The Regulation states that personal data shall be:
- Processed fairly, lawfully and in a transparent manner in relation to the data subject. We will tell you clearly how your data will be processed.
- Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with those purposes (purpose limitation). We will always ensure we are processing your data appropriately.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation). We won't collect more personal data than we need to carry out the task.
- Accurate and, where necessary, kept up to date. We will take reasonable steps to ensure inaccurate data is rectified or deleted without delay.
- Kept in a form that permits identification of the data subjects for no longer than is necessary for the purposes for which the personal data are processed. We may store your personal data for longer periods but we will ensure we have a legal purpose for this, such as for archiving purposes in the public interest, scientific, or historical research purposes. Or statistical purposes subject to implementation of appropriate technical and organisational measures required by the Regulation in order to safeguard your rights.
- Processed in a way that ensures appropriate security of the personal data. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. (integrity and confidentiality).
- The controller shall be responsible for, and be able to demonstrate compliance with the principles (accountability).
Applications for personal information – Subject Access Requests
Under the “Right of Access of the Data Subject”, you are entitled to request a copy of the information we are processing about you. You are only entitled to your own personal data, and not to information relating to other people (unless you are acting on behalf of that person). This is known as a Subject Access Request (SAR).
Unless there is an applicable exemption, you are entitled to be given information on:
- Whether your personal data is being processed.
- The purposes of the processing.
- The types of personal data being processed.
- A copy of your personal data being processed.
- The recipients or categories of recipients your data will be disclosed to. This includes countries outside of the EU and the appropriate safeguards in place to protect your data.
- Where possible, the envisaged period of time your data will be stored and processed.
- The right to request rectification, erasure or restriction of the processing of your personal data.
- The source of your data, if it has not been collected directly from you.
- The existence of automated decision making, including profiling.
Please note that should another person request information about you, unless specifically allowable under the Freedom of Information Act (FOIA) or Data Protection Regulation (normally for other legislative purposes), their request is likely to be refused under Section 40 personal information exemption under the FOIA.
We will respond to your request within 30 calendar days of receipt of your request and confirmation of your identification. There is no charge for a SAR.
How to make a Subject Access Request
SARs should be in writing and can be submitted by letter or email. So that we can respond fully, your request must include your name and correspondence address (email address where applicable). Please provide us with as much detail as possible on the information you require. This will enable us to identify the information requested.
Before responding to your SAR, we will require proof of identity to ensure that we do not release the information to anybody else other than you. If information is required in a particular format, for example, a photocopy or electronic copy, please state this in your request.
If we need more information from you to help us find your information or identify you, we will ask you for further information. The 30-day timescales will commence once we are satisfied we have all the necessary identification and information to respond to your request.
Subject Access Requests should be addressed to:
The Data Protection Officer
Customer Service Centre
Or email our Data Protection Officer at DPO@os.uk
If, for any reason, you are unhappy with our response to your SAR, please contact the Data Protection Officer to discuss your concerns.
Following this, if you are still dissatisfied with the outcome, you have the right to appeal our decision directly to the Information Commissioner’s Office at the contact details below. The Information Commissioner’s Office will assess whether they wish to take further action.
Request a review by the Information Commissioner on the ICO website or by calling 0303 123 1113.