Scribd
Upload
146 views

Data Subject Access Request Template

The document provides guidance on handling subject access requests. It outlines steps for receiving, acknowledging, searching for, and responding to requests as well as considering third party data and data destruction.

Uploaded by

Shah Khan
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
146 views

Data Subject Access Request Template

The document provides guidance on handling subject access requests. It outlines steps for receiving, acknowledging, searching for, and responding to requests as well as considering third party data and data destruction.

Uploaded by

Shah Khan
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 5

Subject Access

Requests

1
© Distributed by Resilify.io under a Creative Commons Share Alike License.
Document Information
Version Control
Owner Version Edited By Date Change History
User 1 Resilify.io DD/MMM/YYYY First Draft

Distribution
Held Format Location Comments
By
User Digital / Physical

Status
X Status Approved By Date
X Draft DD/MM/YYYY
Final Draft
Published
Withdrawn

Classification
X Confidential
Restricted
Unclassified

Relevance to Standard

Standard Clause Title

Data Protection Act 2018 NA NA

License

Licensed by Assent Risk Management via Resilify.io Under a Creative Commons Share Alike License.

2
© Distributed by Resilify.io under a Creative Commons Share Alike License.
Contents

Document Information_____________________________________________________________________________2
Contents_______________________________________________________________________________________________3
Policy Content________________________________________________________________________________________4
Introduction__________________________________________________________________________________________4
Receiving a Request__________________________________________________________________________________4
Acknowledging a Request___________________________________________________________________________4
Searching for PII______________________________________________________________________________________4
Third Party Data within the Data You Find_______________________________________________________5
Response______________________________________________________________________________________________5
Data Destruction_____________________________________________________________________________________5

3
© Distributed by Resilify.io under a Creative Commons Share Alike License.
Policy Content
More information on the right to access is available at the ICO Website.

Introduction
Any written request for personal information - by a customer for their information or a
member of staff – should be processed in accordance with data protection
legislation.

This document is designed to help you through the process.

Receiving a Request
The General Data Protection Regulations require responses to data subject access
requests within 28 days.

This time begins on receipt of the request.

Data Subject Access Requests should be passed to the Data Protection Officer
(DPO) or the person responsible for Data Protection as soon as possible.

Acknowledging a Request
The person responsible for Data Protection will evaluate whether there is enough
information to fulfil the access requests including:

 Can the data subject be identified?


 Is it the data subject making the request?
 Does the requester have the legal right?

If more information is required, this will be requested in writing. Regardless, all


requests will be acknowledged in writing.

Searching for PII


All systems will be searched for the data subject’s information.

 [ Insert list of Systems ]


 [ Insert Data Register ]

4
© Distributed by Resilify.io under a Creative Commons Share Alike License.
Search through all systems for information.

Then go through all the documents to extract the personal information to be


disclosed, including expressions of opinion.

DO NOT provide the whole document, but only the relevant data within those
documents.

Third Party Data within the Data You Find

Any data about someone other than the data subject is considered a third party.

IF third party data cannot be deleted from the data without destroying the data itself
consent from the third-party will be obtained.

Response
The Response to the Data Subject Access Request will include:
 What is being disclosed,
 How the organisation came to hold that data,
 All data that is possible to disclose under the legislation.
 The option to review with the company if the data subject believes not all
data has been disclosed.
 A reminder that the data subject may contact the ICO.

Data Destruction
If the data subject requests the deletion of their data, the organisation’s data
destruction procedure will be followed.

There may be a legal basis to retain some personal information even where the data
subject has asked for it to be deleted.

5
© Distributed by Resilify.io under a Creative Commons Share Alike License.

You might also like