Subject Access Request Policy
1. Statement of Policy
In the course of business, Knox captures personal data about its beneficiaries, donors, employees, members, other eligible parties, suppliers and volunteers. Knox regards the proper treatment of such data as critical to its effectiveness and to maintaining confidence between Knox and those with whom it works. In light of this, Knox is fully committed to abiding not only by the letter but also by the spirit of Data Protection Legislation and, in particular, is committed to observing the highest standard of conduct mandated by that legislation.
This policy informs you of your rights, under article 15 of the GDPR, when requesting copies of your information from Knox, why Knox need to verify who you are and what you should expect Knox to provide to you. It also describes how you can go about making a Subject Access Request.
2. Why Knox may ask you for further information
You can request copies of your information in any reasonable way you would like, by contacting Knox online, by email or over the phone. Contact details can be found at the end of this document.
In order to deal with your request, Knox must be able to identify your records with absolute certainty. This may mean Knox ask you to supply additional information, including but not limited to: date of birth, postal address, email address and postcode.
Subject access is not in itself an objection to processing and so in processing your request Knox may continue to record further information, specifically that a request has been made and what information was provided.
3. Why does Knox have my personal information?
You provide information directly when you:
- enquire about Knox’s services
- communicate with Knox through our website
4. Your rights
As defined in article 15 of the GDPR:
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
The Data Protection Representative shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, Knox may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
The right to obtain a copy referred to shall not adversely affect the rights and freedoms of others.
5. How Knox will carry out your request
No two Subject Access Requests will be the same. Below are the important points for you to consider. Should anything else reveal itself during the course of the request, Knox will contact you directly:
- Knox are required to provide you with a copy of your information within 1 month of a valid request
- In circumstances where Knox cannot meet this deadline, Knox will notify you within that month, providing an explanation for the delay and a realistic estimate of when you should expect the information. This must be no longer than 3 months from the valid request being made
- Unless they give consent, any third party information contained within your information will be redacted
- Where requests are excessive or frequent, Knox reserve the right, in line with legislation, to charge a reasonable fee to cover the costs of providing the information. Knox will tell you this at the outset
- Knox will retain a copy of your subject access for 6 months from providing it to you, after which it will be destroyed. The original information from which it was sourced will remain in those original systems until such time as Knox’s retention schedule dictates that it should be destroyed.
- It may be necessary for other members of Knox staff to assist our Data Protection Representative with your request. All of our staff have up to date training in data protection, which is refreshed annually. They have also signed confidentiality agreements.
6. How to make a subject access request or contact us if you suspect inaccuracies in the information Knox holds.
To make a subject access request, please contact us in writing.
If you are unhappy with the way your subject access has been carried out or the accuracy of the final content, you can raise these concerns by contacting Knox’s Data Protection Representative at:
Paul Silcox
Knox Cyber Security
8 Caroline Point
62 Caroline Street
Birmingham
B3 1UF
Telephone: 01215 170058
Email: privacy@information-assurance.co.uk
If you are still unhappy with the outcome and would like to complain to the ICO, then you can do so at:
The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
www.ico.org.uk/make-a-complaint/
7. This policy is regularly reviewed.
Any amendments will be posted as revised copies which can be found here.