Control measure: People are informed about their rights and all staff are aware of how to identify and deal with both verbal and written requests.
Risk: If people are not given sufficient guidance, they may not be aware of their rights. This may breach chapter 3 of the UK GDPR.
Ways to meet our expectations:
- Give people clear and relevant information about their rights and how to exercise them.
- Set out processes for dealing with requests from people about their rights in policies and procedures.
- Deliver training and guidance to all staff on how to recognise a request and where to send them.
Options to consider:
- Have a separate policy for handling people’s rights, with specific processes for the right of access to personal information.
- Document clear step-by-step instructions or a process flow chart for handling requests.
- Include a link to individual rights policies in other relevant policies, such as the data protection policy.
- Produce a script or form for support staff to use who receive requests for access on the phone.
- Ask customers if they find the process to make requests clear and user-friendly.
Have you considered the effectiveness of your accountability measures?
- Do all staff understand how to recognise a request and where to send them?
- Would people say that you provided useful materials to help them to exercise their rights?
Control measure: There are appropriate resources in place to handle requests from people about their information.
Risk: Without a sufficiently resourced and competent team to handle requests, the statutory requirements and timeframe may not be met, or information may be inappropriately disclosed. This may breach articles 12 and 15 of the UK GDPR.
Ways to meet our expectations:
- Ensure there is a specific person or team in place that are responsible for managing and responding to requests.
- Ensure staff receive specialised training to handle requests, including regular refresher training.
- Have sufficient resources to deal with requests.
- If a staff member is absent, train other staff to carry out key tasks.
- Ensure you can deal with any increase in requests or reduction in staffing levels.
Options to consider:
- Train additional staff, who can support with high volumes or help to cover staff absences.
- Give responsibility to a named staff member or have a clear plan to prevent delays to requests you receive during extended office closures or public holidays.
Have you considered the effectiveness of your accountability measures?
- Are staff aware of their key responsibilities and how to deliver them in practice?
- Would your staff say that you have appropriate resources to deal with the volume of requests?
- In the case of staff absences, could key tasks in the request process be covered by more than one person?
Control measure: Verbal and written requests from people are logged and the log is updated to track the handling of each request.
Risk: Not keeping records of verbal and written requests, or keeping incomplete records, makes it difficult to demonstrate compliance with statutory requirements, and prevents lessons being learned and used to improve performance. This may breach articles 5(2) and 30(1) of the UK GDPR.
Ways to meet our expectations:
- Put processes in place to ensure the log is accurate and updated as appropriate.
- Show the due date for requests, the actual date of the final response and the action taken on the log.
- Have a checklist that records the key stages in the request handling process, eg which systems or departments have been searched. This could be part of the log or a separate document.
- Keep records of your organisation's request responses, and any disclosed or withheld information.
Options to consider:
- Use a spreadsheet or database to automatically calculate key dates.
- Mark log fields as ‘mandatory’ to ensure information is captured and there are no gaps.
- Include the log in your retention schedule to ensure you only retain the information for as long as necessary.
Have you considered the effectiveness of your accountability measures?
- Could you locate relevant records easily?
- Are the records correct?
- Would a small sample of requests show that your staff follow the policies and procedures?
Control measure: Requests from people are dealt with in a timely manner that meets their expectations and statutory timescales.
Risk: If requests are not responded to within the statutory timeframe, people may be dissatisfied or complain, causing reputational damage. This may breach article 15 of the UK GDPR.
Ways to meet our expectations:
- Action all requests within statutory timescales.
- Ensure staff responsible for managing requests meet regularly to discuss any issues and investigate, prioritise or escalate any delayed cases.
- If you need an extension, update people on the progress of their request and keep them informed.
- If a request is refused, have records about the reasons why and inform people about the reasons for any refusals or exemptions.
Options to consider:
- Use a spreadsheet or database to automatically calculate key dates.
- Plan to respond to non-complex requests in a shorter period (eg two weeks) so you have extra time if there are delays or issues.
Have you considered the effectiveness of your accountability measures?
- Would staff say that the process in place to deal with issues is regular and effective?
- Would requesters say they were kept well-informed about the progress of their request?
- Did requesters receive clear information?
Control measure: There is monitoring in place on how staff handle requests, and that information is used to make improvements.
Risk: If not monitored, performance and compliance can’t be improved. This may breach article 5(2) of the UK GDPR.
Ways to meet our expectations:
- Ensure staff responsible for managing requests meet regularly to discuss any issues.
- Produce regular reports on performance and case quality assessments to ensure that requests are handled appropriately.
- Share reports with senior management, that they review and action at appropriate meetings.
- Analyse any trends in the nature or cause of requests to improve performance or reduce volumes.
Options to consider:
- Add oversight of requests as a standing agenda item on relevant team and senior management meetings.
- Send a feedback or satisfaction survey with responses to requests to help identify issues or trends.
- Record minutes of meetings where you discuss request performance.
Have you considered the effectiveness of your accountability measures?
- Are the management reports easy to understand?
- Does senior management know about current performance?
- Are the actions clear and are they followed up?
Control measure: There are appropriate systems and procedures to change inaccurate information, add additional information to incomplete records or add a supplementary statement where necessary.
Risk: If there are no procedures in place to allow people to have their personal information corrected or completed, there is a risk of processing inaccurate or incomplete information. This may breach article 5 (1) (d) of the UK GDPR.
Ways to meet our expectations:
- Take proportionate and reasonable steps to check the accuracy of the personal information held and, if necessary, be able to rectify it.
