Luminas Data Subject Rights Policy
1.0 Overview
The Data Protection Act 2018 (DPA) and the UK GDPR provide individuals with rights in connection with personal data held about them. They provide those individuals with a right of access to that data, subject to the rights of third parties and the satisfaction of a number of criteria.
This procedure defines the process to be followed when a request for access to personal data is received.
2.0 Responsibilities and Definitions
Data Controller is the person or organisation who determines the purposes for which and the manner in which any personal data are, or are to be, processed. In our case Luminas is the registered Data Controller.
Data Processors are any individual, company or other body which processes personal data in any form on behalf of Luminas, and which is therefore subject to the requirements of this policy. Compliance with this policy is normally managed by contract.
Data Protection Legislation means all applicable data protection and privacy laws including, but not limited to, the DPA 18 and UK GDPR, and any applicable national laws, regulations, and secondary legislation in England and Wales concerning the processing of personal data or the privacy of electronic communications, as amended, replaced, or updated from time to time.
Data Subject is a living, identified, or identifiable individual about whom the Company holds personal data.
Personal Data is any information relating to a data subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that data subject.
Processing is any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Special Category Data is personal data that needs more protection because it is sensitive. UK data protection legislation defines special category data as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual life, sexual orientation, biometric, or genetic data.
3.0 Scope of Policy
3.1
Luminas’ Operations Manager is responsible for administering this Policy; for developing and implementing any applicable related policies (including those referred to in this Policy), procedures, and/or guidelines; for ensuring that all data subject access requests are handled in accordance with the Data Protection Legislation; and for ensuring that all employees, agents, contractors, or other parties working on behalf of the Company have an understanding of the Data Protection Legislation and their obligations under it as it applies to their job role(s).
3.2
Luminas collects, holds, and processes personal data about staff, contractors, suppliers, business contacts and clients and the organisation is a ‘data controller’ for the purposes of the Data Protection Legislation. As Luminas also processes personal data on behalf of other organisations, it may also be a ‘data processor’ for the purposes of the Data Protection Legislation.
3.3
Data subjects, including participants, employees, etc., have rights with respect to their personal data under the Data Protection Legislation. This Policy deals specifically with the right of access (Article 15 of the GDPR). Data subjects have the right to find out whether Luminas collects, holds, or processes personal data about them, the right to obtain a copy of any such data, and certain other supplementary information. The right of access is designed to help data subjects to understand how and why we use their data, and to check that we are doing so lawfully.
3.4
This Policy is an internal company policy designed to provide guidance on handling data subject access requests. Any questions relating to this Policy, Luminas’s collection, processing, or holding of personal data, or to the Data Protection Legislation should be referred to the Compliance Manager.
4.0 Recognising a Subject Access Request
4.1
The Data Protection Legislation does not set out a particular format which a data subject access request (hereafter “SAR”) must follow. A SAR may be made orally or in writing, to any part of Luminas, and by any means of communication. A SAR does not need to use the words ‘subject access request’, ‘data protection’, ‘personal data’ or similar terms, or refer to Article 15 of the GDPR. This means that anyone in Luminas could receive a SAR and it may not be immediately obvious that a SAR has been received.
4.2
Data subjects are under no obligation to use any particular format and care must be taken at all times to identify SARs made in other ways. SARs may instead use more general terminology, using terms such as ‘information’ rather than ‘personal data’. For example, a message sent via social media such as ‘please provide details of all the information you have about me’ will be a valid SAR and must be treated in the same way as a more formal communication which refers specifically to a ‘subject access request’ and data subjects’ rights under the GDPR.
4.3
Individuals may make SARs on their own behalf. It is also possible to make a SAR via a third party, such as a solicitor making a request on behalf of a client, or a private individual making the request on behalf of another, e.g., a carer on behalf of a vulnerable participant. This is permissible, but there is an obligation to be satisfied that any individual making a request has the authority to act on behalf of the data subject concerned.
