What you need to know…
- Data Subject: the individual whose data is being held and processed
- Data Controller: determines the purposes and means of processing personal data
- Data Processor: is responsible for processing personal data on behalf of a controller
- More definitions are available from the JOIC.
There is stronger legal protection for sensitive information, also known as special category data, such as: race, ethnic background, political opinions, religious beliefs, trade union membership, genetics or biometrics (where used for identification), health, sex life or orientation, criminal record or alleged criminal activity.
Individuals have the right to:
- Be informed about how their data is being used.
- Access their personal data.
- Have incorrect data updated.
- Have data deleted (in certain circumstances).
- Limit or restrict the processing of their data (in certain circumstances).
- Data portability (allowing individuals to obtain and reuse their data for different services).
- Object to how their data is processed (in certain circumstances).
SUBJECT ACCESS REQUEST (SAR)
- Anyone can put in a SAR and there is no charge. It must be in writing.
- SARs must be responded to within four weeks. In complex cases, you may be able to apply for an extension.
- The individual should specify exactly what information or processing activities their request relates to. If not, seek clarification.
- If they request the SAR electronically, respond to them in a commonly used electronic form, unless the individual requests otherwise.
- If a company does not comply, they may be faced with a fine.
- Redact names where correspondence contains personal data relating to others.
What you need to do…
- Data protection principles apply wherever you work.
- Have a clear Data Protection policy in place and keep it refreshed.
- Train employees regularly on what is acceptable and any new updates.
- Don’t ignore SARs; action them immediately.
- Remember they apply when working remotely!