Subject Access Request

What is a data Subject Access Request?

A data Subject Access Requests (SARs) are when a data subject requests the data controller to do something with the data you hold on them.

This could be a request to identify:

- the reason why you have the data and what you are doing with it

- the type of data you hold on them

- the third parties you have disclosed the data to

- the period you will be keeping the data for and why

In addition, they can ask you to:

- delete or modify the data you have on them

- transfer this data to a third party of their choice

In all cases the action they are requesting cannot have a material impact on you fulfilling your obligations to the data subject. For example, you require a number of data points when registering a youth member – e.g. name and date of birth and parental/guardian contact details etc.

Subject Access Request - Process Overview

Initiation 

  • A Subject Access Request (SAR) can be initiated by any individual to obtain all, or some, data held by a Data Controller (Scout Group and/or Scouting Ireland) about them.
  • The request should be received in writing, and the Data Controller (Scout Group) should be satisfied of the identity of the individual.
  • Once received, the date and time of receipt should be recorded as well as the nature of the information requested.
  • Receipt of the SAR should be acknowledged in writing to the individual.
  • The Scouting Ireland Data Protection Officer should be consulted (dataprotection@scouts.ie)

Assessment

  • The SAR should be evaluated and deemed to be valid or unfounded.
  • If it is unfounded, the individual should be informed of the reasons why and their right to complain to the Office of the Data Protection Commissioner.
  • If it is valid the SAR should be processed (Free of Charge) within a month of receipt of a request.

Provision of Data

  • The Scout Group’s Log of Processing Activities/data inventory should be consulted to identify the locations, or possible locations of all data requested by the individual
  • All paper records should be identified and copied
  • All electronic records should be identified and extracted into standard formats (excel, Word, PDF etc)
  • Ensure the data collected does not include personal data of any other individual(s). If it does, ensure it is removed prior to the provision of the data via redaction if necessary.
  • All data should be provided to the individual within one month of receipt of the request. This should include the data requested by the individual together with a description of the purpose and legal basis for processing, the categories of personal data, any recipients of the data (third party data processors), retention periods, the location of the data concerned and an individual’s rights to have the data amended or deleted, and their right to complain to the Office of the Data Protection Commissioner Insert Link.
  • The SAR record should be updated with details of the information provided and the time and date that it was provided.