What is a subject access request?
A Subject Access Request (SAR) is simply a request made by, or on behalf of, an individual. Under data protection legislation, individuals (data subjects) have the right to request that a data controller provides them with the following:
- Confirmation that their personal data is being processed
- Access to their personal data
- Other supplementary information about the processing of their personal data.
How do I make a subject access request?
A subject access request can be submitted verbally or in writing, but in either case, must describe the personal data required. If making a third party request for personal data, please note the special conditions here. NMITE’s Governance office can provide you with a Subject Access Request Form which will aid you in providing as much detail as possible relating to the request and will reduce the potential for delays pending clarification. If you are unable to make a request in writing, telephone NMITE at 01432 371111 x341. Proof of identification must be provided, comprising a copy of an official document containing photographic identification, e.g. passport or driving license.
You can submit the form and/or proof of identification by email to governance@nmite.ac.uk but please note that NMITE will only begin to process a request once it is in receipt of all items. We may need to provide the response in an accessible format and will work with you to establish what is appropriate.
What happens once I have submitted a request?
NMITE will send you an acknowledgement of the request. If we need any clarification, or if proof of ID, we will contact you as soon as possible. Once we are in receipt of a clear request and proof of ID we will begin to locate and collate the relevant personal data.
What information will I receive?
The subject access right allows individuals the right to access personal data of which they are the subject. It does not provide the right to access entire documents if the documents do not fully comprise the personal data of the individual. Therefore, in response to a subject access request, an individual may receive partial or redacted documents.
Can I access the personal data of other individuals?
An individual only has the right to access personal data of which they are the subject and there is no right of access to the personal data of friends or family. However, there are some instances in which a request made on behalf of another individual or for a specific purpose (such as the detection or prevention of crime) will be considered. Please refer to this section for further information.
When will I receive a response to my request?
Under data protection legislation, NMITE must respond within one calendar month of receiving a request and proof of ID, unless the request is particularly complex, in which case the deadline may be extended by a further two months. Where NMITE needs to extend a deadline we will write to inform the requestor of this.
How will I receive copies of personal data in response to my request?
Copies of personal data will normally be sent either electronically (by email attachment, using password protection and encryption) or in hard copy (by the Royal Mail's 'Signed For' service). If you prefer, you can request that we provide personal data to you orally, but we will only do so if we are able to verify your identity first.
What if I am dissatisfied with NMITE’s response to my request?
If you are dissatisfied with the way in which your subject access request has been processed or dissatisfied with the response that you have been given, please write to the Company Secretary in the first instance c/o governance@nmite.ac.uk so that NMITE is provided with the opportunity to review the matter and respond to your concerns.
You can also ask the Information Commissioner's Office (ICO) to carry out an assessment to see whether it is likely or unlikely that NMITE has responded properly. The ICO can be contacted at:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 1231113
Website: www.ico.org.uk
Making a third-party request for personal data
There are some circumstances under which NMITE will consider a request for access to personal data on behalf of another individual, or a request for access to personal data of another individual without their consent. These are:
- The requestor is the parent of a child aged 12 years or under
- The requestor has the written permission to make a request on behalf of another individual
- The requestor has Power of Attorney or an order from the Court of Protection to act on behalf of another individual
- NMITE believes that it is in the best interests of an individual who does not have the capacity to make a request themselves
- NMITE deems that release can be justified under crime and taxation provisions.
In these circumstances, NMITE may seek further information from the requestor in order to help determine whether we are willing to release any personal data.
A request for access to personal data made on behalf of a child
Children aged 13 and above are generally deemed mature enough to make decisions about the processing of their personal data and would normally be expected to submit a subject access request themselves. Where a parent of a child over the age of 13 submits a subject access request on the child's behalf, NMITE may contact the child to request their consent to the release of the personal data, or require the parent to provide written consent from the child.
A parent has the right to request access to their child's personal data, where the child is under 13 years old. NMITE will decide whether it is in the best interests of the child to make the disclosure. Please follow the subject access request process above, submitting a copy of a form of ID for yourself and your child.
A request for access to personal data made on behalf of an adult
A request for access to personal data made on behalf of an adult will need to be accompanied by a signed letter from the data subject that contains consent to the release of all or specific personal data to the requestor. Such requests are typically made by solicitors acting on behalf of a client.
A request for access to personal data made on behalf of an adult who does not have the capacity to make a request themselves will need to be accompanied by proof that the requestor has the authority to act on behalf of the data subject, such as through Power of Attorney or an order from the Court of Protection. Where authority is not provided, NMITE will consider on a case by case basis whether release of the personal data requested is in the best interests of the data subject. Please follow the subject access request process above, submitting a copy of a form of ID for yourself and the data subject and proof of your authority to act on behalf of the data subject.
A request for personal data for the purpose of law enforcement
The Data Protection Act 2018 contains some exemptions that permit NMITE to release personal data for the purpose of law enforcement:
- Safeguarding national security (section 110)
- The prevention or detection of crime, the apprehension or prosecution of offenders or the assessment or collection of any tax or duty or of any imposition of a similar nature (schedule 2).
A request for the release of personal data under these provisions would be typically made by a police force, the Department for Work and Pensions, a local authority or the Border and Immigration Agency. NMITE is not obliged to release personal data unless it is satisfied that it is reasonable to do so. Under these exemptions, personal data may be released without the consent of the data subject and outside of the purpose for which the personal data was originally collected.
A request for release of personal data for the purpose of law enforcement should be submitted using the requesting organisation's own form for that purpose. Police forces, for example, use standard forms as per guidance issued by the Association of Chief Police Officers (ACPO). The form should give full details of the personal data requested, a full explanation of the reason for the request and should be counter-signed by a senior officer of the organisation. Completed forms should be emailed to governance@nmite.ac.uk. Requests will be acknowledged and a full response sent as soon as possible.