The truth about subject access
Charlotte Lewendon, information management, governance and risk manager at The Guinness Partnership, gives us some practical tips for processing subject access requests.Processing subject access requests can be a daunting task for housing staff but there are some simple practical steps which can help meet compliance with the Data Protection Act 1998 (DPA) and make sure the person making the request gets a good level of customer service. Here are my top tips.
- Make sure that all staff within the organisation know what a subject access looks like, whether it could be dealt with as a routine enquiry and if not who to send it to in the organisation. The sooner it reaches the right person the sooner the request can be processed. A routine enquiry could be “Can I have a copy of my tenancy agreement or my rent statement?”
- Check that you have proof of identity if you need it, the £10 fee (if you charge) and signed authority where someone is acting on the behalf of a third party such as a solicitor.
- Keep a log of all subject access requests recording receipt, owner and date of response.
- Do you have enough detail to locate the information? You should not second guess or assume you know what they are seeking. Engage with the person who has made the request as it could save you time and effort in locating the information they want.
- Keep a record of the searches you have made to locate the information that is being asked for. This will help should a complaint be made to the Information Commissioner’s Office (ICO).
- Keep the person who has made the request updated on the progress of the request. Send an acknowledgment setting out when they can expect a response and the name of the person dealing with their request.
- Remove third party data where it is not already known to the customer or it is not reasonable to provide it. For example a member of staff’s name that has been dealing with their tenancy.
- In the covering response give as much contextual detail to help the requester understand the information being provided. This is in addition to the requirement to explain any codes or acronyms in the information.
- Keep a copy of what you have sent out and what information you have withheld or redacted in case of future queries or a complaint to the ICO.
Finally, there is a lot of good practical advice in the ICO’s Code of Practice on Subject Access.