Principle 6 and Subject Access Request Procedures

Supporting Document to the Data Protection Policy (For Data Protection Co-ordinators)

Version Control

Date        Version    Reason                                        Owner          Author
17/11/2008  Draft 1    Outline Draft                                 Jackie Groom   Indi Viknaraja
13/01/2008  Draft 2    Re-draft after discussions with audit and JG  Jackie Groom   Indi Viknaraja
11/03/2009  Draft 3    Re-draft after discussions with JG            Jackie Groom   Indi Viknaraja
01/07/2009  Final      After discussions with JG                     Jackie Groom   Indi Viknaraja
19/09/2012  Version 5  Amendments at review                          Jackie Groom   Indi Viknaraja

Subject Access Request Procedures 1

Purpose: To set guidelines for the uniform processing of Subject Access Requests
Approved by: Data Protection Co-ordinators' Group; Internal Audit
Status: Final
Date: July 2009; Reviewed Sept 2012
Review Date: July 2014
Consultation: DP Co-ordinators

Contents

Title  Page
1 Introduction  4
1.1 Data Protection Principles  4
1.2 Contraventions of Principle 6  4
1.3 Rights of Subject Access  5
1.4 Requirements for providing Personal Data  5
1.5 Automated decision taking  6
1.6 Fees for processing Subject Access Requests  6
1.7 Timeframes for responding to Subject Access Requests  6/7
1.8 Repeated Requests under Subject Access  7
1.9 What must be provided under Subject Access  7
2 Southend Borough Council's Internal Processes for handling Subject Access Requests  8
2.1 Exemptions under the Data Protection Act  8/9
2.2 Other grounds for refusal under the Data Protection Act  9
2.3 Escalation of Subject Access Requests  9/10
2.4 Disclosure Decision Records - Audit Trail  10

Appendices
Appendix A Information and Governance Team, Internal Procedures for handling Subject Access requests  11/13
Appendix B Subject Access Requests Procedures and Roles and Responsibilities  14/18
Appendix C Desk instructions for handling Subject Access Requests  19/20
Appendix D Subject Access Request application form  21/23
Appendix E Disclosure Decision Record  24/25
Appendix F Standard Notification Email to directorates  26/27
Appendix G Standard Letters
  SAR Acknowledgement letter  28
  SAR Clarification letter  29
  SAR Ready for collection letter  30
  SAR Supplied letter  31

1. Introduction

This procedure is to be followed by the Data Protection Co-ordinators in dealing with Subject Access Requests.

1.1 Data Protection Principles

Southend-on-Sea Borough Council's Data Protection Policy sets out the broad organisational and employee requirements to ensure compliance with the Data Protection Act. Specifically, Principle 6 of the Data Protection Act requires that personal information "shall be processed in accordance with the rights of the data subjects under the Act". These rights are:

- Rights to Subject Access (sections 7 to 9)
- Right to prevent processing likely to cause damage or distress (section 11)
- Right to prevent processing for the purposes of direct marketing (section 11)
- Rights in relation to automated decision taking (section 12)
- Right to take action for compensation if the individual suffers damage by any contravention of the Act by the data controller (section 13)
- Right to take action to rectify, block, erase or destroy inaccurate data (section 14, section 12A and section 62)

1.2 Contraventions of Principle 6 of the Act

A person will contravene this Principle if, but only if:

- he fails to supply information pursuant to a subject access request under section 7 of the Act; or
- he fails to comply with notices given under the following provisions of the Act: (i) section 10 (right to prevent processing likely to cause damage or distress); (ii) section 11 (right to prevent processing for the purposes of direct marketing); or (iii) section 12 (rights in relation to automated decision-taking); or
- he fails to comply with a notice given under section 12A of the Act (right to require the Data Controller to rectify, block, erase or destroy inaccurate or incomplete data, or to cease holding such data in a way incompatible with the data controller's legitimate purpose).

1.3 Right of Subject Access

Sections 7-9 of the Act provide that upon making a request in writing (including by email) and upon paying the appropriate fee to the Data Controller, an individual is entitled to be told whether the Council, or someone on behalf of the Council, is processing that individual's personal data and, if so, to be given a description of:

- the personal data;
- the purposes for which they are being processed; and
- those to whom they are or may be disclosed.

1.4 Requirements for providing Personal Data

The individual is also entitled to have communicated to them, in an intelligible form, all the information which forms any such personal data. This information must be supplied in permanent form by way of a copy, except where the supply of a copy in permanent form is not possible or would involve disproportionate effort, or the Data Subject agrees otherwise.

"Disproportionate effort" is not defined in the Act. The Council will therefore consider any representations made by Data Owners (responsible departments), in line with guidance provided by the Information Commissioner's Office, in particular:

- the cost of provision of copies of information;
- the length of time it may take to provide the information;
- how difficult or otherwise it may be for the Data Controller to provide the information;
- the size of the organisation to which the request was made.

