The Data Protection Act 2018 (DPA) and the UK General Data Protection Regulations (UK GDPR) give individuals rights of access to their personal data held by the Office of the Police and Crime Commissioner (OPCC). Subject access is a fundamental right for individuals.
However, it is also an opportunity to maximise the quality of personal data held and to provide excellent customer service. The information provided to the public, and the timeliness of responses, is reflective and representative of the OPCC. If the OPCC does not meet its obligations, individuals can complain to the Information Commissioner’s Office (ICO); not only does this result in dissatisfaction, but it can cause reputational damage, and lead to the issuing of fines.
This policy explains how the OPCC will fulfil its obligations under the DPA and UK GDPR.
This policy applies to all OPCC staff and volunteers and outlines how an individual can make a request under the DPA and how it will be processed.
Requests relating to the records of people who are deceased are not within scope of this policy as the DPA only applies to the data of living individuals. Such requests will be treated as requests for access to information under the Freedom of Information Act (FoIA) or as miscellaneous requests, depending on the nature of the data and the reason the data is being requested.
Chief Executive
· The Chief Executive is accountable for having policies and procedures in place to support best practice, effective management, service delivery, management of associated risks and meet national legislation and/or requirements in relation to and including the DPA and UK GDPR.
· Holds overall responsibility for compliance with the DPA and for implementing records management within the OPCC.

Head of Policy Coordination & Research
· Has delegated responsibility for compliance with the DPA and for implementing records management within the OPCC.
· Oversees all individual rights requests and reviews draft responses.
· Line manages the Office & Data Protection Manager.

Office & Data Protection Manager
· Responsible for processing all individual rights requests and implementing records management policies.
· Performs role of Data Protection Officer and acts as a point of contact for data subjects, partners and the supervisory authority.
· Monitors internal compliance and provides advice and training on data protection obligations.
· Responsible for drafting responses to individual rights requests.

Staff/Volunteers
Must:
· understand their duty of care to ensure the confidentiality of all personal data;
· undertake appropriate training;
· understand this policy and where to direct individuals enquiring about their rights.
The rights of data subjects under which individuals may make requests include the following:
The right to obtain confirmation as to whether personal data concerning the person is being processed, and, where that is the case, request access to the personal data.
The right to the rectification of inaccurate or incomplete personal data.
The right to the erasure of personal data. Sometimes known as the ‘right to be forgotten’.
The right to restrict the processing of personal data.
The right to receive a copy of personal data in a structured, commonly used and machine-readable format, also to request these data are transmitted to another controller directly.
The right to object to processing of personal data.
In addition to the above, data subjects also have the right to be informed, which the OPCC fulfils by providing a weblink to its Privacy Notice in all communications with individuals.
All the rights listed above are qualified rights, meaning there are exceptions to when they must be applied. The OPCC will always acknowledge a request has been made, but there may be legal grounds for not complying with it.
Key Points:
Individual rights requests are free of charge. However, if the OPCC considers that a request is ‘manifestly unfounded’ or ‘manifestly excessive’ (repeated) it can:
A reasonable fee should be based on the administrative costs of complying with the request. The OPCC will need to document and justify the decision and let the requestor know as soon as possible. It does not need to comply with the request until the fee has been received.
Where an exemption applies, the OPCC may refuse to provide all or some of the requested information, depending on the circumstances.
If the OPCC refuses to deal with a request it will explain the reasons why, advise the individual of their right to make a complaint to the ICO and their ability to seek to enforce the right through a judicial remedy.
Exemptions to the individual rights (as provided by the DPA and UK GDPR) will be applied by the OPCC where required.
Whether or not the OPCC can rely on an exemption depends on the purpose for which it is processing the personal data.
Under data protection legislation the OPCC has one calendar month to respond to any request but will respond as quickly as possible.
The OPCC will calculate the time limit from the day it receives the request (whether it is a working day or not) until the corresponding calendar date of the next month (or next working day if it is a weekend or bank holiday).
If the OPCC needs something from the requestor to be able to deal with their request (e.g. ID documents), the time limit will commence once received.
Extending the response time
The OPCC can extend the time to respond by a further two calendar months if the request is complex or a number of requests have been received from an individual. The OPCC will let the individual know without undue delay and within one month of receiving their request and explain why the extension is necessary.
However, it is the ICO’s view that it is unlikely to be reasonable to extend the time limit if:
The OPCC will seek to respond to an individual rights request, subject to the application of any exemptions under the DPA or UK GDPR. The OPCC will also endeavour to provide the information in the preferred format requested.
The OPCC will always require appropriate valid ID documents when processing an individual rights request. Whilst it is acknowledged that the ICO guidance advises it may not be necessary on every occasion, the current OPCC document tracking system does not facilitate alternative verification methods and this approach is intended to protect all personal data held and minimise the risk of inappropriate release.
Where ID documents are not submitted with the initial request, or the OPCC needs additional information to confirm an individual’s identity, it will let them know without undue delay. The OPCC does not need to comply with the request until the relevant documents/information have been received.
The OPCC will not retain copies of any ID documents, but will record what documents were provided, the date they were verified and the details of who verified them.
If the OPCC is not able to action the request:
· the reasons it is not taking action;
· the right to make a complaint to the ICO;
· the ability to seek to enforce a right through a judicial remedy

