As part of our commitment to the GDPR, we will assist you with any data subject access requests you receive, or we receive on your behalf.
Here's our DSAR Policy in full:
1. WHO THIS POLICY APPLIES TO
1.1 This policy only applies to data subjects whose personal data we process on behalf of employers when providing our services.
1.2 “personal data” means any information relating to an identified or identifiable data subject. An identifiable data subject is anyone who can be identified, directly or indirectly, by reference to an identifier, such as a name, identification number or online identifier.
1.3 “processing” means any operation or set of operations that is performed on personal data, such as collection, use, storage, dissemination and destruction.
1.4 Data subjects have certain rights in respect of their personal data that we must respect when we process a data subject’s personal data on behalf of employers.
1.5 This policy sets out how to respond to a data subject request, when asked to do so by the employer.
2. RESPONDING TO A DIRECT REQUEST FROM A DATA SUBJECT
2.1 Data subjects have the right to request access to their personal data from a data controller. This is known as a subject access request (“SAR”).
2.2 When a data subject makes a SAR to us directly we shall:
• log the date on which the SAR was received (to ensure that the relevant time frame of one month for responding to the request is met);
• refer the data subject to the employer, who is the controller and is responsible for responding to the SAR, unless we are required by applicable law or a court order to respond directly to the data subject. In such circumstances we shall apply the same principles to the SAR as set out below in this policy.
3. ASSISTING AN EMPLOYER WITH A DATA SUBJECT REQUEST
3.1 We must assist the employer by providing the information the employer needs to respond to the SAR.
3.2 Before providing any assistance we shall:
• confirm the identity of both the employer and the data subject who is the subject of the personal data. For example, we may request additional information from the employer and the data subject to confirm their identity;
• search our databases, systems, applications and other places where the personal data which are the subject of the SAR may be held; and
• confirm to the employer whether or not personal data of the data subject making the SAR are being processed.
3.3 If we are processing personal data of the data subject, we shall provide the employer with the following information in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in writing or by other (including electronic) means:
• the purposes of the processing;
• the categories of personal data concerned (for example, contact details, bank account information and details of sales activity);
• the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients overseas (for example, US-based service providers);
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data or to object to such processing;
• the right to lodge a complaint with the Information Commissioner’s Office (ICO);
• where the personal data are not collected from the data subject, any available information as to their source;
• the existence of automated decision-making and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject; and
• where personal data are transferred outside the EU, details of the appropriate safeguards to protect the personal data.
3.4 Unless an exemption under section 4 below applies, we shall provide the employer with:
• a copy of the personal data processed by us in a commonly used electronic form (unless the data subject either did not make the request by electronic means or has specifically requested not to be provided with the copy in electronic form) within one month of receipt of the request. If the request is complex, or there are a number of requests, we may extend the period for responding by a further two months. If we extend the period for responding we shall inform the employer within one month of receipt of the request and explain the reason(s) for the delay.
3.5 Before providing the personal data to the employer we shall:
• review the personal data requested to see if they contain the personal data of other data subjects. If they do, we may redact the personal data of those other data subjects prior to providing the requesting data subject’s personal data, unless those other data subjects have consented to the disclosure of their personal data.
3.6 Where a request is manifestly unfounded or excessive, in particular because of its repetitive character, we may charge the employer a reasonable fee, taking into account the administrative costs of providing the personal data, or refuse to act on the request.
3.7 If we are not going to provide any information in relation to the SAR we shall:
• inform the employer of the reason(s) for not taking action and of the possibility of lodging a complaint with the ICO.
4. EXEMPTIONS
4.1 Before responding to any request for information we shall check whether there are any exemptions that apply to the personal data that are the subject of the request. Exemptions may apply where it is necessary and proportionate not to comply with the requests described above to safeguard:
• national security;
• public security;
• the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
• other important objectives of general national public interest, in particular an important national economic or financial interest, including monetary, budgetary and taxation matters, public health and social security;
• the protection of judicial independence and judicial proceedings;
• the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
• a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority as set out above;
• the protection of the data subject or the rights and freedoms of others; or
• the enforcement of civil law claims.
