Subject Access Request Policy

Purpose of this policy

The purpose of this document is to outline Uplift’s policy in relation to the management of subject access requests which are submitted by individuals (data subjects). A subject access request enables a data subject to gain access to any personal information held about them by Uplift. It promotes the right of data subjects to submit a subject access request in order to obtain a copy of such information held about them, in electronic or hard copy form, by Uplift, as the data controller. It also outlines the procedure to be followed by data subjects when submitting a data access request to Uplift.

Scope of this policy

This policy outlines how Uplift will meet its legal obligations under the European Union’s General Data Protection Regulation (GDPR) upon receipt of a data access request.

Ownership

The Subject Access Request Policy is maintained by Brian Cuthbert, Uplift’s Data Protection Officer (DPO), who is responsible for dealing with all subject access requests received by the organisation, and is approved by the Senior Leadership Team. All questions or comments related to this policy or a specific subject access request should be directed to the DPO. Any material changes to this policy will require approval by Uplift’s Board.

What is personal information?

Personal information is any data, in both physical and electronic form, related to an identified or identifiable person. It includes anything that can be used to identify a person, directly or indirectly, by means of his or her physical, physiological, mental, economic, cultural, or social identity.

What is a subject access request?

A subject access request is a written request for personal information (known as personal data) held about you by Uplift. Under article 15 of the GDPR you have, as the data subject, the right to see if Uplift is processing your personal data and receive a copy of the data itself. In particular you have the right to the following information:

1. The data itself in a permanent and intelligible format
2. The purposes of the processing (what are we using your data for?);
3. The categories of personal data concerned (categories such as: name, address, email address, date of birth etc);
4. The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (are we sharing you information with anyone else?)
5. Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period (how long are we keeping your data?);
6. The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing (the right to object to having your data processed, and to have data erased or corrected upon request);
7. The right to lodge a complaint with a supervisory authority (the Irish Data Protection Commissioner);
8. Where the personal data is not collected from the data subject, any available information as to their source (if we didn’t collect the data from you, where did we get it?);
9. The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

How do you make a subject access request? 

In order to respond effectively and efficiently to any subject access request we ask you to:

• Visit the Subject Access Request form online at https://www.uplift.ie/gdpr-data-requests.
• Complete the form.
• When you receive our confirmation email, please reply to it and be specific as possible about the
  information you wish to access. Please attach a photocopy of your proof of identity and address.
• If you cannot use the online Access Request Form, please write to us requesting a form from [email protected] and a copy will be sent to you.

Use of the Access Request Form is not mandatory. However, completing the Access Request Form should enable us to process your subject access request more efficiently.

What does Uplift do upon receiving a valid subject access request?

We will first check that we have enough information to be sure of your identity. Often we will have no reason to doubt a person’s identity. However, in rare cases we may request additional evidence we reasonably need to confirm your identity. We do this to ensure that we only disclose information about personal data to the data subject.

We will then check that we have enough information to find the records you requested. If we feel we need more information, then we will promptly ask you for this.

We will then conduct a full search of all our relevant databases and filing systems and collect all data relevant to the subject access request. Provided that none of the restrictions specified in Article 23 of the GDPR apply, we will then share with you the data and the additional information that you are entitled to. The default position is that you will get a hard copy of the information in a permanent and intelligible format unless the supply of such a copy is not possible or would involve a disproportionate effort, or you have agreed otherwise. Any terms which are not intelligible without an explanation will be accompanied by an explanation.

The copy of the requested material will be emailed to you, and we will seek timely confirmation from you, as the data subject on receipt of the material.

Are there any fees payable? 

No. The information provided under a subject access request will be provided free of charge (for the first copy – any subsequent copies may incur a reasonable fee based on administrative costs).

How soon will my subject access request be dealt with? 

All valid subject access requests, accompanied by valid proof of identity, received by Uplift will be dealt with within 30 days of receipt of the request.

Review

This policy will be reviewed at least annually by the Data Protection Officer to ensure alignment to appropriate risk management requirements and its continued relevance to current and planned operations, or legal developments and legislative obligations.