Such matters will always be balanced against the effect on the Data Subject. In line with best practice, and to minimise negative effects for Data Subjects, the Council will always endeavour, in the first instance, to provide copies of all data within the scope of the request. In responding to requests under this Principle, the Council will also deploy best practice through another tool, detailed under Subject Access Requests - Appendix B.

If any of the information in the copy is not intelligible without explanation, the Data Subject should be given an explanation of that information, e.g. where the Data Controller holds the information in coded form which cannot be understood without the key to the code, and, subject to the third party information referred to below, any information as to the source of that data.

1.5 Automated decision taking

An individual is entitled, by written notice, to require a Data Controller to ensure that no decision which significantly affects that individual is based solely on the processing by automatic means of personal data of which that individual is the Data Subject. The Act gives specific examples of matters for which such automated decision-taking might be employed, i.e. evaluating matters about that Data Subject such as his performance at work, his creditworthiness, his reliability or his conduct. This is not an exhaustive list. Where a decision which significantly affects an individual is based solely on such automatic processing, Data Controllers must notify the individual that the decision was taken on that basis as soon as reasonably practicable.

1.6 Fees for processing Subject Access Requests

A Data Controller may charge a fee for dealing with subject access. Currently, the maximum fee chargeable is £10 (or £2 if it is a request for limited information from a credit reference agency). The Council charges the maximum £10 fee for processing a request that is made under rights of Subject Access. However, under certain circumstances the fee can be waived. This decision is to be made by the Group Manager in the service area and the Information Governance Officer (DP&FOI).

There are special rules that apply to fees for access to manual health records (where the maximum fee is currently £50) and education records (where there is a sliding scale ranging from £1 to £50 depending upon the number of pages to be provided). Details can be found in S.I. No. 191 referred to above (as amended by S.I. No. 3223) and on the Commissioner's website.

1.7 Timeframes for responding to Subject Access Requests

The Council must comply with a subject access request promptly, in other words as quickly as we can, and in any event within forty calendar days of receipt of the request or, if later, within forty days of receipt of:

a. the information required to satisfy himself as to the identity of the person making the request and to enable him to locate the information which that person seeks; and
b. the fee.

There are different time limits for school pupil records, which must be provided within 15 school days of the receipt of the request or, if later, within 15 days of the receipt of the information referred to in (a) and (b) above.

Unless the Data Controller has received a request in permanent form, the prescribed fee and, if necessary, the information referred to above, the Data Controller need not comply with the request.

However, the Commissioner's advice is that a Data Controller should act promptly in requesting the fee or any other further information necessary to fulfil the request. A deliberate delay on the part of the Data Controller is not acceptable. The Commissioner might make an adverse assessment of a Data Controller where the Data Controller delays requesting payment of any required fee, or the provision of any further information to enable him to comply with the request, where such delays result in the response to the subject access request being provided more than forty calendar days after receipt of the original subject access request.

1.8 Repeated Requests under Subject Access

Data Controllers do not need to comply with a request where they have already complied with an identical or similar request by the same individual, unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request. In deciding what amounts to a reasonable interval, the following factors should be considered:

- the nature of the data;
- the purpose for which the data are processed; and
- the frequency with which the data are altered.

1.9 What must be provided under Subject Access?

The information given in response to a subject access request should be all that which is contained in the personal data at the time the request was received. However, routine amendments and deletions of the data may continue between the date of the request and the date of the reply. To this extent, the information revealed to the data subject may differ from the data which were held at the time the request was received, even to the extent that data are no longer held. But, having received a request, the Data Controller must not make any special amendment or deletion which would not otherwise have been made. The information must not be tampered with in order to make it acceptable to the Data Subject.

It is the responsibility of each Data Owner (the Directors, Heads of Services and Directorate Manager/s responsible for processing personal data for particular purpose/s) to ensure the above is adhered to and that accurate information is returned to the Information Governance Officer (DP & FOI). Data Owners in each department must ensure that teams have local systems/procedures in place for conducting accurate searches of personal data across manual and electronic sets.

2. Southend-on-Sea Borough Council's internal processes for handling Subject Access Requests

The Council will process all Subject Access Requests in line with corporate procedures as detailed in Appendix A. The Information Governance Officer (DP&FOI) will ensure that Data Protection Co-ordinators are aware of their roles and responsibilities, and will fulfil their own obligations in administering and advising on Subject Access Requests - Appendix B.

2.1 Exemptions under the Data Protection Act

The Subject Information Provisions

These provisions in the Data Protection Act can be waived in certain circumstances where an exemption applies. The subject information provisions are:

- the first Principle (and compliance with Schedule 1);
- section 7, Rights of Access to personal data (i.e. the right to have information disclosed under Subject Access legislation).