5. HOW DATA IS TO BE PROVIDED TO EMPLOYERS
5A. RECTIFICATION
Data subjects have the right to have their inaccurate personal data rectified. Rectification can include having incomplete personal data completed, for example, by a data subject providing a supplementary statement regarding the data. Where such a request is made, unless an exemption under section 4 applies, we shall:
• rectify the personal data without undue delay;
• communicate the rectification of the personal data to each recipient to whom the personal data have been disclosed (for example, our third party service providers who process the data on our behalf), unless this is impossible or involves disproportionate effort; and
• inform the employer about those recipients if the employer requests this.
5B. ERASURE
Data subjects have the right, in certain circumstances, to request erasure of their personal data (the “right to be forgotten”). Where such a request is made, unless there is an exemption under section 4, personal data should be erased without undue delay if:
• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• the data subject withdraws their consent to the processing of their personal data and consent was the basis on which the personal data were processed and there is no other legal basis for the processing;
• the data subject objects to the processing of their personal data carried out on the basis of our performance of a task in the public interest or in the exercise of official authority vested in us, or on the basis of our legitimate interests, unless we can either show compelling legitimate grounds for the processing which override the data subject’s interests, rights and freedoms, or we are processing the data for the establishment, exercise or defence of legal claims;
• the data subject objects to the processing of their personal data for direct marketing purposes;
• the personal data have been unlawfully processed;
• the personal data have to be erased for compliance with a legal obligation to which we are subject; or
• the personal data have been collected in relation to the offer of e-commerce or other online services directly to a child.
If the personal data are not erased, we shall inform the employer of the reasons for not taking action. In addition to the exemptions in section 4, we can also refuse to erase the personal data to the extent processing is necessary:
• for exercising the right of freedom of expression and information;
• for compliance with a legal obligation which requires processing by law and to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
• for reasons of public interest in the area of public health;
• for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
• for the establishment, exercise or defence of legal claims.
5C. RESTRICT THE PROCESSING
Data subjects have the right, unless there is an exemption in section 4, to restrict the processing of their personal data if:
• the data subject contests the accuracy of the personal data, for a period to allow us to verify the accuracy of the personal data;
• the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
• we no longer need the personal data for the purposes for which we collected them, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
• the data subject has objected to the processing, pending verification of whether we have legitimate grounds to override the data subject’s objection.
Where processing has been restricted, we shall only process the personal data (other than storing them):
• with the data subject’s consent;
• for the establishment, exercise or defence of legal claims;
• for the protection of the rights of another person; or
• for reasons of important public interest.
Prior to lifting the restriction, we shall inform the employer of the lifting of the restriction.
We shall communicate the restriction of processing of the personal data to each recipient to whom the personal data have been disclosed, unless this is impossible or involves disproportionate effort. We shall also inform the employer about those recipients if the employer requests it.
5D. DATA PORTABILITY
Data subjects have the right, in certain circumstances, to receive the personal data that they have provided to a data controller in a structured, commonly used and machine-readable format, which they can then transmit to another controller. Where such a request is made, unless there is an exemption in section 4, we shall provide the personal data without undue delay if:
• the legal basis for the processing of the personal data is consent or pursuant to a contract; and
• our processing of those data is automated.
5E. OBJECTIONS TO THE PROCESSING
Data subjects have the right to object to the processing of their personal data where such processing is carried out on the basis of the performance of a task in the public interest or in the exercise of official authority vested in us, or on the basis of our legitimate interests. Where such an objection is made, we shall, unless there is an exemption in section 4, no longer process the data subject’s personal data unless we either:
• can show compelling legitimate grounds for the processing which override those interests, rights and freedoms; or
• are processing the personal data for the establishment, exercise or defence of legal claims.
Data subjects also have the right to object to the processing of their personal data for scientific or historical research purposes, or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest. Where such an objection is made, we shall, unless there is an exemption in section 4, no longer process the data subject’s personal data for those purposes.
Where personal data are processed for direct marketing purposes, data subjects have the right to object at any time to the processing of their personal data for such marketing. If a data subject makes such a request, we shall stop processing the personal data for such purposes.
5F. AUTOMATED DECISION-MAKING
Data subjects have the right, in certain circumstances, not to be subject to a decision based solely on automated processing of their personal data (including profiling) where that decision produces legal effects concerning them or similarly significantly affects them. Where such a request is made, unless there is an exemption in section 4, we shall no longer make such a decision unless it:
• is necessary for entering into, or the performance of, a contract between the employer and the data subject;
• is authorised by applicable law which lays down suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests; or
• is based on the data subject’s explicit consent.