The EU General Data Protection Regulation 2016/679 ("GDPR") gives individuals (otherwise referred to as Data Subjects) the right of access to their Personal Data. In general, Cornerstone Collective’s Data Subjects may include employees, job applicants, covenant members, non-member congregation attendees, event (regular or non-regular) attendees or suppliers. A Data Subject can send Cornerstone Collective a ‘Subject Access Request’ (commonly referred to as an "SAR") in writing requiring Cornerstone Collective to provide details about the personal data that is held about them, and to provide them with a copy of that information.
This document provides details on how to deal with such requests, with standard letters attached that should be used in the event of a request.
Cornerstone Collective must respond to a valid Subject Access Request within 1 (one) calendar month of receiving it.
It should be noted that this process applies when Cornerstone Collective is the Data Controller. In most instances this is the case.
Where Cornerstone Collective has acted as the Data Processor, the request should be referred to the relevant Data Controller, and the requestor should be notified of this in writing.
- 4.1. What is a valid Subject Access Request?
A valid SAR must:
- be for a Data Subject (even if it is made by a third party on the Data Subject's behalf)
- provide/contain sufficient information to verify the identity of the Applicant (e.g. a driving license or passport) and their authority to make the SAR
- be made in writing (e.g. letter, email, fax, etc.)
Please note that, apart from being in writing, there is no particular format in which a SAR must be submitted by the Data Subject (or by a requestor on their behalf). It is important to remember that all requests received must be examined, and that it is the responsibility of Cornerstone Collective to proactively assist the Data Subject in exercising their right of access to their personal data.
Where Cornerstone Collective is the Data Controller, the Data Subject should be given access to the personal data Cornerstone Collective holds about them, along with the following information:
- the reasons why their personal data is being processed/stored
- copies (be it physical or electronic) of the personal data stored for that individual Data Subject (only)
- the categories of personal data that are being processed/stored
- if applicable, the length of time for which their personal data will be stored, and in any case the justification for this time period
- details of any third parties that their information has been disclosed to
- details of the Data Subject’s rights (in line with GDPR), such as the right to erasure and their right to make a complaint to the Information Commissioner’s Office if they feel aggrieved by any of the information provided
- 4.2. Who should a SAR be sent to (internally) and who should process the request?
If a SAR is received it should be sent to the Operations Pastor immediately. In his absence, send it to the Director of Cornerstone Collective.
The Operations Pastor (or assigned deputy) can either complete the requirements of the SAR himself or assign this to be completed by another individual. In the latter case, the individual completing the request will be known as the ‘Nominated Person’.
The Nominated Person will ensure that an adequate data search is carried out and will collate the relevant data. He/she will prepare a response to the Applicant and will consider whether any information needs to be withheld or redacted.
It should be noted that, in the event that someone other than the Operations Pastor is nominated to process the SAR, it should be someone who would have access to much of the requested data: an Elder of Cornerstone Church or a Trustee.
- 4.3. Time period for completion
Under GDPR the statutory time limit to comply with and respond to a SAR is 1 (one) calendar month from receipt of the SAR. However, the 1 month period should not commence until the following have been established:
- the identity of the Data Subject must be confirmed. This could be by some form of ID, for example a current driving license, utility bill or passport
- that the scope of the request is clear and concise. If the scope is unclear, the Data Subject should be contacted to confirm it
- that, if the person submitting the SAR is not the Data Subject, written authority from the Data Subject authorising the disclosure of their personal data has been provided to Cornerstone Collective
- that, if the request is of a legal nature or comes from an authority (e.g. a court order), certification of this formal request has been received.
If the SAR is not likely to be completed within the 1 month statutory time limit, the requestor must be notified in writing of the reasons why by the Nominated Person, under the authorisation of the Operations Pastor (or assigned deputy).
- 4.4. Processing a SAR
Upon receipt of a SAR, the Nominated Person dealing with the request must send a letter to the applicant acknowledging the request (see Appendix A for a template).
The letter must indicate the timescale within which the requestor is likely to receive a response; this must be within the 1 month time limit.
If further information is required to complete the SAR, for the reasons stated in section 4.3, this letter is the opportunity to request it from the applicant.
If the applicant is not the Data Subject and the SAR does not include the written authority from the Data Subject together with confirmation of the Data Subject's identity (see section 4.3), the applicant should be written to stating that confirmation of the validity of the request and of the Data Subject's identity will be required (under GDPR) before the SAR can be accepted by Cornerstone Collective, and that the 1 month time limit will not begin until this has been received.
- 4.5. Searching for records
In line with the Data Protection Act (1998) and GDPR legislation, it is essential that all data records for that particular Data Subject are disclosed as part of the SAR response; see section 4.6 for exemptions. With that in mind, the Nominated Person may require the assistance of other person(s) within Cornerstone Collective to access particular data sets. In such cases assistance should be granted. In the unlikely event that escalation is required, the Nominated Person (if not the Operations Pastor) should refer the issue to the Operations Pastor.
Please note that under GDPR both physical and electronic information (including e-mails) can be requested, and all reasonable methods and efforts should be used to locate any personal data held on the Data Subject.
- 4.6. Exemptions from disclosure
There are exemptions from disclosure that Cornerstone Collective could invoke; however, exemptions are open to interpretation. Where there is reasonable justification that a data record should be exempt from disclosure, legal guidance should be sought or the ICO should be contacted (www.ico.org.uk).
- 4.7. Response and completion of a SAR
When all the requested data records have been collated and any required redactions completed, the information should be reviewed by the Operations Pastor. A copy of the information gathered should be copied onto an encrypted USB stick, along with a covering letter (as per the template given in Appendix B), and sent to the SAR requestor via recorded delivery.
Note: if the Operations Pastor is the person processing the SAR, the response should instead be reviewed by a Lead Pastor.
Any abbreviations used in any of the data records should be explained in the response letter.
The response should be sent within 1 month of the SAR being made, except in the exceptional circumstances stated in section 4.4.