If the OPCC is able to action the request dependent on further information:
· that it is requesting a reasonable fee; or
· that it needs ID documents/additional information to verify their identity

If the OPCC is actioning the request:
· respond to the request; or
· notify that it needs to extend the response time (up to a further two months)
Any personal data in relation to an individual, no matter what format, where or how it is stored by the OPCC could fall into the scope of an individual rights request.
All staff/volunteers should be aware that if they write it, they are ultimately responsible for it, and it could potentially be something that ends up being disclosed to an applicant.
On a monthly basis, the Chief Executive will meet with the Office & Data Protection Manager and Head of Policy Coordination & Research to review OPCC compliance with the DPA and UK GDPR. The meeting will focus on the timeliness of responses and requests in progress or outstanding, with the provision of data facilitating discussion and where appropriate, further action.
Staff requiring training | Frequency of training | Length of training | Delivery method | Training delivered by whom | Where are records held?
All & volunteers | Upon commencement of employment & annually thereafter | 1 hour | Face to face | Office & Data Protection Manager | OPCC HR Records; OPCC Training Record Status List
All | Upon commencement of employment & as specified thereafter | 1 hour | Online (Mandatory training) | Kent Police | OPCC HR Records; OPCC Training Record Status List
Upon completion of mandatory online training, staff must provide a copy of the certificate to the Office & Data Protection Manager so that their training record can be updated and for filing purposes.
The Chief Executive will occasionally review the OPCC Training Record Status List to ensure all staff/volunteers are completing the necessary training.
Policy owner: Chief Executive
Contact point: Head of Policy Co-ordination & Research
Publication date: 01/08/2023
Review date: 01/08/2025
The right of access, commonly referred to as subject access, gives individuals the right to obtain the following:
It helps individuals to understand how and why the OPCC is using their data, and check it is doing so lawfully.
Valid requests
It is the responsibility of all OPCC staff/volunteers to appropriately recognise a request as one for personal data (i.e. information relating to the individual). Failing to recognise a SAR is not an excuse for non-response and the OPCC will still fall foul of the DPA should a response not be provided in a prompt and appropriate manner.
Process on receipt
All SARs must be sent to Correspondence for logging and an acknowledgement sent without undue delay. Correspondence will forward to the Office & Data Protection Manager for processing and copy to the Chief Executive, Head of Policy Coordination & Research, Head of Standards & Regulation and Communications Manager.
The OPCC will comply with a SAR without undue delay and at the latest within one month of receipt of the request or within one month of receipt of:
The time limit is from the day the OPCC receives the request, fee or other requested information (whether it is a working day or not) until the corresponding calendar date in the next month. If the corresponding date falls on a weekend or a public holiday, the OPCC has until the next working day to respond.
Verifying identities / permissions
To avoid personal data about one individual being sent to another, either accidentally or as a result of deception, the OPCC needs to be satisfied that:
The OPCC will always require appropriate valid ID documents and the period for responding to the request will only begin once received.
Forms of ID which are acceptable:
Type of Applicant | Type of Evidence – copies of

An individual applying for their own records
Two documents which prove identity and between them show name and address, e.g.
· valid passport;
· valid driving licence;
· birth/adoption certificate;
· utility bill (less than 3 months old)

Someone applying on behalf of another individual – over the age of 12
· One document which proves the person’s identity AND
· Two documents which prove the representative’s identity and between them show name and address

Someone applying on behalf of another individual – under the age of 12
· One document which proves the person’s identity AND
· Two documents which prove the representative’s identity and between them show name and address PLUS
· Proof of Parental Responsibility: Full Birth Certificate or Court Order appointing Parental Responsibility, Adoption Order, etc.

