purposes in the public interest, scientific research, historical research or statistical purposes, where erasure is likely to render impossible or seriously impair the achievement of that processing; or

- for the establishment, exercise or defence of legal claims.


And for special category data:

- if the processing is necessary for public health purposes in the public interest (e.g. protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or

- if the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (e.g. a health professional).


How should the Controller/Processor comply?

If TG has purged all data relating to the subject then no data of any kind may remain within the control of TG or its Processors. This includes the record of the request to erase data.


If the recipient organisation is working as part of a Controller / Processor contract, then verify the terms & conditions of that contract as to who should be informed & whether to treat the scope of the request as covering both parties.


Process within TG

  1. Identify the system(s) involved. Make use of the data flow maps & asset registers for the organisation. Consider any impact on other data sets & whether the exceptions above apply to any of these. Discuss deletion of the data with system managers, who do not need to know whose record(s) are involved, but should be able to comment on the impact of deletion on normal working processes. For example, deletion on one system may trigger alarms on another where there is a dependency.
  2. Agree a date upon which the deletion will take place & the sequence of events.
  3. Confirmation is sent to the subject, making clear that from a specific date TG will no longer hold any information on the subject, within the exceptions of this Right.
  4. The subject should also be informed of any data that have been shared with 3rd parties. Provide details of the 3rd party’s DPO to the subject. If the subject wishes for erasure from those organisations then they need to make requests to the 3rd party.

ICO checklist - Complying with requests for erasure

☐ We have processes in place to ensure that we respond to a request for erasure without undue delay and within one month of receipt.

☐ We are aware of the circumstances when we can extend the time limit to respond to a request.

☐ We understand that there is a particular emphasis on the right to erasure if the request relates to data collected from children.

☐ We have procedures in place to inform any recipients if we erase any data we have shared with them.

☐ We have appropriate methods in place to erase information.

  5. Right: The right to restrict processing

Rationale:

Individuals have the right to request the restriction or suppression of their personal data.


When processing is restricted, you are permitted to store the personal data, but not use it.


This right has close links to the right to rectification (Article 16) and the right to object (Article 21).


Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction. This may be because they have issues with the content of the information you hold or how you have processed their data. In most cases you will not be required to restrict an individual’s personal data indefinitely, but will need to have the restriction in place for a certain period of time.


There are strong connections between this Right & those of rectification & objection.


Can the Controller/Processor refuse to comply?

This is not an absolute right and only applies in certain circumstances, namely where:

- the individual contests the accuracy of their personal data and you are verifying the accuracy of the data;

- the data has been unlawfully processed (i.e. in breach of the lawfulness requirement of the first principle of the GDPR) and the individual opposes erasure and requests restriction instead;

- you no longer need the personal data but the individual needs you to keep it in order to establish, exercise or defend a legal claim; or

- the individual has objected to you processing their data under Article 21(1), and you are considering whether your legitimate grounds override those of the individual.


How should the Controller/Processor comply?

As a matter of good practice you should automatically restrict the processing whilst you are considering its accuracy or the legitimate grounds for processing the personal data in question.


Under this Right, TG can decide to lift a restriction once a rectification or objection request is complete.


Ways to restrict processing could include temporarily moving the data to another system, or locking the records from routine user access.


Process within TG

  1. Once the systems within scope have been identified, confirm their capability to restrict processing. Any exceptions are to be reported promptly to the DPO, as this will impact TG’s ability to comply with the law. Restriction of processing may impact other systems.
  2. The subject should be involved in discussions as soon as possible – to ensure that they understand the impact of the change, & the duration of the restriction.
  3. Agree a date with system managers upon which the action will be completed.
  4. Inform the subject of the implementation & duration.
  5. Close to the end of the restriction period inform the subject of that fact.

ICO checklist - Complying with requests for restriction

☐ We have processes in place to ensure that we respond to a request for restriction without undue delay and within one month of receipt.

☐ We are aware of the circumstances when we can extend the time limit to respond to a request.

☐ We have appropriate methods in place to restrict the processing of personal data on our systems.

☐ We have appropriate methods in place to indicate on our systems that further processing has been restricted.

☐ We understand the circumstances when we can process personal data that has been restricted.

☐ We have procedures in place to inform any recipients if we restrict any data we have shared with them.

☐ We understand that we need to tell individuals before we lift a restriction on processing.

  6. Right: The right to data portability

Rationale:

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. Doing this enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.


The right only applies to information an individual has provided to a controller.


Thus data from other sources are not in scope.


Can the Controller/Processor refuse to comply?

