Subject Access Request – Policy & Procedure
All personal data processed by Blackwell’s is within the scope of this procedure.
Data subjects are entitled to:
- Confirmation as to whether Blackwell’s is processing any personal data about that individual;
- Access to their personal data;
- Any related information;
- Deletion of any held data;
- The Data Protection Officer / GDPR Representative is responsible for the application and effective working of this procedure, and for reporting to the information owners, the Blackwell’s Directors and Blackwell’s CEO on Subject Access Requests (SARs).
- The Data Protection Officer / GDPR Representative is responsible for handling all SARs. If a Subject Access request is made by either an employee or customer this should be sent to GDPR@Blackwell.co.uk.
- Subject Access Requests are made using the Subject Access Request Form. The form can be found on the Frequently Asked Questions section of the Blackwell’s website under Subject Access Request Form. Blackwell’s employees can also find the form on the Blackwell’s intranet page in Sales and Operations, Sales and Shop Operations Documents, GDPR and Data Protection, Subject Access Request Form. This policy will also be available in the same location.
- The data subject provides Blackwell’s with evidence of their identity, in the form of a current passport/driving license, and the signature on the identity must be cross-checked to that on the application form.
- The data subject can specify to Blackwell’s specific data held by Blackwell’s on their subject access request (SAR). The data subject can also request all data held on them.
- The Blackwell’s Data Protection Officer records the date that the identification checks were conducted and the specification of the data sought.
- Once the subjects’ identity has been confirmed, the Data Protection Officer / GDPR Representative, who will make every reasonable endeavor so that the requested data is collected within the specified time frame of 28 days. If this is not possible for any reason the Data Protection Officer will inform the subject and contact the ICO immediately to ask for an extension of the time period.
- Collecting the data specified by the data subject, or
- Searching all databases and all relevant filing systems (manual files) in Blackwell’s, including all back up and archived files (computerised or manual) and all email folders and archives. The Data Protection Officer / GDPR Representative maintains a data map that identifies where all data in Blackwell’s is stored.
- The Data Protection Officer / GDPR Representative maintains a record of requests for data and of its receipt, including dates.
- The Data Protection Officer / GDPR Representative reviews subject access requests from a child. Before responding to a SAR of the child data subject the Data Protection Officer / GDPR Representative considers their ability to making the request by adequately explaining any implications of sharing their personal data.
- The Data Protection Officer / GDPR Representative reviews all documents that have been provided to identify whether any third parties are present in it, and either removes the identifying third party information from the documentation or obtains written consent from the third party for their identity to be revealed.
- If any of the requested data is being held or processed under one of the following exemptions, it does not have to be provided:
- National security
- Crime and taxation
- Social Work
- Regulatory activity
- Journalism, literature and art
- Research history, and statistics
- Publicly available information
- Corporate finance
- Examination marks
- Examinations scripts
- Domestic processing
- Confidential references
- Judicial appointments, honours and dignities
- Crown of ministerial appointments
- Management forecasts
- Legal advice and proceedings
- Human fertilization and embryology
- Adoption records
- Special educational needs
- Parental records and reports
- In the event that a data subject requestsBlackwell‘sto provide them with the personal data stored by the controller/processor, then the Blackwell’s Data Protection Officer will provide the data subject with the requested information in electronic format, unless otherwise specified. All of the items provided to the data subject are listed on a documentthat shows the data subject’s name and the date on which the information is delivered to the data subject.
- In the event that a data subject requests what personal data is being processed then the Blackwell’s Data Protection Officer will provide the data subject with the following information:
- Purpose of the processing
- Categories of personal data
- Recipient(s) of the information, including recipients in third countries or international organisations
- How long the personal data will be stored
- The data subject’s right to request rectification or erasure, restriction or objection, relative to their personal data being processed.
- The Blackwell’s Data Protection Officer removes personal data from systems and processing operations as soon as a request for erasure has been submitted by the data subject.
- The Blackwell’s Data Protection Officer contacts and communicates with other organisations, where the personal data of the data subject is being processed, to cease processing information at the request of the data subject.
- Information on how to lodge a complaint with the supervisory authority and a method to do so (Complaints Procedure) if requested by the subject.
- Information on the source of the personal data if it hasn’t been collected from the data subject.
- Information on and where personal data has been transferred and information on any safeguards in place.
- Blackwell‘suses the following electronic formats to respond to SARs:
- PDF document
- Microsoft Word
- Microsoft Excel
- Blackwell’s will make reasonable endeavors to provide the data in the format requested by the subject
Document Owner and Approval
A current version of this document is available to the public on the Frequently Asked Questions section of the Blackwell’s website, under Subject Access Requests, and to all members of staff on the Blackwell’s intranet. The document can be found on the intranet under Sales and Shop Operations, Sales & Shop Operations Documents, Subject Access Requests.
This procedure was approved by the Chief Executive Officer (CEO) David Prescott on 14/05/2018.
Change History Record
Description of Change
Date of Issue
Paul Bird (DPO)