All individuals who are the subject of personal data held by the charity are entitled to be:

  • Told whether any personal data is being processed
  • Given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people
  • Given a copy of the information comprising the data; and given details of the source of the data (where this available).

If an individual contacts the charity requesting this information, this is called a subject access request. Subject access requests from individuals can be made by mail or by email, or by social media channels, addressed to the Data Protection Lead.

The Data Protection Lead must always verify the identity of anyone making a subject access request before handing over any information.

  • If they are the data subjects then examples of proof of identity would be a recent bank statement or utility bill, driving licence or passport (photocopies are acceptable).
  • If they are acting on behalf of the data subject with their express permission or with the appropriate legal authority, this must be evidenced in writing, together with the reason why the individual cannot make the request themselves.

In this scenario they are asked if they wish to be removed from further communications from the charity, if they do so then communications preferences will be updated.

The following guidance will assist in recognising a subject access request:

  • It is in writing.
  • States the name of the applicant and address for correspondence.
  • Describes the information requested.

This request will be sent immediately to the data protection officer. By law we need to respond promptly and at the latest within 30 days and if we fail to handle a subject access request properly this could give rise to a complaint to the Information Commissioner’s Office, so all staff needs to follow the correct process.