Under the General Data Protection Regulations (GDPR), individuals have the right to access their personal data. This is commonly referred to as a Subject Access Request. It gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why NACCC are using their data, and check we are doing it lawfully.
An individual is entitled to: –
- confirmation that we are processing their personal data;
- a copy of their personal data; and
- other supplementary information – this largely corresponds to the information that we provide in our privacy notice.
An individual is only entitled to their own personal data, and not to information relating to other people (unless the information is also about them or they are acting on behalf of someone). Therefore, we may need to take steps to establish whether the information requested falls within the definition of personal data.
An individual can request access to their personal data by either writing to:
5 Russell Place
or emailing – firstname.lastname@example.org
Requests will be responded to within one month from the day after receipt of the request. E.g. The request is made on 3 September we will respond by 4 October.
There is no charge unless the request is manifestly unfounded or excessive, we may charge a “reasonable fee” for the administrative costs of complying with the request.
If we have any doubts about the identity of the person making the request we may ask for further information to confirm the identity.
GDPR does not prevent an individual making a subject access request via a third party. Often, this will be a solicitor acting on behalf of a client, but it could simply be that an individual feels comfortable allowing someone else to act for them. In these cases, we need to be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney.
Even if a child is too young to understand the implications of subject access rights, it is still the right of the child rather than of anyone else such as a parent or guardian. So it is the child who has a right of access to the information held about them, even though in the case of young children these rights are likely to be exercised by those with parental responsibility for them.
Before responding to a subject access request for information held about a child, we will consider whether the child is mature enough to understand their rights. If we are confident that the child can understand their rights, then we will respond directly to the child. We may, however, allow the parent to exercise the child’s rights on their behalf if the child authorises this, or if it is evident that this is in the best interests of the child.
What matters is that the child is able to understand (in broad terms) what it means to make a subject access request and how to interpret the information they receive as a result of doing so. When considering borderline cases, we will take into account, among other things:
- the child’s level of maturity and their ability to make decisions like this;
- the nature of the personal data;
- any court orders relating to parental access or responsibility that may apply;
- any duty of confidence owed to the child or young person;
- any consequences of allowing those with parental responsibility access to the child’s or young person’s information. This is particularly important if there have been allegations of abuse or ill treatment;
- any detriment to the child or young person if individuals with parental responsibility cannot access this information; and
- any views the child or young person has on whether their parents should have access to information about them.
Responding to a subject access request may involve providing information that relates both to the individual making the request and to another individual.
The Data Protection Bill says that we do not have to comply with the request if it would mean disclosing information about another individual who can be identified from that information, except if:
- the other individual has consented to the disclosure; or
it is reasonable to comply with the request without that individual’s consent.
- In determining whether it is reasonable to disclose the information, we will take into account all of the relevant circumstances, including:
the type of information that we would disclose;
any duty of confidentiality we owe to the other individual;
any steps we have taken to seek consent from the other individual;
whether the other individual can give consent; and
any express refusal of consent by the other individual.