The Association of Health Professions in Ophthalmology

Data Protection Act (DPA) – Subject Access Request (SAR) Policy

1. Purpose

Individuals have the right to know what personal data we hold about them, why we hold it and who we disclose it to. The Data Protection Act 1998 (DPA) gives individuals the right to require us to do this and will also apply when the General Data Protection Regulations come into effect in May 2018.

This right is commonly known as subject access.

2. Introduction – What is the DPA?

2.1 The DPA gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.

2.2 The Act works in two ways. Firstly, it states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for specific and lawful purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with the individuals’ rights
  • Secure
  • Not transferred to other countries without adequate protection

2.3 Secondly, it provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.

3. What is AHPO’s general policy on providing information?

3.1 We are committed to operating openly and to meeting all reasonable requests for information that are not subject to specific exemption in the Act.

4. How do you make a subject access request?

4.1 A subject access request is a request for personal information (known as personal data) held about you by AHPO. The request may come via email, hard copy, social media and by phone. You have the right to see what personal information we hold about you, and you are entitled to be given a description of the information, what we use it for, who we might pass it on to, and any information we might have about the source of the information. However, this right is subject to certain exemptions that are set out in the Data Protection Act.

5. What is personal information?

5.1 Personal data is information that relates to a living individual that can be used to identify them and can affect their privacy.

5.2 Further information on what amounts to personal data can be found at appendix A. 

6. What do we do when we receive a subject access request?

Checking of identity

6.1 We will first check that we have enough information to be sure of your identity. Often, we will have no reason to doubt a person’s identity, for example, if we have regularly corresponded with them. However, if we have good cause to doubt your identity we can ask you to provide any evidence we reasonably need to confirm your identity. For example, we may ask you for a piece of information held in your records that we would expect you to know, a witnessed copy of your signature, or proof of your address.

6.2 If the person requesting the information is a relative/representative of the individual concerned, then the relative/representative is entitled to personal data about themselves but must supply the individual’s consent for the release of their personal data.

6.3 Should you make a data subject access request but you are not the data subject, you must stipulate the basis under the Data Protection Act that you consider makes you entitled to the information.

Collation of information

6.4 We will check that we have enough information to find the records you requested. If we feel we need more information, then we will promptly ask you for this. We will gather any manual or electronically held information (including emails) and identify any information provided by a third party or which identifies a third party.

6.5 If we have identified information that relates to third parties, we will write to them asking whether there is any reason why this information should not be disclosed. We do not have to supply the information to you unless the other party has provided their consent or it is reasonable to do so without their consent. If the third party objects to the information being disclosed we may seek legal advice on what action we should take.

6.6 Before sharing any information that relates to third parties, we will where possible anonymise information that identifies third parties not already known to the individual (e.g. AHPO’s employees), and edit information that might affect another party’s privacy. We may also summarise information rather than provide a copy of the whole document. The DPA requires us to provide information, not documents.

Issuing our response

6.7 Once any queries around the information requested have been resolved, copies of the information in a permanent form will be sent to you except where you agree, where it is impossible, or where it would involve undue effort. In these cases, an alternative would be to allow you to view the information on screen at AHPO.

6.8 We will explain any complex terms or abbreviations contained within the information when it is shared with you. Unless specified otherwise, we will also provide a copy of any information that you have seen before.

7. Will we charge a fee?

7.1 Under the DPA we are able to charge a maximum £10 fee. If we do charge a fee we will inform you promptly of this.

8. What is the timeframe for responding to subject access requests?

8.1 We have 40 calendar days starting from when we have received all the information necessary to identify you, to identify the information requested, and any fee required, to provide you with the information or to provide an explanation about why we are unable to provide the information. In many cases, it will be possible to respond in advance of the 40 calendar day target and we will aim to do so where possible.

9. Are there any grounds we can rely on for not complying with a subject access request?

Previous request

9.1 If you have made a previous subject access request we must respond if a reasonable interval has elapsed since the previous request. A reasonable interval will be determined upon the nature of the information, the time that has elapsed, and the number of changes that have occurred to the information since the last request.

Exemptions

9.2 The Act contains a number of exemptions to our duty to disclose personal data and we may seek legal advice if we consider that they might apply. Possible exemptions would be: information covered by legal professional privilege, information used for research, historical and statistical purposes, and confidential references given or received by AHPO.

10. What if you identify an error in our records?

10.1 If we agree that the information is inaccurate, we will correct it and where practicable, destroy the inaccurate information. We will consider informing any relevant third party of the correction. If we do not agree or feel unable to decide whether the information is inaccurate, we will make a note of the alleged error and keep this on file.

11. What if you want AHPO to stop processing your data?

11.1 Under section 10 of the DPA, you can object to AHPO processing your data altogether, in relation to a particular purpose or in a particular way through a data subject notice. However, this only applies to certain processing activities and there is a process that you must follow when making such an objection. We must then give you written notice that either we have complied with your request, intend to comply with it or state the extent to which we will comply with it and why. This information will be given to you within 21 days of AHPO receiving the data subject notice. Further information on this can be found at www.informationcommissioner.gov.uk.

12. Our complaints procedure

12.1 If you are not satisfied by our actions, you can seek recourse through our internal complaints procedure, the Information Commissioner or the courts.

12.2 The AHPO Chairperson will deal with any written complaint about the way a request has been handled and about what information has been disclosed. The AHPO Chairperson can be contacted at:

Association of Health Professions in Ophthalmology
59 New Street
Burton on Trent
DE14 3QY

12.3 If you remain dissatisfied, you have the right to refer the matter to the Information Commissioner. The Information Commissioner can be contacted at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 01625 545 745
Email: enquiries@ico.gsi.gov.uk

13. Appendix A

13.1 Personal data is information that relates to a living individual who can be identified from the information and which affects the privacy of that individual, either in a personal or professional capacity. Any expression of opinion about the individual or any indication of the intentions of any person in respect of the individual will be personal data.

13.2 Provided the information in question can be linked to an identifiable individual, the following are likely to be examples of personal data:

  • an individual’s salary or other financial information
  • information about an individual’s family life or personal circumstances, employment or personal circumstances, any opinion about an individual’s state of mind
  • sensitive personal information – an individual’s racial or ethnic origin, political opinions, religious beliefs, physical or mental health, sexual orientation, criminal record and membership of a trade union.

13.3 The following are examples of information, which will not normally be personal data:

  • mere reference to a person’s name, where the name is not associated with any other personal information
  • incidental reference in the minutes of a business meeting of an individual’s attendance at that meeting in an official capacity
  • where an individual’s name appears on a document or email indicating only that it has been sent or copied to that particular individual
  • the content of that document or email does not amount to personal data about the individual unless there is other information about the individual in it.

13.4 If a document sent by a third party contains information about an individual which relates to their personal or professional life, it is personal data.
An outline of an organisation’s standard procedure, relevant to an individual’s complaint/s case will not be personal data.

February 2020