(1) This (2) The Records and Data Manager will fulfil the role of Data Protection Officer in the management and implementation of the procedure. (3) The Records and Data Manager is responsible for ensuring that all DSARs are responded to within the required one-month period, or any necessary and notified extension period (as described below). (4) Where applicable, all Staff, Faculty, Adjunct Faculty and students are responsible for engaging with and adhering to this procedure as required and within the defined time frame. (5) Where Staff other than the Records and Data Manager receive a DSAR, they must inform the Records and Data Manager immediately and furnish a copy of the DSAR received. (6) All third-party processors are required to provide the necessary technical and operational assistance to enable the College to respond to a DSAR within the permitted time frame. (7) A data subject can make a request to obtain personal data held in relation to them by the College at any time. (8) Applications must be made via email to the Records and Data Manager at dpo@hiberniacollege.net and must include a completed application form, available under the resources section of the Hibernia College Quality Framework, and official photographic identification, e.g. passport or driver's licence. (9) The Records and Data Manager will verify that the request has been made using the correct application form and is accompanied by photographic identification. (10) The Records and Data Manager will send the data subject an acknowledgment email, normally within two working days. (11) Where the College holds a large quantity of information concerning the data subject, the College may request that the data subject specify the information or processing activities to which the request relates before the information is delivered. If the data subject refuses to clarify the request, the College must still respond to the request except where it is considered manifestly unfounded or excessive by the College. (12) Where a DSAR is considered manifestly unfounded or excessive by the College, having undertaken a detailed assessment, the College may refuse to act on the request in line with Article 12(5) of the GDPR. If this is the case, the College will inform the data subject of its decision. (13) The College must respond to all DSARs within one month. (14) The date of receipt of the DSAR is the beginning of the one-month period. (15) Where a request is complex, or multiple requests are received from the same individual, the College can extend this time up to a further two months. (16) When an extension is sought, the data subject will be notified within the one-month period of this and will be informed of the expected time frame to complete the request and an explanation why the extension is necessary. (17) The Records and Data Manager will contact any departments required to assist in the preparation of a response to the DSAR, without delay. This may include contacting: (18) The Records and Data Manager will set up a secured location for any relevant person to submit requested information. (19) All relevant persons are given a deadline of no more than two weeks to provide the requested data. (20) The Records and Data Manager sends a reminder to all relevant persons one week before the deadline. (21) Each department, or individual, is required to notify the Records and Data Manager of any anticipated delays or complications in delivering the data. (22) When all relevant data has been collected, it is formally recorded and categorised by the Records and Data Manager. (23) Omissions and redactions may be applied by the Records and Data Manager to the information as necessary, e.g. to retain data privacy of other data subjects, to protect legally privileged information, intellectual property or commercially sensitive information. Where this occurs, the data subject will be notified of the reason for the omissions/redactions. (24) When all data relevant to the request has been prepared, it is shared with the data subject using a secure electronic medium or another secure medium if explicitly requested. (25) The Records and Data Manager will issue a response letter to the data subject accompanying the data. (26) The Records and Data Manager retains central records of all subject DSARs. (27) The Records and Data Manager conducts an annual review of all DSARs to: (28) The report is shared with the Executive Management Team.Data Subject Access Request (DSAR) Management Procedure
Section 1 - Introduction
Purpose and Parent Policy
Responsibilities
Staff, Faculty and Adjunct Faculty Responsibilities
Third-Party Processor
Section 2 - Procedure
Part A - Procedure for Managing a DSAR
Submitting an Application
Receipt and Acknowledgment
Time Frame for Delivering Request
Notification of Departments
Data Gathering and Collation of Data
Completion of Request
Records and Evaluation
View Current
This is not a current document. To view the current version, click the link in the document's navigation bar.
