Code of practice 3 - Access to personal data by subjects
1.1 This Code of Practice, drawn up in association with the College's Data Protection Policy, relates to the access by individuals (data subjects) to data relating to themselves. The Code provides procedures for past and present staff and students of the College and other third parties to access the personal data held on them in College systems in whatever medium that data is held, and for dealing with requests for such subject access.
2. Access to personal information
2.1 The College respects the right of individuals regarding Article 15, Right of Access (also known as subject access rights or SAR) to obtain the following:
· confirmation of whether, and where, the College is processing their personal data;
· information about the purposes of the processing;
· information about the categories of data being processed;
· information about the categories of recipients with whom the data may be shared;
· information about the period for which the data will be stored (or the criteria used to determine that period);
· information about the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing;
· information about the existence of the right to complain to the Information Commissioner;
· where the data were not collected from the data subject, information as to the source of the data; and
· information about the existence of, and an explanation of the logic involved in, any automated processing that has a significant effect on data subjects.
Additionally, the College respects the right of data subjects to request a copy of the personal data being processed.
2.2 In certain circumstances, an exemption to the GDPR requirement to grant access to personal data might apply. Such exemptions include:
- where disclosure would simultaneously disclose data about another person (unless that person consents to the disclosure);
- third party references and examination marks (see paragraphs 3 and 4 below for further information).
2.3 Any data subject wishing to gain access to personal data held about them may do so by submitting a request to the Central Secretariat Executive Officers via email@example.com (requests received by other areas of the College will need to be forwarded immediately to the Central Secretariat Executive Officers). The College may also require proof of identity to ensure the individual making the request is the individual to whom the personal data pertains. Where a request is submitted on behalf of another individual (such as by an individual’s legal representative), signed authorisation will be required from the data subject. Individuals requiring access to their personal data are invited to submit a copy of the College’s standard request form (Subject Access Requests). It is not a requirement that the College’s standard form is completed, but it is helpful if individuals requesting access to their personal data use the form provided. The College aims to comply with requests for access to personal data as quickly as possible, but will ensure that it is provided within one month of receipt of the application form. Where the College receives especially complex requests, the time limit may be extended by a maximum of two further months.
2.4 Subject access requests submitted to the College are processed by the College’s Central Secretariat Executive Officers in liaison with College departments and/or staff members (as is appropriate in each case).
3. Confidential references
3.1 References issued by or on behalf of the College
Confidential references issued by the College or an individual member of it in the performance of College duties are exempt from subject access where these references relate to:
- education, training or employment of the data subject;
- appointment of the data subject to any office;
- provision by the data subject of any service.
3.2 References received by the College
3.2.1 Confidential references received by the College are exempt from the right of access by the data subject to whom they refer provided that such references have been written “In Confidence” and clearly state this. However, it may not be possible to rely on this exemption from disclosure to the data subject in all circumstances, and the College may decide in any event that it is reasonable to disclose the reference (possibly after anonymising it, e.g. to remove the identity of the referee, or where the referee has given his/her consent).
3.2.2 Where, in response to a subject access request, the College declines to disclose a reference received in confidence from a referee, it will supply clear reasons in writing for doing so. Members of the College may not refuse to disclose references received in confidence from referees without providing, in writing, the reasons for the refusal.
4.1 In accordance with the GDPR, information recorded on their scripts by students during an examination is exempt from subject access. However, students are entitled to information about their marks for both coursework and examinations. In accordance with the GDPR, this will be made available either 5 months from the day on which the Central Secretariat Officers received the request and any fee which may apply, or one month from the announcement of the examination results. The College, however, reserves the right to withhold certificates, accreditation or references in the event that the full course fees have not been paid, or all books and equipment returned to the College.
4.2 A data subject has a right to request a copy or summary "in an intelligible form" of any comments made on an examination script by an examiner, within the same periods as laid down for access to examination marks.
4.3 A data subject has a right of access to those parts of Minutes of Examination Boards or special circumstance committees which contain discussion about themselves where they are named or referred to by identifiers from which the candidate may be identified, unless the data cannot be disclosed without additionally disclosing personal data about a third party.