Power of Attorney/Agent applying on behalf of an individual
· One document which proves the person’s identity AND
· One document which proves the representative’s identity PLUS
· Power of Attorney
Requests received from representatives or third parties
The DPA does not prevent an individual making a valid request via a third party. Often, this will be a solicitor acting on behalf of a client, but it could simply be that an individual feels comfortable allowing someone else to act on their behalf.
In these cases, the OPCC must be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. For example, by providing a written authority, signed by the individual, stating that they give the third party permission to make a SAR on their behalf.
If there is no evidence that a third party is authorised to act on behalf of an individual, the OPCC will not process the SAR but will provide an explanatory response.
Fees
Under the DPA, in most cases a fee cannot be charged. However, where the request is manifestly unfounded or excessive the OPCC may:
The OPCC can also charge a reasonable fee if an individual requests further copies of their data following a request. The fee must be based on the administrative costs of providing further copies.
Clarification of requests
If a request is received but more information is required for clarification purposes, this will be requested without undue delay. The OPCC will only seek clarification where it is genuinely required in order to respond to the SAR, and it is processing a large amount of information about the individual. The period for responding to the request begins once the additional information is received.
However, if an individual refuses to provide any additional information, the OPCC will still endeavour to comply with the request (i.e. by making reasonable searches for the personal data covered by the request).
Requests involving information about other individuals
Right to access/subject access only gives an individual the right, which is itself subject to exemptions, to their own personal data and not the personal data of a third party.
The OPCC reserves the right not to comply with a SAR, if doing so means disclosing information which identifies another individual, except where:
Where possible, the OPCC will consider whether the request can be complied with without disclosing information that identifies another individual.
Locating the personal data requested
The OPCC will make reasonable efforts to find and retrieve the personal data. However, the OPCC is not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information.
Searches will not be limited to “live” files but will cover all information held by the OPCC, regardless of the format it is in or where it is stored. Closed files and archived information will also be considered as part of a request.
In practice, the Office & Data Protection Manager will be responsible for ensuring all reasonable efforts are made to identify and retrieve the personal data. They will coordinate activity across the OPCC and where appropriate liaise with staff/volunteers directly, specifying a response timeframe. All staff/volunteers will respond promptly and within the specified timeframe.
The OPCC does not record telephone conversations or retain voicemail recordings.
Exemptions
The DPA and UK GDPR recognise that, in certain circumstances, there may be a legitimate reason for not complying with a SAR, so there are a number of exemptions from the right of access.
Where an exemption applies to the facts of a particular request, the OPCC may refuse to provide all or some of the requested information, depending on the circumstances.
Not all exemptions apply in the same way. The OPCC will look at each exemption carefully to see how it applies to a particular SAR. Some exemptions apply because of the nature of the personal data in question; others apply because disclosure of the information is likely to prejudice the purpose of processing personal data.
Exemptions will not routinely be relied upon or applied in a blanket fashion. The OPCC will consider each exemption on a case-by-case basis and in line with the accountability principle, justify and document the reasons for relying on an exemption.
Review
Prior to a response being sent to the individual, the Head of Policy Coordination & Research (or a member of the Senior Management Team) will review and approve a draft. This acts as a double check of the content and where appropriate, ensures any third party data has been removed or redacted.
Third party data sent in error to the wrong person constitutes a data breach under the DPA and can have serious consequences for the OPCC.
Responding to a SAR
Right to access/subject access does not give an individual the right to copies of documents containing their personal data. Its purpose is to verify the lawfulness of the processing being carried out by the OPCC, and it is therefore applicable only to the personal data within documents.
When responding to a request, the OPCC will endeavour to provide the information in the preferred format requested.
Response type | Process

Where the OPCC requires further information
· The request will be sent by email or post

Where no personal data is held / Where personal data is held
· By email: the response will be password protected and confirmation of identity required prior to sending password.
· By post: the response will be sent in accordance with sensitive and classified information protocols (i.e. double enveloped, data protection disclaimer, special delivery etc.)
Appealing a decision to refuse disclosure of personal information
If the OPCC refuses to disclose personal data in response to a SAR, the individual may appeal the initial decision.
Once an appeal has been received the individual will receive an acknowledgment and the request and response will be considered by the Chief Executive. The individual will be notified of the outcome as soon as possible; all appeals will be concluded within 20 working days.
If an individual's appeal is successful, they will receive the personal data requested as soon as possible. If the appeal is unsuccessful the OPCC will provide an explanation of the findings and supply information on how to take the matter further.
Complaining to the Information Commissioner’s Office (ICO)
The ICO is the UK's independent body set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals, ruling on complaints and taking appropriate action when the law is broken.
The ICO is responsible for ensuring compliance with the DPA and Data Protection in practice for all organisations in England, Scotland, Northern Ireland and Wales.
If an individual remains dissatisfied with the OPCC’s decision, they have the right to submit a complaint to the Information Commissioner.
The ICO address is as follows:
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire
SK9 5AF
Alternatively, guidance on how to complain can be found on their website.