Subject Access Request
OUR PROCESS MAP IN TERMS OF GDPR
The flow chart below sets out the steps that will be followed each time a subject access request is received by Mobivate. Further commentary in respect of each of those steps is set out below the flow chart.
Note: from the date of receipt, Mobivate has one month within which to respond to the subject access request. Mobivate is not entitled to, and will not, charge for responding to a subject access request, although see the further comments at Step 6 on requests that are manifestly unfounded or excessive.
Step 1 – Log subject access request
Mobivate will maintain a log of the subject access requests it receives, recording the date on which each request is received, the date on which the final response is sent, and any intermediate steps taken before the final response (for example, a request for proof of identity or for further information about the data sought). If Mobivate fails to respond to a request within the GDPR timescales, this will be noted in the log together with an explanation of the failure and the steps taken to avoid a recurrence.
Step 2 – Acknowledge receipt
Mobivate will acknowledge receipt of the subject access request (although this is not strictly necessary).
Step 3 and 3a – Confirm whether further proof of identification of data subject is required
Mobivate will only respond to a subject access request once it is confident of the identity of the applicant, since disclosing personal data to the wrong person would itself be a personal data breach. Mobivate will be reasonable in what it asks for and will not ask for a significant amount of extra information if the identity of the person making the request is obvious, which is more likely where Mobivate has an ongoing relationship with that person. If, for example, an existing employee makes the request, it is likely that Mobivate will be able to confirm their identity easily (the ICO would not react well to an attempt to delay the process by asking for further proof of identity). If, however, Mobivate receives a request from a customer it has not previously dealt with, or the customer's email address or postal address has changed since its last dealings with them, it may seek further proof of identity such as a recent utility bill or a copy of a driving licence or passport, and will send the response to contact details it has verified rather than to an unverified new address. In this scenario, the one month period to respond will commence only once Mobivate has received the proof of identity. Where proof of identity is needed, Mobivate will ask for it promptly and will not use the request as a means of delaying the response.
Step 4 and 4a – Confirm whether further information is required to respond to the request
Mobivate is entitled to ask for further information it reasonably needs in order to comply with the request, although it will not delay responding to a subject access request unless it genuinely requires more information to locate the data in question. Mobivate will not require the applicant to narrow the scope of the request (they are entitled to ask for all the information Mobivate holds about them), but it may ask them to provide some context around the information they are seeking, such as relevant dates or whether they want a particular document or type of document (for example, a letter, email or application form), which may help Mobivate locate the data.
Mobivate will not delay in asking for further information and will be clear about what details it needs. Provided Mobivate does that, and genuinely needs the additional information in order to comply (rather than using the request as a tactic to extend the timescale), the one month period will begin when it receives the information.
Step 5 – Collate relevant information
Collating all the relevant information will usually be the most time consuming task. Consideration will be given to which departments may hold personal data about the data subject and whether that data can be accessed centrally by (for example) the legal or IT team.
Examples of the current systems / locations that will need to be searched are set out below:
- Online storage (OneDrive)
- Cloud servers (e.g. Amazon Web Services)
- Archived records (e.g. medical records or message logs)
- Office areas / desks
- Paper files / general correspondence
Consideration will be given to how to search for the data. For example, does the data subject use a username, an alternative name or another identifier which would also need to be searched?
Step 6 – Consider exemptions
Under GDPR, member states are entitled to restrict the application of individuals’ rights (including subject access requests). The Data Protection Bill (which will implement GDPR in the UK) is currently going through Parliament. The current draft text entitles a data controller to restrict subject access requests to the extent that the restriction is (having regard to the fundamental rights and legitimate interests of the data subject) necessary and proportionate to:
- avoid obstructing an official or legal inquiry, investigation or procedure;
- avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
- protect public security;
- protect national security; and
- protect the rights and freedoms of others.
These are relatively narrow in scope but Mobivate will bear them in mind when responding to a subject access request.
If a request is manifestly unfounded or excessive (in particular because of its repetitive character, for example where it repeats a request that has recently been answered), Mobivate may charge a reasonable fee or refuse to act on the request, but Mobivate will have to demonstrate that the request is unfounded or excessive. If Mobivate processes a large volume of data about the individual making the request, it is entitled to ask the data subject to specify the information or processing activities to which the request relates (as referred to at Step 4).
Step 7 – Redact personal data of other data subjects
If personal data relating to other individuals is included in the documents to be provided in response to the subject access request, it will need to be redacted. Mobivate could alternatively obtain the consent of those other individuals to the disclosure of their personal data, but that may be more time consuming than redaction. Redaction will be carried out so that the removed information cannot be recovered from the copy supplied: in an electronic document the text will be removed rather than merely obscured, and the document's metadata will be checked before release.
Step 8 – Respond to data subject
In some cases, the data subject may request a copy of their personal data only. They are entitled, however, to also request the following information:
- the purposes of and legal basis for the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data has been disclosed (including recipients or categories of recipients in third countries or international organisations);
- the period for which it is envisaged that the personal data will be stored or, where that is not possible, the criteria used to determine the retention period;
- the existence of the data subject’s rights to request from the controller:
  - rectification of personal data, and
  - erasure of personal data or the restriction of its processing;
- the existence of the data subject’s right to lodge a complaint with the Information Commissioner and the contact details of the Information Commissioner; and
- communication of the personal data undergoing processing and any information about its origin.
If the above information is requested in the subject access request, it will be provided.
Step 9 – Log completion of subject access request
See the comments at Step 1 for the information that will be recorded. Mobivate will keep a copy of the information provided until it has confirmation from the data subject that they do not require anything further, or for a period of 6 months from completion of the request, whichever is the earlier.
Contact Information – firstname.lastname@example.org