View Current

Data Subject Access Request (DSAR) Management Procedure

This is the current version of this document. You can provide feedback on this policy to the document author - refer to the Status and Details on the document's navigation bar.

Section 1 - Introduction

Purpose and Parent Policy

(1) This procedure outlines the steps involved in managing a Data Subject Access Request (DSAR) received by Hibernia College in order to fulfil the College’s obligation to provide individuals with access to data being held by the College pertaining to them. The parent policy is the Personal Data and Records Policy.

Responsibilities

Staff, Faculty and Adjunct Faculty Responsibilities 

(2) The Records and Data Manager will fulfil the role of Data Protection Officer in the management and implementation of the procedure. 

(3) The Records and Data Manager is responsible for ensuring that all DSARs are responded to within the required one-month period, or any necessary and notified extension period (as described below).

(4) Where applicable, all Staff, Faculty, Adjunct Faculty and students are responsible for engaging with and adhering to this procedure as required and within the defined time frame.

(5) Where Staff other than the Records and Data Manager receive a DSAR, they must inform the Records and Data Manager immediately and furnish a copy of the DSAR received.

Third-Party Processor

(6) All third-party processors are required to provide the necessary technical and operational assistance to enable the College to respond to a DSAR within the permitted time frame.

Top of Page

Section 2 - Procedure

Part A - Procedure for Managing a DSAR

Submitting an Application

(7) A data subject can make a request to obtain personal data held in relation to them by the College at any time.

(8) Applications must be made via email to the Records and Data Manager at dpo@hiberniacollege.net and must include a completed application form, available under the resources section of the Hibernia College Quality Framework, and official photographic identification, e.g. passport or driver's licence.

Receipt and Acknowledgment

(9) The Records and Data Manager will verify that the request has been made using the correct application form and is accompanied by photographic identification.

(10) The Records and Data Manager will send the data subject an acknowledgment email, normally within two working days. 

(11) Where the College holds a large quantity of information concerning the data subject, the College may request that the data subject specify the information or processing activities to which the request relates before the information is delivered. If the data subject refuses to clarify the request, the College must still respond to the request except where it is considered manifestly unfounded or excessive by the College. 

(12) Where a DSAR is considered manifestly unfounded or excessive by the College, having undertaken a detailed assessment, the College may refuse to act on the request in line with Article 12(5) of the GDPR. If this is the case, the College will inform the data subject of its decision. 

Time Frame for Delivering Request

(13) The College must respond to all DSARs within one month.

(14) The date of receipt of the DSAR is the beginning of the one-month period.

(15) Where a request is complex, or multiple requests are received from the same individual, the College can extend this time up to a further two months. 

(16) When an extension is sought, the data subject will be notified within the one-month period of this and will be informed of the expected time frame to complete the request and an explanation why the extension is necessary.

Notification of Departments

(17) The Records and Data Manager will contact any departments required to assist in the preparation of a response to the DSAR, without delay. This may include contacting:

  1. The Information Technology department to request a search of the College servers, and any relevant data archives, for any data pertaining to the request using the data subject’s name and any other appropriate identifier. 
  2. Any member of Staff, Faculty, Adjunct Faculty or students identified as relevant to the completion of the request to request any required information.
  3. Relevant Heads of Department:
    1. Advising them that a DSAR has been made pertaining to data held within their department
    2. Advising them of any specific members of their department whose assistance may be required
    3. Enquiring, to the best of the Head of Department’s knowledge, if there are any other relevant team members who can be of assistance with the request

Data Gathering and Collation of Data

(18) The Records and Data Manager will set up a secured location for any relevant person to submit requested information.

(19) All relevant persons are given a deadline of no more than two weeks to provide the requested data.

(20) The Records and Data Manager sends a reminder to all relevant persons one week before the deadline.

(21) Each department, or individual, is required to notify the Records and Data Manager of any anticipated delays or complications in delivering the data. 

(22) When all relevant data has been collected, it is formally recorded and categorised by the Records and Data Manager.

(23) Omissions and redactions may be applied by the Records and Data Manager to the information as necessary, e.g. to retain data privacy of other data subjects, to protect legally privileged information, intellectual property or commercially sensitive information. Where this occurs, the data subject will be notified of the reason for the omissions/redactions. 

Completion of Request

(24) When all data relevant to the request has been prepared, it is shared with the data subject using a secure electronic medium or another secure medium if explicitly requested.

(25) The Records and Data Manager will issue a response letter to the data subject accompanying the data. 

Records and Evaluation

(26) The Records and Data Manager retains central records of all subject DSARs.

(27) The Records and Data Manager conducts an annual review of all DSARs to: 

  1. Ensure the steps taken during each incident were appropriate and effective 
  2. Identify any areas for improvement

(28) The report is shared with the Executive Management Team.