Step 4: Understanding data subjects' rights

By definition in the GDPR we are all known as data subjects. Data subjects have the right to object to how their personal data is processed.

They also have the right to request access, correct, sometimes delete and restrict the personal data being processed. In addition, they have a right to complain to you and to the Information Commissioner’s Office (ICO). Details of how to complain to the ICO can be found on their website.

Unless subject to an exemption under the GDPR and DPA 2018, a data subject has the following rights with respect to their personal data:

• The right to be informed – they have the right to know how their data will be used by you, especially if this is changing
• The right to access their personal data – they can ask you to share with them the data you have about them. This is a Subject Access Request and is explored further on this page.
• The right to rectification – this just means they can update their data if it’s inaccurate or if something is missing. Adult members will be able to edit and update some information directly on the Adult Membership System.
• The right to erasure – this means that they have the right to request that you delete any personal data you have about them. You must consider these requests very carefully as so long as you have a sound legal basis for retaining the data you are unlikely to need to delete it, for example, some information will be processed for legal reasons.
• The right to restrict processing – if they think that you are not processing their data in line with your privacy notice then they have the right to request that you restrict any further use of that data until the issue is resolved.
• The right to data portability – this means that if they ask you to export their personal data then you will do so in a way that can be read digitally – such as a PDF. This makes it easier to share information with others.
• The right to object – they can object to the ways their data is being used.
• Rights in relation to automated decision-making and profiling – this protects the data subject in cases where decisions are being made about them based entirely on automated processes rather than a human input. It’s highly unlikely that this will be used by local Scouts.

Subject access requests

With these extensive rights available to data subjects it is important that you have a process for responding to a request from the data subject on any of the above. By far the most common of these is a subject access request (SAR).

The response to the data subject needs to be within one month from receiving the request. This can be extended by up to two months, if the request is complex and cannot be completed in time, but notice must be given to the data subject on the extension and the reason why. Further information on this can be found on the ICO website.

The following process can be used as guidance to manage such requests:

• Application: Data subject to provide request scope or complete SAR Request Form.
• Identity Evidence: You must be certain you are giving the data to the correct person. The best way to do this is to ask for identification such as current passport or driving licence.
• Request Logged: The date by which the identification checks and the specification of the data sought must be recorded in a SAR Register.
• Discovery: The Trustee Board discovers all instances where the data subjects' personal data is present (within the scope of the request), the Data Inventory will help guide this.
• Response: Trustee Board to respond to data subject in electronic format and response logged.

Discovery

Discovery will entail either:

• Collecting the data specified by the data subject as part of their defined scope, or
• Searching all databases and all relevant filing systems (manual files) in the Scout Unit.

It is suggested that the Trustee Board maintains a data inventory that identifies where all data within the Scout Unit is stored to make it easier and quicker when undertaking searches.

Responding to a Subject Access Request (SAR)

The Trustee Board is responsible for reviewing all provided documents to identify whether any third parties are identified in it and for either omitting or redacting identifying third party information from the documentation or obtaining written consent from the third party for their identity to be revealed. Consideration must also be given to ensure that nobody is put at risk by disclosing information.

Third party data that is commonly reviewed includes email exchanges and incident reports that involves multiple individuals. Discover further guidance from the ICO.

Any data subject can request access to their personal data, including children. In the case of children’s requests, it is important to assess the competency of that child to make this request. Check out further guidance on this.

If the requested data falls under one of the following exemptions, it does not have to be provided:

• Crime prevention and detection
• Negotiations with the requester
• Information used for research, historical or statistical purposes
• Information covered by legal professional privilege

The information should be provided to the data subject in electronic format unless otherwise requested and all the items provided are listed on a schedule that shows the data subject’s name and the date on which the information is delivered.

In all cases care should be taken to redact all personal data or confidential information that the data subject should not see.

To assist in maintaining a log of the Subject Rights Requests (SRR) received and manage their progress, an SRR Register is available.

In addition to the register, the SAR Form can be used to formalise the SAR with the data subject. The template form can be amended for use with the other types of rights requests.