- If your organisation is satisfied that the information is accurate, have a procedure to explain this to people. You need to inform people of their right to complain, and as a matter of good practice, record on the system the fact that the person disputes the accuracy of the information.
- If personal information has been disclosed to others, contact each recipient to inform them about the rectification, unless this is impossible or involves disproportionate effort.
- If asked, tell people which third parties have received their personal information.
Options to consider:
- Produce clear template text to use in letters or emails for each request.
- Include template text as appendices in policies, so staff can find it quickly.
Have you considered the effectiveness of your accountability measures?
- Would staff say there are effective processes in place to rectify inaccurate or incomplete personal information?
- Would requesters say they were given clear information about the steps you took?
Control measure: There are appropriate methods and procedures in place to delete, suppress or otherwise stop processing personal information if required.
Risk: If there are no procedures in place to deal with such a request, this may breach articles 17 and 21 of the UK GDPR.
Ways to meet our expectations:
- Erase personal information from back-up systems as well as live systems where necessary, and clearly tell people what will happen to their information.
- If the personal information is disclosed to others, contact each recipient to inform them about the erasure, unless this is impossible or involves disproportionate effort.
- If asked to, tell people which third parties have received their personal information.
- If personal information has been made public in an online environment, take reasonable steps to tell other controllers, if they are processing it, to erase links to, copies or replication of that information.
- Give particular weight to a request for erasure where the processing is or was based on a child’s consent, especially when processing any personal information on the internet.
Options to consider:
- Produce clear template text to use in letters or emails for each request.
- Include template text as appendices in policies, so staff can find it quickly.
Have you considered the effectiveness of your accountability measures?
- Would staff say there are effective processes in place to erase personal information?
- Would requesters say they were given clear information about the steps you took?
Control measure: There are appropriate methods and procedures in place to restrict the processing of personal information if required.
Risk: If there are no procedures in place to deal with such a request, this may breach article 18 of the UK GDPR.
Ways to meet our expectations:
- Restrict personal information in a way appropriate for the type of processing and the system, for example temporarily moving the information to another system or removing it from a website.
- If the personal information has been disclosed to others, contact each recipient to tell them about the restriction, unless this is impossible or involves disproportionate effort.
- If asked to, tell the requestor which third parties have received their personal information.
Options to consider:
- Produce clear template text to use in letters or emails for each request.
- Include template text as appendices in policies, so staff can find it quickly.
Have you considered the effectiveness of your accountability measures?
- Would staff say you have effective processes in place to restrict personal information?
- Would requesters say you gave them clear information about the steps you took?
Control measure: People are able to move, copy or transfer their personal information to another organisation securely, without affecting the information.
Risk: Without the ability for people to move, copy or transfer their personal information, this may breach article 20 of the UK GDPR.
Ways to meet our expectations:
- When requested, provide personal information in a structured, commonly used and machine readable format.
- Where possible and if a person requests it, directly transmit the information to another organisation.
Options to consider:
- Create an online and paper form for people to use to submit their requests.
- Produce a script or form for support staff to use who receive requests on the phone.
- Ask customers if they find the process to make requests clear and user-friendly.
Have you considered the effectiveness of your accountability measures?
- Would staff say you have effective data portability processes in place?
- Would requesters say you gave them clear information?
Control measure: People’s rights related to automated decision-making and profiling are protected, particularly where the processing is solely automated with legal or similarly significant effects.
Risk: The right to not be subject to a decision based solely on automated processing, including profiling, is an absolute right under the UK GDPR. By not having adequate operational procedures in place to readily respond to requests from people to not be subject to this processing, may result in unlawful processing. This may breach article 22 of the UK GDPR.
Ways to meet our expectations:
- Complete additional checks for vulnerable groups, such as children, for all automated decision-making and profiling.
- Only collect the minimum information needed and have a clear retention policy for the profiles created.
- If your organisation uses solely automated decisions that have legal or similarly significant effects on people, have a recorded process to ensure these decisions only occur in accordance with article 22 of the UK GDPR. If this applies, carry out a data protection impact assessment (DPIA).
- Where the decision is solely automated and has legal or similarly significant effects on people, ensure a recorded process allows simple ways for people to request human intervention, express their opinion and challenge a decision.
- Conduct regular checks for accuracy and bias to ensure that systems are working as intended, and feed this back into the design process.
Options to consider:
- Have guidance that details how staff should respond to people challenging the decisions from automated decision making and profiling.
- Commission external certification mechanisms to check that people are treated fairly and not discriminated against.
Have you considered the effectiveness of your accountability measures?
- Do staff and customers find your retention policy clear?
- Do staff say you have effective processes to protect rights relating to automated decision-making and profiling?
- Would people say you made it easy to request human intervention, express their opinion and challenge a decision?
Control measure: There are procedures to recognise and respond to people's complaints about data protection, and people are made aware of their right to complain.
Risk: If people are not given clear and accessible ways to raise a complaint, or if complaints are not recognised and acted on, there is a risk that issues may continue, escalate or worsen. This may result in a breach of UK GDPR or an intervention by the ICO.
Ways to meet our expectations:
- Implement procedures to handle data protection complaints raised by people and report their resolution to senior management.
- Make the DPO’s contact details or alternative contact points publicly available if people wish to raise a complaint about the use of their information.
- Tell people about their right to make a complaint to the ICO in your privacy information.
Options to consider:
- Provide template forms to assist people to make a complaint.
- Provide all the relevant information upfront in order to handle complaints in a timely manner.
Have you considered the effectiveness of your accountability measures?
- Would complainants say that they were clear about how to make complaints and how it would be handled?