This policy was adopted by Cotton Parish Council to comply with the requirements of the General Data Protection Regulations (GDPR), which came into force on May 2018.

Data subjects have the right to access personal data held on them by the Parish Council. Details are set out in the Privacy Policy, also held on the Parish Council’s website.

This policy is in place to ensure that internal procedures on handling of Subject Access Requests (SARs) are accurate and complied with.

The Parish Council will always ensure that personal data is easily accessible to enable a timely response to SARs.

The Parish Council has implemented standards on responding to SARs:

  1. On receipt of a SAR the Clerk will correctly identify whether a request has been made under the Data Protection Regulation 2018
  2. The identity of the Data Subject will be verified and, if needed, any further evidence on the identity of the Data Subject may be requested. Evidence can include current driving licence and/or passport, HMRC documentation, financial statements issued within the past 3 months
  3. We will respond to all SAR’s within one calendar month from receipt. If more time is needed to respond to complex requests, an extension of another two months is permissible, and this will be communicated to the Data Subject in a timely manner.
  4. Subject Access Requests must be undertaken free of charge to the requestor unless the legislation permits reasonable fees to be charged
  5. All the personal data that has been requested must be provided unless an exemption can be applied
  6. 6. If the Parish Council cannot provide the information requested, it will inform the Data Subject on this decision without delay and, at the latest, within one calendar month of receipt of the request.

If data on the Data Subject is processed, the Parish Council will ensure, as a minimum, the following information in the SAR response:

  1. a)  the purposes of the processing;
  2. b)  the categories of personal data concerned;
  3. c)  they will be sent all of the information that is being held about them
  4. d)  the recipients or categories of recipients to whom personal data has been or will be disclosed including any appropriate safeguards for transfer of data
  5. e)  where possible, the envisaged period for which personal data will be stored, or, if not possible, the criteria used to determine that period;
  6. f)  the existence of the right to request rectification or erasure of personal data, or restriction of processing of personal data concerning the Data Subject or to object to such processing;
  7. g)  if the data has not been collected from the Data Subject: the source of such data
  8. h)  Requests that are manifestly unfounded or excessive may be *refused or a charge made. *if a request is refused, a reason must be given.

The Data Subject has the right to lodge a complaint with the Information Commissioners Office (the ICO).