The right to data portability only applies when:

  • your lawful basis for processing this information is consent or for the performance of a contract; and
  • you are carrying out the processing by automated means (i.e. excluding paper files).

How should the Controller/Processor comply?

If a subject does not specify a format for the data extract it should be discussed with them.


The data may be provided direct to the subject, or transmitted by secure means to a location specified by the subject.


Some organisations in the UK already offer data portability through midata and similar initiatives which allow individuals to view, access and use their personal consumption and transaction data in a way that is portable and safe.


You should however note that … ‘inferred’ or ‘derived’ data is personal data, so you still need to provide it to an individual if they make a subject access request. Bearing this in mind, if it is clear that the individual is seeking access to the inferred/derived data as part of a wider portability request, it would be good practice to include this data in your response.


The right to data portability only applies to personal data. This means that it does not apply to genuinely anonymous data. However, pseudonymous data that can be clearly linked back to an individual (e.g. where that individual provides the respective identifier) is within scope of the right.


Multiple subjects may be involved, e.g. a joint bank account, so approval of all parties should be sought.


Process within TG

  1. Having identified the system(s) involved, the mechanism(s) for the data extraction & export format are confirmed.
  2. The subject will be informed of the intended date of data extract or transmission.

ICO checklist - Complying with requests for data portability

☐ We can transmit personal data in structured, commonly used and machine readable formats.

☐ We use secure methods to transmit personal data.

☐ We have processes in place to ensure that we respond to a request for data portability without undue delay and within one month of receipt.

☐ We are aware of the circumstances when we can extend the time limit to respond to a request.

  7. Right: The right to object

Rationale:

The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.


Individuals have an absolute right to stop their data being used for direct marketing.


In other cases where the right to object applies you may be able to continue processing if you can show that you have a compelling reason for doing so.


You must tell individuals about their right to object.


Individuals can also object if the processing is for:

  • a task carried out in the public interest;
  • the exercise of official authority vested in you; or
  • your legitimate interests (or those of a third party).

In these circumstances the right to object is not absolute.


Can the Controller/Processor refuse to comply?

An individual can also object where you are relying on one of the following lawful bases:

  • ‘public task’ (for the performance of a task carried out in the public interest),
  • ‘public task’ (for the exercise of official authority vested in you), or
  • legitimate interests.

An individual must give specific reasons why they are objecting to the processing of their data. These reasons should be based upon their particular situation.


In these circumstances this is not an absolute right, and you can continue processing if:

  • you can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
  • the processing is for the establishment, exercise or defence of legal claims.

How should the Controller/Processor comply?

Provide the means for a subject to object, either by a form on TG’s web page or by a contact address. The web page & privacy notice should make clear the scope & limitations of the right to object.


Process within TG

  1. Consider whether processing should be restricted while an objection is active. This will depend upon the other aspects of the objection, i.e. to erase, correct, cease processing.

ICO checklist - Complying with requests which object to processing

☐ We have processes in place to ensure that we respond to an objection without undue delay and within one month of receipt.

☐ We are aware of the circumstances when we can extend the time limit to respond to an objection.

☐ We have appropriate methods in place to erase, suppress or otherwise cease processing personal data.

  8. Right: Rights in relation to automated decision making and profiling.

Rationale:

The GDPR applies to all automated individual decision-making and profiling. Article 22 of the GDPR has additional rules to protect individuals if you are carrying out solely automated decision-making that has legal or similarly significant effects on them.


You can only carry out this type of decision-making where the decision is:

- necessary for the entry into or performance of a contract; or

- authorised by Union or Member state law applicable to the controller; or

- based on the individual’s explicit consent.


How should the Controller/Processor comply?

You must be aware of your processes & whether any processing falls under this Right. Refer to TG’s Data flow mapping & Asset Register, as they should contain sufficient detail on the nature of the processing.


TG must pro-actively notify data subjects (e.g. via the privacy notice under Right 1) if processing of this nature takes place.


Can the Controller/Processor refuse to comply?

No


ICO checklist – see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/rights-related-to-automated-decision-making-including-profiling/ for checklists relating to:

- all automated individual decision-making and profiling, and

- solely automated individual decision-making, including profiling with legal or similarly significant effects (Article 22).

IG Smart Ltd

2019


References

ICO - Individual rights

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/


GDPR

http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679

Key Articles of the GDPR

Article 13 The right to be informed

Article 15 Right of access by the data subject

Article 16 Right to rectification

Article 17 Right to erasure (‘right to be forgotten’)

Article 18 Right to restriction of processing

Article 20 Right to data portability

Article 21 Right to object

Article 22 Automated individual decision-making, including profiling


Data Protection Act 2018

http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted