Data Protection
Subject Access Requests and Data Breach protocols

GDPR–Subject Access Requests and Data Breach Protocols

1 – These terms

The General Data Protection Regulations (GDPR) were introduced in 2018 and the Information Commissioner’s Office (ICO) has provided a compliance framework which includes how subject access requests and data breaches are managed.

2. Subject Access Requests (SAR)

2.1. This protocol provides guidance when an individual requests a copy of all the information that Knepp holds under GDPR Article 15, why we need to verify their identity, what we will do with it and what the individual can expect. It also advises on how to get a copy of any personal information we may hold. This is called a Subject Access Request (SAR).

2.2. The GDPR does not specify how to make a valid request. Therefore, an individual can make a subject access request verbally or in writing. It can also be made to any part of Knepp (including by social media) and does not have to be to a specific person or contact point. A request does not have to include the phrase ‘subject access request ‘or Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data.

2.3. Knepp must comply with a request without undue delay and at the latest within one month of receipt of the request or (if later) within one month of receipt of:

• any requested information to clarify the request;
• any information requested to confirm the requester’s identity;

Knepp should calculate the time limit from the day the request is received (whether it is a working day or not) until the corresponding calendar date in the next month.

2.4. Appendix A lists the actions to take upon receipt of a SAR.

3. Data Breaches

3.1. This protocol provides guidance when a data breach occurs.

3.2. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data. Personal data breaches can include:

• A hacker breaching a business’ data environment to steal financial details of customers;
• A system error resulting in customers being able to view the account details of other customers;
• The loss or theft of a ICT device i.e. laptop, smart phone, tablet or USB stick;
• A member of staff copying customer data onto a USB stick and disclosing the data to a third party;
• A disgruntled employee leaking Knepp data and information; and
• The disclosure of confidential Knepp data and information to an authorised third party company

3.3. The GDPR introduces a duty on all organisations to report certain types of personal data breach to the ICO. This must be done within 72 hours of becoming aware of the breach, where feasible.

3.4. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, Knepp must also inform those individuals without undue delay.

3.5. Knepp should ensure it has robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not the relevant supervisory authority and the affected individuals are notified.

APPENDIX A – Upon receipt of a subject access request

• MUST: On receipt of a subject access request it must be forwarded immediately to the Compliance Manager.
• MUST: The Compliance Manager must correctly identify whether a request has been made under the Data Protection legislation.
• MUST: A member of staff who receives a request to locate and supply personal data relating to a SAR must make a full exhaustive search of the records to which they have access.
• MUST: All the personal data that has been requested must be provided unless an exemption can be applied.
• MUST: Knepp must respond within one calendar month after accepting the request as valid.
• MUST: SARs must be undertaken free of charge to the requestor unless the legislation permits reasonable fees to be charged.
• MUST: Knepp managers must ensure that the staff they manage are aware of and follow this guidance.
• MUST: Where a request or is not satisfied with a response to a SAR, Knepp must manage this as a complaint.

Action to Take.

• Notify the Compliance Manager upon receipt of a request.
• Knepp must ensure a request is asking for sufficiently well-defined personal data held by Knepp relating to the data subject. The Compliance Manager should clarify with there questor what personal data they need.
• To establish identity the requestor must send at least two original identity documents with the application which (between them) proves name, date of birth and current address. For example, this could be a driving licence, birth/adoption certificate or passport to prove identity and a utility bill or official document no more than 3 monthsold to prove current address details.
• Depending on the degree to which personal data is organised and structured, the Compliance Manager will require Knepp employees to search emails (including archived emails and those that have been deleted but are still recoverable), Word documents,spreadsheets, databases, systems, paper records in relevant filing systems etc.
• The Compliance Manager must not withhold personal data because they believe it will be misunderstood; instead, they should provide an explanation with the personal data. The Compliance Manager must provide the personal data in an “intelligible form”, which includes giving an explanation of any codes, acronyms and complex terms. The personal data must be supplied in a permanent form except where the person agrees or where it is impossible or would involve undue effort. The Compliance Manager must redact any exempt personal data from the released documents and explain why that personal data is being withheld.
• The Compliance Manager will maintain a database allowing Knepp to report on the volume of requests and compliance against the statutory timescale.
• When responding to a complaint, Knepp must advise the complainant that they may complain to the ICO if they remain unhappy with the outcome.
• In addition to a copy of their personal data, Knepp also has to provide individuals with the following information:
  • the purposes of your processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient you disclose the personal data to;
  • your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it;
  • the existence of their right to request rectification, erasure or restriction or to object to such processing;
  • the right to lodge a complaint with the ICO or another supervisory authority;
  • information about the source of the data, where it was not obtained directly from the individual;
  • the existence of automated decision-making (including profiling); and o the safeguards you provide if you transfer personal data to a third country or international organisation.

APPENDIX B – if a personal data breach occurs

Action to take. 

• If a personal data breach has occurred, the details must be reported immediately to the Compliance Manager;
• When a personal data breach has occurred, the likelihood and severity of the resulting risk to people’s rights and freedoms needs to be established. If it’s likely that there will be a risk then Knepp must notify the ICO; if it’s unlikely then Knepp does not have to report it. The Compliance Manager must assess if the data breach is notifiable to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If this takes longer, reasons must be given for the delay;
• When reporting a breach to the ICO, the following must be provided:
  • a description of the nature of the personal data breach including, where possible;
  • the categories and approximate number of individuals concerned;
  • the categories and approximate number of personal data records concerned;
  • the name and contact details of the Estate Administrator;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
• Communication of a breach to affected individuals is required only where it is likely to result in a “high risk” to their rights and freedoms. The communication should be made without undue delay and should include at least:o the nature of the breach;o contact details;o a description of the likely consequences; and o the measures that the controller has taken, or plans to take, to address and mitigate the breach.
• The Compliance Manager will ensure that Knepp record all breaches, regardless of whether or not they need to be reported to the ICO. The Estate Administrator will investigate whether or not the breach was a result of human error or a systemic issue and see how a recurrence can be prevented –whether this is through better processes, further training or other corrective steps. The register should record:
  • the cause of the breach, what happened and what personal data was affected;
  • the effects and consequences;o the remedial action taken; and
  • who has been notified.