4.4
In certain limited cases, an individual may not have the mental capacity to manage their own affairs. In these cases, the Mental Capacity Act 2005 enables a third party to make a SAR on behalf of that individual. Adults, such as parents or guardians, may also make SARs on behalf of children. The right of access itself, however, remains the child’s right. When dealing with a SAR about a child it is important to consider whether that child is mature enough to understand their rights. If so, a response directly to the child should be considered. It may, however, be permissible to allow the adult to exercise the child’s right on the child’s behalf if the child has given their authorisation, or if it is evident that doing so is in the child’s best interests.
4.5
When a SAR is identified, or if a communication or request is received that may be a SAR, it should be immediately forwarded to Luminas’s Compliance Manager, or to your line manager.
5.0 Procedure
5.1
Luminas has a limited timeframe within which to respond to a SAR, so it is important to act quickly.
5.2
Unless you are authorised to handle a SAR, it must be forwarded to the Operations Manager or to your line manager immediately. Please do not take any further action with respect to any SAR unless you are authorised to do so.
5.3
Luminas’s Operations Manager should respond to you, confirming receipt of the SAR, within two business days of you sending it. If you do not receive a response, contact them again to confirm receipt.
5.4 Receipt of Subject Access Request
5.4.1 Identifying and clarifying requests
5.4.1.1
Before responding to a SAR, all reasonable steps must be taken to verify the identity of the individual making the request and to clarify their request (i.e., to specify the personal data or processing to which their SAR relates). Information requested for such purposes must be reasonable and proportionate. Individuals must not be asked to provide any more information than is reasonably necessary.
5.4.1.2
If additional information is required to confirm an individual’s identity, the individual must be informed as soon as possible. If additional information is required, the time limit for responding to a SAR does not begin until that information is received.
5.4.1.3
If additional information is required to respond to the SAR, the individual must be informed as soon as possible. Note, however, that if additional information is required, the time limit for responding to a SAR is not affected and a response must still be given within one month of receipt of the SAR (subject to the possible extensions to the time limit).
5.4.1.4
If a SAR is made by a third party on behalf of a data subject, the individual acting on behalf of the data subject must be required to provide sufficient evidence that they are authorised to act on the data subject’s behalf.
5.4.1.5
The information we can ask for should be sufficient to judge whether the requester (or the person the request is made on behalf of) is the person that the data is about. The key point is that it must be reasonable and proportionate. If the requester’s identity is obvious no further information is required. This is particularly the case if we have an ongoing relationship with the individual e.g., a staff member.
5.4.1.6
If, having requested additional information to verify an individual’s identity, it is still not possible to do so (if, for example, the individual does not comply), then Luminas may refuse to comply with a SAR.
5.4.1.7
If, having requested additional information to clarify a SAR, the individual does not comply, Luminas must still endeavour to comply with the SAR by making reasonable searches for the personal data relating to the request.
5.4.1.8
Luminas does not retain personal data for the sole purpose of being able to respond to a potential SAR.
5.4.1.9
Luminas does not charge a fee for processing a SAR.
5.4.2 Time Limits
5.4.2.1
Under normal circumstances, Luminas must respond to a SAR within one calendar month of receipt of the SAR or, where identity verification is required, within one month of receipt of any information requested to confirm the requester’s identity.
5.4.2.2
If Luminas processes a large amount of information about an individual, we may ask them to specify the information or processing activities their request relates to before responding to the request. The time limit for responding to the request is paused until clarification is received. This is referred to as ‘stopping the clock’.
5.4.3 Responding to a Subject Access Request
5.4.3.1
The UK legislation places a high expectation on Luminas to provide information in response to SARs. This will include physical records as well as digital records, including, for example, recordings of groups. It also includes any data held in other locations and/or held by subcontractors. When fulfilling a SAR, a SAR Request Form must be completed to track the completion of the process, and the request must be logged on the Log of Data Subject Requests.