The exemptions are:

Section 29 Crime and Taxation
Data processed for the following purposes are exempt from these provisions:
- prevention/detection of crime;
- prosecution/apprehension of offenders;
- assessment/collection of any duty/tax.

Section 34 Information required to be made public
If the Data Controller (the Council) is required to make the information public (obligation) other than under FOI, it is exempt from these provisions.

Schedule 7 (5) Miscellaneous - Management Forecasts/Management Planning
Data processed for these purposes is exempt from these provisions if it is processed to assist the Data Controller (the Council) in conducting business.

Schedule 7 (10) Miscellaneous - Legal Professional Privilege
Personal data is exempt from these provisions if the data consists of information in respect of which a claim to legal professional privilege could be maintained in legal proceedings.
Note: The term legal professional privilege covers two different privileges: litigation privilege and legal advice privilege. The former protects confidential communications between a lawyer and his client and/or a third party, provided that such communications have been created for the dominant purpose of actual or pending litigation. Legal advice privilege is a broader concept and protects confidential communications between a lawyer and his client (and evidence of those communications), provided that the communications are for the dominant purpose of seeking and receiving legal advice.

Schedule 7 (7) Miscellaneous - Negotiations
Data consisting of records regarding the intentions of the Data Controller (the Council) relating to any negotiations with the Data Subject (the applicant) are exempt from these provisions.
Note: The information has to relate to negotiations that are active at the time of the request and formal (e.g. pay rises, contracts, employee relations discussions, investigations etc). If a decision has already been made by the Data Controller and negotiations are completed, the Data Controller should not rely on this exemption.

2.2 Other grounds for refusal under the Data Protection Act

As well as these specific exemptions, the Council will also take into account:

- Social Work: the Data Protection Subject Access Modifications Order 2000, and guidance from the ICO on access to Social Services records (there is a general exemption for release of information that is likely to prejudice the future carrying out of social work).
- Third Party Data and the Common Law of Confidentiality: guidance from the ICO on SARs and third party data / common-law confidentiality issues.

2.3 Escalation of Subject Access Requests

The Information and Governance Team will process all Subject Access Requests in line with the procedures in Appendix A. This includes adhering to the fair processing statement provided to applicants as part of the formal Subject Access application. However, in certain circumstances there may be a need for the details of a particular request to be escalated over and above standard requirements. The criteria for escalating a request within the Council are detailed in Appendix A. Only the minimum information will be provided in the course of escalation, to allow effective sharing where a request might reasonably affect the wider organisation or impact on other current, related procedures such as Human Resources, Legal or complaint processes. Escalation will in no way affect the Council's overall response to the request, which will always be made in line with the rights of the individual (Section 1).

2.4 Disclosure decision records

Final decisions on what can be disclosed to Data Subjects will be made by the Information and Governance Team in line with the above and, importantly, on the basis of relevant departmental consultations having taken place in line with the procedures detailed in Appendix A and the approach to Escalation. The Information Governance Officer (DP &FOI) and Data Protection Co-ordinators will complete a Disclosure Decision Record for each Subject Access Request. This will ensure there is an audit trail available describing in broad terms how decisions were made - Appendix E. The Disclosure Decision Record must include key examples of:

- background information and any high-profile links or the provision of sensitive personal data;
- a description of what data was removed/redacted and why, showing which exemptions/guidance were relied on, with some key examples;
- a description in broad terms of what data was supplied and why the applicant had an entitlement to it, including reference to any third party consent gained.

APPENDIX A - Internal Procedures

1 Receipt of Application

a) Request received by Information Governance Officer DP & FOI (IGO).
b) If the application is complete and the fee has been received, acknowledge the request in writing using the standard letter (Appendix G). If the application is incomplete, send the appropriate letter (SAR further information letter - Appendix G), as we cannot process the application until all necessary information is to hand.
c) Create a new SAR (as per the Desk Instructions at Appendix C) in the Excel spreadsheet. Save the SAR request, any supporting evidence and a copy of the acknowledgement letter under a consecutive SAR number, and complete all sections (name, date received, dedicated SAR officer, deadline and notes) on the spreadsheet log. Only calculate the deadline when the complete application is received. Use the 40 day calculator and enter the deadline.
d) Once the complete application is received, write the new SAR number on the application form and take the cheque to accounts using the Information and Governance budget code of R4701 2073 2073.
e) Scan all documents and marry them to the relevant SAR application on the Excel spreadsheet.
f) Maintain all original copies in the manual DP folder. The key to the DP cabinet is held by the Information Governance Officer (DP &FOI).
g) When saving documents in the SAR Log, ensure they are saved under the relevant folders: received, sent, dialogue and collated.
h) If the Data Subject has specified an area of interest, send an email to the relevant DP Co-ordinator/s with the request, all supporting documents and the deadline. If no specific service area is requested, send to all Co-ordinators.

2 Escalation Procedure

a) Under certain circumstances the Director and/or Head of Service (HOS) may have to be notified of the receipt of a SAR (even if they are not approached as direct Data Owners). This could be in instances where the request is from a current/ex member of staff who has a live HR investigation with SBC, if they are taking legal proceedings, or if they have an ongoing complaint that might have press coverage. The fact that we choose to notify the Director or HOS will not change the outcome of the SAR, but there may be wider implications.

3 Monitoring

a) Add all details on to the SAR Log.
b) Diarise the request to ensure we meet the deadline. The deadline for a SAR is usually 40 calendar days from the date all information is received and the date payment is processed.
c) On the 20th day (i.e. half way through the 40 days), send an email reminding the DP Co-ordinator that information is still outstanding and needs to be submitted as soon as possible.

d) As part of the audit trail, on the 30th day, the appropriate Line Manager will be notified of any outstanding case/s.
e) Save all dialogues in the relevant SAR folders on the SAR Log, in the dedicated dialogue folder.
f) During the 40 day period keep the Data Subject apprised of the case.
g) Hard copies of the SAR and related documents are maintained in a chronological manner and kept secure by the Information Governance Officer (DP &FOI).

4 Preparation for Despatch

a) When the redacted material is received from the appropriate DP Co-ordinator, call OCE x 4066 to scan the documents.
b) Write to/telephone the Data Subject to inform them that the papers are ready for collection and request that they produce photo ID (SAR supplied letter - Appendix G).
c) When the scanned documents are received, copy and save them in the collated folder.
d) All documentation and scanned copies are to be kept securely whilst awaiting despatch.

5 Despatch

a) The Data Subject can take away the copy if he/she wishes.
b) If they wish to view it in a Council office, make arrangements with the respective officer for viewing (especially applicable for Social Care files) and ensure a social worker is available to assist with the viewing.
c) If they are unable to come to the Council office, offer them the options: they could authorise someone with identification to collect on their behalf, or it could be sent by Special Delivery through Royal Mail. In all instances it is essential that a risk assessment be done, especially if the records contain sensitive material or financial data, and the importance of secure delivery borne in mind. In the worst case scenario, where both options are unsuitable to the subject, consider using a courier as a last resort.
d) If they want the papers posted, contact the Post Room for secure Special Delivery through Royal Mail, with a signature sought on receipt (make the Data Subject aware of the risk of loss).
e) The Post Team have details of the courier.
f) Before the data is collected, complete a delivery note and get the Data Subject to complete and sign it to confirm that the requested data has been supplied.

6 After Despatch

a) Advise the Data Subject that if they feel any information is missing, or if they have any concerns, they are free to contact the Information Governance Officer (DP &FOI).
b) Update the spreadsheet.
c) Copies of all information should be maintained and subsequently destroyed in line with the SBC Retention Policy.

APPENDIX B - Subject Access Request (SAR) Procedure and Roles and Responsibilities

Information Governance Officer (DP &FOI) (IGO): receives the SAR in writing and conducts the relevant administration, e.g. acknowledging / clarifying and charging for the request as appropriate.

IGO: sends out a clarification letter to ensure that the application is complete BEFORE day 1 of the 40 day clock starts ticking. The application should include the relevant information from the list below:

- identity of the applicant;
- DOB/current and previous local addresses, if applicable;
- which records specifically they are interested in requesting;
- the month/year of their last contact with the Council in relation to the records requested;
- whether they have children who have received services from the Council;
- whether they have received social services themselves from the Council;
- fee received;
- decide if consent is needed (if the request is submitted by an advocate/legal representative or a third party);
- obtain written consent.

Once full information AND clarification AND fee AND consent are received, as applicable, the clock starts ticking.

DAY 1-3 (3 calendar days)

IGO: to issue notice across the Council to all DP Co-ordinators, OR to the specific relevant DP Co-ordinator/s.

ESCALATION OF REQUEST DETAILS
**NOTE: there may be circumstances in which the Director and Heads of Services (HOS) may wish to be notified of the existence of a SAR (even if they are not approached as data owners). For example, if the request is from a current / ex staff member who has a live HR investigation case; if they are taking any other legal proceedings; or if they have an ongoing complaint that might have press coverage. The fact that we choose to notify them will not change the outcome of the SAR in any way, but there may be wider implications.

IGO: issue a formal acknowledgement letter to the applicant, log the request on the DP Excel spreadsheet and enter the deadline.

DAY 4-20 (16 calendar days)

IGO: on the 20th day, a chase-up reminder email is sent to the respective DP Co-ordinator.

Directorates: begin processing by completing audit trail - Appendix E. Search all filing systems (includes databases/manual folders/systems/notes) Directorates: conduct initial review of all records (highlighting 3 rd party data and any specific areas of concern about disclosure with notes on reasons for concerns made in each case) Third party information should be removed or blanked out. Directorates: arrange to meet/contact IGO to go through/discuss records/provide the first copy/discuss any concerns about disclosure and reasons. (This meeting should also include Legal services officer if Legal records are held). IGO also to be notified if there are justified concerns that could cause delays to meeting deadline. The reasons should be logged in the audit trail. Directorates: make 1 exact photocopy of all original records held for submission to the IGO with notes on the above considerations. All papers to be sent to the IGO in a secure fashion. DAY 20-30 (10 calendar days) Directorates: consider each category of records and Directorate s concerns on disclosure. Directorates: complete log showing reasons for decisions to withhold/disclose/redact all/parts of records retrieved Appendix E IGO: As part of the audit trail, on the 30 th day, the Line Manager will be notified of any outstanding case/s. IGO: to scan copies of all records taking into account redactions/removals of data and then to marry to respective case file. As per the SBC Retention and Deletion Policy, papers are to be maintained and deleted appropriately. IGO: to write to the applicant to notify Data Subject that their data is ready for collection (includes notification of where records have been retrieved from and if applicable a summary of the reasons for redactions/removals) IGO: to make appointment with Data Subject. Prepare covering letter and request a photo ID before release of documents OR IGO: to liaise with Data Subject and make arrangements, to suit them. 
Various options are mentioned in the internal procedures (Appendix A). Whatever the preferred option, a risk assessment is to be done and the security of records in transit borne in mind. The Data Subject is also to be made aware of the risks of data loss.

AND

For sensitive records
IGO: will write to the applicant as above but will suggest that the applicant contacts the Directorate directly to make an appointment to collect their records, so that any questions can be answered (e.g. if a social worker's presence is appropriate).

BY DAY 40

IGO: once the SAR is ready, the Data Subject collects the records, the letter is sent, the deadline is met and the case is closed on the spreadsheet.

Once the Request has been met:

If the Data Subject raises any concerns about the content of the data, or feels any information is missing, these will initially be dealt with as follow-up enquiries through the Information Governance Officer (DP & FOI). There is no set standard timeframe for responding to such queries. A suitable timeframe will be determined on a case-by-case basis to allow for the individual circumstances of the case and the volume of records / further checks that may be required. Should the Data Subject remain dissatisfied with the response, they will have the opportunity to raise the matter as a formal stage 1 complaint through the Council's Complaints procedure and ultimately they can escalate to the Information Commissioner's Office.

SUBJECT ACCESS REQUESTS GUIDANCE NOTES and KEY TERMS

Definition

A Subject Access Request (SAR) is a request from an individual to receive copies of any personal information we (the Data Controller) hold that relates to them. Someone acting on behalf of the Data Subject, such as a Solicitor or advice worker, can make a request. The request can be specific to one directorate or subject, or can be broad and cover the whole of the Council.

Routine Request or a Subject Access Request?

Routine requests for personal data should not be treated as Subject Access Requests. A routine request would be, for example, a resident asking for recent copies of their Council Tax bills or payment records. These types of requests are routinely responded to within directorates and this should remain the case.

A Data Subject's rights include:
To be given a description of the data
To be told why the data are held
To be told who the data may have been shared with and why
To be given a copy of the data with any technical terms explained
To be given any information available to the controller as to the source of the data
To be given an explanation as to how any automated decision taken about them has been made

When a request for any/all of the above is received in the Council (and this can be made to any employee in any department), the Information Governance Officer (DP & FOI) must be made aware. We will then implement the necessary administration to process the request in line with the procedures above.

If the person thinks that the information disclosed to them is not accurate, they can:
ask that the data be corrected. This may lead to a dispute between the organisation and the data subject as to what is correct (if, for example, the Council records show that the information was in fact supplied by the Data Subject themselves). In this instance good practice states that the Data Controller should add a formal, dated note to the file to explain that the Data Subject disputes the accuracy of the content and the reasons why. They should then be told that this has been done.
approach the Information Commissioner if they think that the correction has not been made.
apply to the court for an order requiring the data controller to rectify, block, erase or destroy the data. The court can also order the data controller to notify other organisations of the correction.

The individual may be entitled to compensation for damage caused.

Appendix C

Step by step desk instructions for recording, scanning and despatching SARs

1. Acknowledge the letter appropriately, depending on its contents.

2. Scan received docs: on the fax/scanner press the DP button, then Start. The scan goes to the DP folder; from there copy it to the relevant SAR folder.

3. To create a new SAR:
Go to S drive/Data Protection/DP
Create a new folder and enter the new SAR number, then press Enter
Open the shortcut to the status Excel spreadsheet (on the same page)
Write in the new SAR number and press Enter to activate; press Enter again
Right-click on the new SAR and activate the hyperlink; write the new SAR number in the Address column and click OK
Left-click on the created SAR and create folders: rec'd, sent, dialogue and collated documents
Copy all scanned docs to the relevant folders
To copy a host of files, hold Shift down, left-click on all the relevant files to be copied, then paste

4. Calculate the deadline:
Click on the calculator
Enter the receipt date in the first box and then the 40-day period
Enter the deadline
Enter all action taken under notes
Note the SAR number on the correspondence
Write the SAR details on the cheque with budget code R4701 2073 2073
Cheque to accounts
Despatch the request to the relevant policy leads with the relevant scanned docs
Once despatched to the relevant Co-ordinator/s, keep track

5. Ensure all emails are copied to the dialogue folder.

6. To copy an email into the SAR folder: Inbox > File > Save as > Desktop > Shortcut to DP > the relevant SAR, and save with the new number. Scan docs.

7. When papers are received from service areas:
Call OCE x 4066 to arrange scanning.
Write to the data subject using the SAR collection letter in standard letters and request the form of photo ID required for collection of the papers.
When the scanned documents are received, copy the documents from the CD to collated documents.
Prepare the documents for collection.
Complete the delivery note (in standard letters), which needs to be completed by the subject upon delivery of the documents.

8. If the data subject is unable to pick up the papers, send them by Special Delivery (and inform them of the risk of data loss). Contact the post team to arrange for delivery with signature at the pick-up point.

9. Courier details are available from the post team.

To check the status of a case on the SAR spreadsheet, click on the first column on the left. A traffic light status applies to cases:
Red - completed but outside deadline
Green - case commenced but documents outstanding and clock has not started ticking
Amber - being processed

Appendix D

SAR Sept 2008

Data Protection Act 1998 Subject Access Request (SAR) Form

DATA PROTECTION STATEMENT: The data gathered on this form will be used to process your request for personal data. The information supplied here will be shared with other Directorates within the Council for the purposes of checking your identity and locating any information we hold on you. Once we have dealt with your request, we will retain this document for audit purposes, in line with the Council's Retention Policy. The information will then be held securely before being disposed of as per the Council's Retention and Deletion Policy.

PART 1: The Request
Please complete in BLOCK CAPITALS

[ ] I am the Data Subject (the person the information is about). If yes, please tick and then complete Parts 2, 3, 4, 5
OR
[ ] I am acting on behalf of the Data Subject AND I:
[ ] Enclose evidence that I am legally able to act on their behalf / as advocate
[ ] Enclose evidence that I have parental responsibility for my child (if you are acting on behalf of a child please indicate date of birth and age: ..........)
[ ] Am a Solicitor acting on behalf of my client and enclose their signed consent

If you are requesting information on behalf of someone else, please give your own contact details:
Full Name: ..........
Relationship to data subject: ..........
Address: ..........
Post Code: ..........
Contact telephone number: ..........
Email: ..........

PART 2: Data Subject's Personal Details
Surname: ..........
Full Forenames: ..........
Title: ..........
Any former names: ..........
Date of Birth: .......... (will help with certain searches)
Address: ..........
Post Code: ..........
Previous addresses: ..........
Post Code: ..........
Contact telephone number: ..........
Email: ..........
You do not have to supply a telephone number or email address; however, it may assist us in dealing with your request if we can contact you quickly.

Please indicate your relationship with Southend-on-Sea Borough Council:

Current Employee: [ ]   Former Employee: [ ]   Resident of Southend: [ ]   Former resident of Southend: [ ]   Other: ..........

PART 3: Information Requested
Please provide as much information as possible to assist us in locating your data. If relevant, include any Directorates you have or have had dealings with, and any contract number or reference number (such as National Insurance No or Benefit Claim details).

How would you like to view/receive the information? Visit the Council Offices, on paper, a CD, Braille. Please tick as appropriate:
[ ] Visit   [ ] Papers   [ ] CD   [ ] Braille   [ ] Any other (state): ..........
Please Note: Whilst we try our best to supply the information to you in the format you require, this may not be possible in all circumstances. If you are unable to come to the Council Office, you could authorise someone, who will need to show identification, to collect on your behalf. If you would prefer the papers to be copied on to a CD or sent by Special Delivery, care is taken to ensure security in transit.

PART 4: Declaration (tick as appropriate)
[ ] I certify that I am the person named on this form
[ ] I certify that I am requesting information on behalf of ..........
and wish to be provided with the described data relating to myself / the data subject under Sections 7-9 of the Data Protection Act 1998. I will not publish any data which is supplied to me without prior permission from Southend-on-Sea Borough Council or the copyright owner (if not owned by the Council), except where permitted by law.
Signature: ..........   Date: ..........

Part 5: Information you need to provide
Please enclose the following with this form:
1. A cheque for £10.00 made payable to Southend-on-Sea Borough Council
2. Proof of your identity. Please provide a photocopy of one of the following:
   o Photo page of your passport
   o Photo driver's licence
   o Birth certificate
3. Please send the completed form, fee and proof of identity to:
Southend-on-Sea Borough Council
Information Governance Officer
Support Services
PO Box 2
Civic Centre
Victoria Avenue
Southend-on-Sea
Essex SS2 6EP

Please Note:

1. We are required by law to respond to your request within 40 calendar days of receipt of your request. If, however, the notice is incomplete or we have to make further enquiries, this period starts from the date those enquiries were completed.
2. Where a request is not followed up with the required fee or relevant information within 28 calendar days of the initial enquiry, this office will assume that the information is no longer required and close the case.
3. Depending on what information you require, in some cases we may be able to make a reasonable charge (in addition to the £10 initial fee) to supply this information to you. We will contact you if a further charge is to be applied.
4. If you have any queries or need assistance with completing the form please contact Indi Viknaraja on 01702 215000 or email: dataprotection@southend.gov.uk

Part 6: Office Use Only
Application Received on: ..........
Is application complete: ..........
Fee(s) received: ..........   Paid in on: ..........
Date of Initial Acknowledgement: ..........
SAR Reference No: ..........
Target date: ..........
Deadline: ..........
Passed to: ..........
Co-ordinator: ..........   Sent: ..........   Returned: ..........
Relevant comments by Co-ordinator/s on progress: ..........
Outcome: ..........
Data ready for dispatch: ..........
Date data passed to client: ..........

APPENDIX E

DATA PROTECTION SUBJECT ACCESS REQUEST AUDIT TRAIL
DISCLOSURE DECISION RECORD

Data Subject Name:
Advocate's/representative's Name (if appropriate):
Deadline for Response:
Summary of scope of request:
Records submitted from the following directorate/s (give officer name/s):
Sensitive information held as part of the above?
Date of meeting with directorate officer (give officer name/s):
Consultation with Legal Services (give officer name/s):
Background Information provided:

The information highlighted by the data owners (responsible directorate) and/or IGO as being of concern should be withheld in whole/part for the following reasons:
[Enter text describing what data was removed/redacted and why, showing which exemptions/guidance were relied on. Give some examples.]

AND

[Enter text describing in broad terms what data was supplied and why the applicant had an entitlement to this. Include reference to any third-party consent gained.]

APPENDIX F

STANDARD EMAIL TO BE SENT TO RELEVANT SERVICE AREAS UPON RECEIPT OF A NEW SAR

Dear XXXXXXX,

The Council has received a Data Protection Subject Access Request from the following individual:
Name:
Address:
DOB:
Any other supporting information:

They have asked for the following:
[Insert exact nature of request including the SAR application form.]
xxxxxxxxxxxx

The Council has a legal duty to comply with this request under Principle 6 of the Data Protection Act (1998). Please use the table below and return it by email to me once the relevant tasks have been completed.

Task: Search all relevant systems/databases and folders. Check for third-party data and areas of concern. Provide copies of all records in scope to the IGO (or meet with the IGO to discuss).
Due Date: (This will be a total period of 16 calendar days as per procedures)
Nil Return (tick if applicable):
Date completed:
Officer Initials:

Task: Search all Email accounts in Outlook. Check for third-party data and areas of concern. Provide copies of all records in scope to the IGO (or meet with the IGO to discuss).
Due Date: As above
Nil Return (tick if applicable):
Date completed:
Officer Initials:

Task: Search all manual files. Check for third-party data and areas of concern. Provide copies of all records in scope to the IGO (or meet with the IGO to discuss).
Due Date: As above
Nil Return (tick if applicable):
Date completed:
Officer Initials:

Please note: Failure to respond fully or in time to this request could result in the Council breaching the Data Protection Act, which could incur sanctions from the Information Commissioner's Office against the Council.

Please use the following Guidance when conducting this work:
SAR Procedures - Roles and Responsibilities
Exemptions under the Data Protection Act
Third party data/confidentiality and Social Care records
These are available in the Data Protection Supporting Documents on the Intranet.

