Subject Access and Individual Rights Requests

Who can request information under the General Data Protection Regulations?

The UK General Data Protection Regulations gives you the right to apply for a copy of information about yourself.   This is called a ‘Subject Access Request’. You may, if you so wish, appoint someone (an agent) to apply on your behalf (such as your parent or a solicitor). You can make a subject access request verbally or in writing.  However, we may need to ask for proof of your identity in order to ensure that personal data is not disclosed to any other individuals or third parties.  Where the subject access request is being made on your behalf, we will request written confirmation from you for them to act on your behalf. 

We regard the security and the fair and lawful treatment of personal information as very important in maintaining confidence between the public and ourselves, and fully endorse and adhere to the principles of data protection as listed in the UK General Data Protection Regulations.

We observe fully conditions regarding the lawful, transparent and fair collection and use of information, and ensure that the rights of people whose information we hold can be fully exercised, including the right to access that information.

All staff who collect or process your information are kept up to date with the latest data protection advice, guidance, and training and will be happy to answer any questions, or address any concerns you may have about the way we use it.

The Council has developed a Data Protection policy (PDF 99.9KB) which sets out our approach.

If you would like to know more about your rights under the UK General Data Protection Regulations, and what you should expect from us, then full information is available from the Information Commissioner website.

Making a Subject Access Request

 You can submit your request in the following ways :

• by completing the:
  
   Subject Access Request Form
• by sending a letter in the post to:

Data Protection Officer
c/o Information Governance Team
8th Floor Rear
255-259 High Road
Ilford, Essex IG1 1NY

• over the phone or verbally 

You can make a request verbally, however, we will need to ask security questions in order to confirm your identity or ask to see a copy of a valid ID.  

If you choose send a letter your request must include:

• your name 
• your address 
• a description of the information you wish to obtain
• details of the service(s) you are receiving and any other information (such as date of birth, rent or council tax number) that could help the Council find your information

To ensure confidentiality, we will need evidence which confirms your identity. A copy of a photo ID, and proof of your address such as, driving licence or passport, and an energy bill would be acceptable. We keep all information securely, and in accordance with the GDPR.

For your guidance please see the SAR Proof of Identity List.

If you are making a request on behalf of someone else, you must include proof of their permission for you to do so, or provide evidence of a power of attorney, court order, or health professional evidence that they are unable to provide consent.

 Please complete and return the Subject Access Form of Authority for third party agent (117KB)

Childrens Information

Information about children may be released to a person with parental responsibility. However, the best interests of the child will always be considered. Even if a child is very young, data about them is still their personal data and does not belong to anyone else. It is the child who has a right of access to the information held about them.

Before responding to a request for information held about a child, we will consider whether the child is mature enough to understand their rights. In normal circumstances, we consider a child of 12 or older is old enough to understand their rights.

For children under the age of 12, we will consider applications from whoever has parental responsibility for the child. We will take into account details of the specific case. You may find it useful to refer to the Gingerbread page on Parental Responsibility.

What happens to my request?

 When the Council receives a request for information, we must respond as soon as possible, and no later than a month (30 calendar days) after receiving your request.  However, the 30 calendar days starts from when the Council receives a clear request and enough identification to be sure that the request is from the data subject (whose information it is). In certain circumstances we can extend this by up to a further 2 months.  We will tell you if we need to do this.

Once this information has been received the Subject Access coordinator will send you an acknowledgement to inform you that the 30 day period has started.

Once your request has been received, it will be logged and allocated a number and the Subject Access coordinator will liaise with the appropriate area of the Council that holds the information you have requested.

The information will be reviewed to establish what information you are entitled to under the UK General Data Protection Regulations. Information which identifies other people will not be released, unless they have given their permission.

What does it cost?

Subject Access Requests are free of charge.

How many requests can I make?

The Council is not obliged to respond to vexatious or repeated requests. This may include repeated requests from the same person for the same information, or requests which are intended to disrupt the Council's work.

What happens if some or all of my request is refused?

The Council is permitted to withhold information if it falls under one of the exemptions in the Act. If you are unhappy with the decision, you can write to the Councils Data Protection Officer  to request a review of that decision.

What if I think I have not been given all of the information I asked for?

You can appeal to the Information Commissioner's Office (ICO). The ICO's staff will look into the matter on your behalf.

What other individual rights do I have under the UK General Data Protection Regulations UKGDPR and how I can exercise these rights?

The UK GDPR also provide the following rights for individuals in addition to right of access:

1. The right to be informed
2. The right to rectification
3. The right to erasure
4. The right to restrict processing
5. The right to data portability
6. The right to object
7. Rights in relation to automated decision making and profiling

Depending on the lawful basis on which the Council relies on for processing your personal data, for example;  we have legal obligation to process Personal Data for purposes of collection of Council tax, or paying of benefits, or administrating Housing applications, or exercising our safeguarding obligations, you may not always be able to exercise these rights.  For more information on your rights under UK GDPR  please visit the ICO's website.

Making an Individual Rights Request

You can submit your request in the following ways :

• by completing the:
  
   Individual Rights Request Form
• by sending a letter in the post to:

Data Protection Officer
c/o Information Governance Team
8th Floor Rear
255-259 High Road
Ilford, Essex IG1 1NY

• over the phone or verbally 

You can make a request verbally, however, we will need to ask security questions in order to confirm your identity or ask to see a copy of a valid ID.  

If you choose send a letter your request must include:

• your name 
• your address 
• a description of the information you wish to obtain
• details of the service(s) you are receiving and any other information (such as date of birth, rent or council tax number) that could help the Council find your information

To ensure confidentiality, we will need evidence which confirms your identity. A copy of a photo ID, and proof of your address such as, driving licence or passport, and an energy bill would be acceptable. We keep all information securely, and in accordance with the Data Protection Act 2018.

For your guidance please see the SAR Proof of Identity List.

If you are making a request on behalf of someone else, you must include proof of their permission for you to do so, or provide evidence of a power of attorney, court order, or health professional evidence that they are unable to provide consent.

 Please complete and return the Subject Access Form of Authority for third party agent (117KB)

You must write, or email to the Council telling us what information is incorrect and asking for it to be corrected.

Send your letter to:

Data Protection Officer
c/o information Governance Team
8th Floor Rear
255-259 High Road
Ilford, Essex IG1 1NY

or email: data.protection@redbridge.gov.uk

 

Complaints

If you are unhappy with the way your subject access request or you individual rights request has been handled, you can write to:

Data Protection Officer
c/o information Governance Team
8th Floor Rear
255-259 High Road
Ilford, Essex IG1 1NY

or email: data.protection@redbridge.gov.uk

An independent senior Council officer will be assigned to review the way your subject access request or your individual rights request has been handled.

 Following this review, should you still be unhappy with how your subject access request has been handed, you have a further right to appeal to the Information Commissioner's Office, who is responsible for ensuring compliance with the UK GDPR.

 The Information Commissioner can be contacted by:

• Email - casework@ico.org.uk (please include your telephone number)
• Telephone - 0303 123 1113 (local rate) or 01625 545745 if you prefer to use a national rate number
• Fax - 01625 545510
• Writing to - The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF