(1) This (2) The Data Protection Officer (DPO) is responsible for the management and implementation of the (3) The Data Protection Officer is responsible for ensuring that all DSARs are responded to within the required one-month period, or any necessary and notified extension period (as described below). (4) Where applicable, all Staff, Faculty, Adjunct Faculty and students are responsible for engaging with and adhering to this (5) Where Staff other than the Data Protection Officer receive a DSAR, they must inform the Data Protection Officer immediately and furnish a copy of the DSAR received. (6) All third-party processors are required to provide the necessary technical and operational assistance to enable the College to respond to a DSAR within the permitted time frame. (7) A data subject can make a request to obtain personal data held in relation to them by the College at any time. (8) Applications may be made via email to the Data Protection Officer at dpo@hiberniacollege.net and must include a completed application form, available under the resources section of the Hibernia College Quality Framework, and official photographic identification, e.g. passport or driver's licence. (9) The Data Protection Officer will verify that the request has been made using the correct application form and is accompanied by photographic identification. (10) The Data Protection Officer will send the data subject an acknowledgment email, normally within two working days. (11) Where the College holds a large quantity of information concerning the data subject, the College may request that the data subject specify the information or processing activities to which the request relates before the information is delivered. If the data subject refuses to clarify the request, the College must still respond to the request except where it is considered manifestly unfounded or excessive by the College. (12) Where a DSAR is considered manifestly unfounded or excessive by the College, having undertaken a detailed assessment, the College may refuse to act on the request in line with Article 12(5) of the GDPR. If this is the case, the College will inform the data subject of its decision. (13) The College must respond to all DSARs within one month. (14) The date of receipt of the DSAR is the beginning of the one-month period. (15) Where a request is complex, or multiple requests are received from the same individual, the College can extend this time up to a further two months. (16) When an extension is sought, the data subject will be notified within the one-month period of this and will be informed of the expected time frame to complete the request and an explanation why the extension is necessary. (17) The Data Protection Officer will contact any departments required to assist in the preparation of a response to the DSAR, without delay. This may include contacting: (18) The Data Protection Officer will set up a secured location for any relevant person to submit requested information. (19) All relevant persons are given a deadline of no more than two weeks to provide the requested data. (20) The Data Protection Officer sends a reminder to all relevant persons one week before the deadline. (21) Each department, or individual, is required to notify the Data Protection Officer of any anticipated delays or complications in delivering the data. (22) When all relevant data has been collected, it is formally recorded and categorised by the Data Protection Officer. (23) Omissions and redactions may be applied by the Data Protection Officer to the information as necessary, e.g. to retain data privacy of other data subjects, to protect legally privileged information, intellectual property or commercially sensitive information. Where this occurs, the data subject will be notified of the reason for the omissions/redactions. (24) When all data relevant to the request has been prepared, it is shared with the data subject using a secure electronic medium or another secure medium if explicitly requested. (25) The Data Protection Officer will issue a response letter to the data subject accompanying the data (26) The Data Protection Officer retains central records of all subject DSARs. (27) The Data Protection Officer conducts an annual review of all DSARs to: (28) The report is shared with the Executive Management Team.Data Subject Access Request (DSAR) Management Procedure
Section 1 - Introduction
Purpose and Parent Policy
Responsibilities
Staff, Faculty and Adjunct Faculty Responsibilities
Third-Party Processor
Section 2 - Procedure
Part A - Procedure for Managing a DSAR
Submitting an Application
Receipt and Acknowledgment
Time Frame for Delivering Request
Notification of Departments
Data Gathering and Collation of Data
Completion of Request
Records and Evaluation
View Current
This is the current version of this document. To view historic versions, click the link in the document's navigation bar.