5.4.3.2
However, there is no obligation to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information. To determine whether searches may be unreasonable or disproportionate, you must consider:
The circumstances of the request;
Any difficulties involved in finding the information; and
The fundamental nature of the right of access.
5.4.3.3
Archive and back-up files should be included in the fulfilment of any SARs.
5.4.4 Deleted Personal Data
5.4.4.1
If any personal data relevant to a SAR is amended, deleted, or otherwise disposed of between the time at which a SAR is received and the time at which a response is made, Luminas is able to take this into account in its response provided that amendment, deletion, or disposal would have been made irrespective of the receipt of the SAR in question.
5.4.4.2
The Right of Access does not, therefore, prevent Luminas from managing personal data in accordance with normal procedures, in particular those set out in Luminas’s Data Protection Policy and Data Retention Policy. It is not, however, permissible to amend, delete, or otherwise dispose of data as an alternative to complying with a SAR.
5.4.5 Refusing a Subject Access Request
5.4.5.1
In certain cases, it is permissible for the Company to refuse to comply with a SAR:
if it is not possible to identify the individual making the SAR after requesting additional verification; or
if the request is ‘manifestly unfounded’ or ‘excessive’, taking into account whether the request is repetitive in nature. In such cases, it is also possible to request a ‘reasonable fee’ to handle it.
5.4.5.2
If either of the above grounds applies, Luminas’s refusal to comply with the SAR must be justified and an explanation must be provided to the individual making the SAR within one calendar month after receiving the SAR. The individual must also be informed of their right to complain to the ICO or another supervisory authority and of the possibility of seeking a judicial remedy. Certain exemptions to the right of access are also included in the Data Protection Legislation.
6.0 Individual Right to Rectification
Individuals/data subjects have the right to ask for inaccurate data to be corrected or for incomplete data to be completed.
6.1 The Right to Erasure
Individuals/data subjects can ask the organisation to erase personal data in a number of situations, including but not limited to the following:
the personal data is no longer necessary for the purpose for which it was collected;
the organisation processes the personal data unlawfully;
the organisation has to erase the personal data due to a legal obligation;
the data subject withdraws consent and the processing has no other legal basis;
the data subject has successfully exercised the right to object;
minors who have given their consent to use an online service can always request the erasure of such personal data (regardless of their current age).
If personal data that is to be erased was previously transferred to other organisations, we inform those recipients that the data subject has requested erasure. This is carried out unless doing so proves impossible or involves disproportionate effort.
As a company we understand that we may only refuse to erase personal data in certain specific circumstances:
when the right to freedom of expression and information is involved;
the establishment, exercise or defence of legal claims;
compliance with a legal obligation;
reasons of public interest in the area of public health;
archiving purposes.
6.2 The Right to restriction of the processing
Individuals/data subjects can request a restriction of data processing – we then still retain the personal data, but do not carry out other processing activities on it.
The data subject has the right to obtain restriction of the data processing when:
the accuracy of the data is contested;
the processing is unlawful;
the data is no longer needed;
there is a right to object.
6.3 Right to data portability
Individuals/data subjects can ask for their data to be supplied in an easy-to-use format so that they can easily process and send their data to other parties as they choose.
However, data portability is only possible when three conditions are all met:
the processing is based on consent or a contract;
the processing is automated (i.e. no paper documents);
the data subjects have provided the data themselves.
7.0 Document Control
This Procedure needs to be formally reviewed on an annual basis, as a minimum, or if required changes are identified to address one or more of the following:
A change in business activities, which will or could possibly affect Luminas’s ability to fully comply with GDPR and other related data protection requirements.
A change in the way in which Luminas manages personal data, or specifically the activities related to Subject Access Requests.
A change in data protection regulations or associated legislative requirements related to subject access requests and reporting.
An identified shortcoming in the effectiveness of this Procedure, for example as a result of a data breach, ICO investigation, formal review or an audit finding.