Data Subject Access Request Procedure (SAR)

1. The purpose of this policy

According to GDPR “a data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.” This policy sets out the procedure following a Subject Access Request (SAR).

2. The rights of Data Subjects

Data subjects have the legal right to know whether you are processing any personal data about them as an individual and, if so, to be given:

  • the purposes of you processing the data on them
  • the categories of personal data concerned, personal or sensitive
  • the recipients to whom the personal data have been or will be disclosed, in particular, recipients in third countries or international organisations
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction on processing of personal data concerning
  • the data subject or to object to such processing
  • the right to lodge a complaint with a supervisory authority
  • any available information as to the source if you were not the originating data collector
  • the existence of automated decision-making, including profiling. Detail needs to be available on what technologies are used here and what result this has on the data subject and their data

The response to the data subject needs to be within 1 month of first receipt of the SAR.

3. The Procedure

North Hertfordshire Psychology Services will follow the procedure set out below and use the forms detailed within the steps when processing Subject Access Requests:

4. Responding to a SAR

The Data Controller is responsible for reviewing all provided documents to identify whether any third parties are identified in it and for either omitting or redacting identifying third party information from the documentation or obtaining written consent from the third party for their identity to be revealed.

If the requested data falls under one of the following exemptions, it does not have to be provided:

  • Crime prevention and detection
    Negotiations with the requester
    Information used for research, historical or statistical purposes
    Information covered by legal professional privilege

The information will be provided to the data subject in electronic format unless otherwise requested and all the items provided are listed on a schedule that shows the data subject’s name and the date on which the information is delivered.

In all cases care should be taken to redact all personal data or confidential information that the data subject should not see.


Updated 2019