APPENDIX G

SAR Application Acknowledgement letter

Southend-on-Sea Borough Council
Department of Support Services
PO Box 6, Civic Centre, Victoria Avenue, Southend-on-Sea, Essex, SS2 6YL

Our ref: SAR XXX/ /IV
Your ref:
Direct Dial: 01702 215501
Fax No: 01702 215162
Contact name: Indi Viknaraja
E-mail: indiraniviknaraja@southend.gov.uk
Date: XXXXX

Dear XXXXX

REQUEST FOR INFORMATION UNDER THE DATA PROTECTION ACT

Thank you for completing the application form in relation to your request for information, which we received on XXXXX. I also acknowledge receipt of the £10.00 fee and confirm that we have started to process your request.

The Data Protection Act requires us to process your request within 40 calendar days of receipt of the above, which takes us to XXXX. We aim to deal with all requests as quickly as possible, certainly within the above timeframe, unless more time is needed to retrieve the information. However, if your enquiry does need further research, you will be contacted to be informed how long it might take.

If at any time you are unhappy with the way we are dealing with your enquiry, or you need any more information, please do not hesitate to contact me on the direct line or email me on the contact details above.

Yours sincerely

Indi Viknaraja
Information Management Officer

Southend-on-Sea Borough Council
Department of Support Services
PO Box 6, Civic Centre, Victoria Avenue, Southend-on-Sea, Essex, SS2 6YL

Our ref: SAR XXX/ clarification/iv/
Your ref:
Direct Dial: 01702 215501
Fax No: 01702 215162
Contact name: Indi Viknaraja
E-mail: indiraniviknaraja@southend.gov.uk
Date: XXXXX

Dear xxxxxxx

Request for Information under the Data Protection Act
Re. xxxxxxxxxxxxxxx

Thank you for your request for the above information, which we received on xxxxxx.

The legislation requires that we respond to your request within 40 calendar days from the date we receive payment and from the point at which we have all the necessary information to enable us to process your request. In this case, we would like to clarify the nature of your request and ask you the following questions. Kindly respond as soon as possible. If we do not hear from you we will be unable to progress your request.

Clarification required:
Xxxxxxxxxxxxx

Third-party consent (if applicable):
We must also ask you to provide us with a record of explicit consent from your (client/relative) that (he/she) authorises you to act on (his/her) behalf in relation to this Subject Access Request. Please provide us with a signed and dated note of consent from xxxxxxxxxxxxxxxxx to this effect. If we do not receive consent we will be unable to progress your request.

If at any time you are unhappy with the way we are dealing with your enquiry, or you need any further information, please do not hesitate to contact me on the details above.

Yours sincerely,

Indi Viknaraja
Information Governance Officer

Southend-on-Sea Borough Council
Department of Support Services
PO Box 6, Civic Centre, Victoria Avenue, Southend-on-Sea, Essex, SS2 6YL

Our ref: SAR xxx
Your ref: xxxx
Direct Dial: 01702 215501
Fax No: 01702 215162
Contact name: Indi Viknaraja
E-mail: indiraniviknaraja@southend.gov.uk
Date: xxxx

Dear xxxx

REQUEST FOR INFORMATION UNDER THE DATA PROTECTION ACT

I am writing to confirm that we have gathered the information you require in accordance with your above Subject Access Request. Your request was retrieved from the xxxxxxxxxxxxx service area. Copies of the documents are attached.

I trust the information satisfies your request, and if you have any queries please do not hesitate to contact me.

Yours sincerely

Indi Viknaraja
Information Governance Officer

Southend-on-Sea Borough Council
Department of Support Services
PO Box 6, Civic Centre, Victoria Avenue, Southend-on-Sea, Essex, SS2 6YL

Our ref: SAR xxx
Your ref: xxxx
Direct Dial: 01702 215501
Fax No: 01702 215162
Contact name: Indi Viknaraja
E-mail: indiraniviknaraja@southend.gov.uk
Date: xxxx

Dear xxxx

REQUEST FOR INFORMATION UNDER THE DATA PROTECTION ACT

I am writing to confirm that we have gathered the information you require in accordance with your above Subject Access Request. Your request was retrieved from the xxxxxxxx service area. Copies of the documents are attached.

Only information constituting your personal data has been included in this disclosure. In line with our procedures and guidance provided by the Information Commissioner's Office, we have excluded any information that does not constitute your personal data.

Third Party Data and Extractions

In some instances, it has been necessary to redact (black out) third-party personal data. This has been necessary in order to protect those individuals' rights to privacy and confidentiality, where their identities would otherwise be unreasonably disclosed to you.

We will require you to provide some form of photo identification so that we can confirm your identity before we give you the information.

Or xxxxx

If someone else is to receive the documents on your behalf, they should provide a letter of authority from you and a photo ID.

If you have any questions or concerns, please do not hesitate to contact me.

Yours sincerely

Indi Viknaraja
Information Governance Officer