SAR Request Procedure

Niall Colgan & Co. Solicitors

Subject Access Request Procedure [1]

Effective 25th May, 2018

1. Introduction & Objective

The Data Protection Acts 1988 – 2003 (hereinafter the Data Protection Acts) and the General Data Protection Regulation (EU) 2016/679 (hereinafter the GDPR) entitle ‘data subjects’ to have access to personal information that is held about them. This document details the issues that need to be taken into consideration when responding to a ‘Subject Access Request.’

This policy details the procedures Niall Colgan & Co. Solicitors will follow to ensure compliance with the Data Protection Acts when dealing with all requests for access to personal data held by Niall Colgan & Co. Solicitors.

2. Individuals entitled to receive copies of personal records held by Niall Colgan & Co. Solicitors

Personal information must not be disclosed unless and until authorisation is obtained from the client/member of staff, or the request is for the purposes of crime or taxation; or is otherwise permitted under the Data Protection Act. Detailed information can be found in Confidentiality: A flowchart showing a ‘Quick Guide’ to the SARS process can be seen at Appendix 1.

The following individuals have access to personal records:

· the individual themselves (i.e. client/user/employee/contractor);

· a representative nominated by the individual e.g. agent acting on behalf of their client (and with the full consent of that client);

· in the case of a deceased client the person who has a claim on the estate;

· or in the case of an incapacitated person (in certain restricted circumstances) the next of kin or person granted an attorney or agent of the Court of Protection on behalf of an adult who is incapable of consent;

· Requests for access to a client’s personal and legal record from the police without the written consent of the client should be referred to An Garda Síochána for approval.

3. Responsibilities

Niall Colgan & Co. Solicitors will oversee the systems and procedures that support the implementation of the SARS procedure.

Niall Colgan & Co. Solicitors are responsible for:

· Ensuring consent is obtained from the individual for the release of their records, in accordance with the requirements of the Data Protection Acts and the GDPR and the Niall Colgan & Co. Solicitors Guidelines and Procedures for Subject Access Requests under the Data Protection Acts;

· Liaising with third parties to process the access request in the event of shared records/data;

· Co-ordinating the release of the information and ensuring that sufficient identification is given by the applicant;

· Ensuring they have in place a system to respond to requests with a responsible individual identified to assist or manage the process. Responding to requests promptly within the agreed timescales, following Niall Colgan & Co. Solicitors Guidelines and Procedures for Subject Access Requests under the Data Protection Acts and the GDPR;

· Ensuring the record/data is reviewed by the appropriate personnel and the identification of exemptions, and third party information in accordance with the Data Protection Acts and the GDPR;

· Where a specific request for components of a record or specific information is received, to identify and confirm these components for release. Approval for their release is undertaken by a senior and appropriate professional and this approval is undertaken as a priority;

· Ensuring that all employees are aware of, and in all cases follow these Guidelines and Procedures for Subject Access Requests under the Act and the GDPR.

4. Receiving a request for personal information

A request for access to an individual’s personal information held by Niall Colgan & Co. Solicitors must be received in writing. Written applications can be received by the responsible employee at Niall Colgan & Co. Solicitors. The received date should be recorded on the written requests for records.

The application must contain sufficient information to enable Niall Colgan & Co. Solicitors to locate the information requested as well as a copy of an identification document. Niall Colgan & Co. Solicitors will check that the application fulfils the following criteria:

· Ensure full name, address and date of birth of applicant is provided.

· Ensure identification document is enclosed as per instructions.

· Ensure the application is signed and dated by the applicant.

· Ensure the additional agent’s authorisation is appropriate if someone else is acting on behalf of the applicant.

· Ensure the application provides enough data to identify where the records are being held.

Administration – Niall Colgan & Co. Solicitors will:

· Log details of request.

· Record date the application was received.

· Send acknowledgement of application.

· Record date request was sent to appropriate employee and to whom it was sent.

· Record date information was returned from appropriate employee.

If the application is deemed to be incomplete, Niall Colgan & Co. Solicitors will log details of the request. Niall Colgan & Co. Solicitors will then issue a subject access application form with covering letter. If after 3 months no reply has been received, the request will be destroyed using confidential means.

The request should then be forwarded to the service manager for processing (see section 4). This should be done without undue delay or within 72 hours of receipt of the request.

Where an access request has previously been complied with under the Acts and the GDPR, Niall Colgan & Co. Solicitors does not have to respond to a subsequent identical or similar request unless a reasonable interval has elapsed since the previous compliance (the Data Protection Commissioner’s office has defined a reasonable interval to be 12 months). The Data Protection Act imposes a 40-60 day limit on disclosing personal records.

5. Viewing Records

In some cases it may be considered more appropriate for the individual (who may prefer) to view their records instead of receiving copies. This applies particularly in the case of electronic personal and legal records.

The standard procedure (see Appendix 1) would generally apply to any request to view records. If, however, Niall Colgan & Co. Solicitors is, for example, asked formally by the client during an attendance if they can view their records then and there, it may be appropriate to bypass the usual procedure. This should be noted in the records.

Where requested, Niall Colgan & Co. Solicitors will allow data subjects to view the information held about them. Arrangements will be agreed with the data subject and relevant Niall Colgan & Co. Solicitors employees to facilitate this within the timescales allowed by the Acts and the GDPR (40-60 days).

6. Acknowledging a request for personal information

Once a written request has been received by Niall Colgan & Co., the request will be logged on the “subject access register”. If the correct subject access form and supporting evidence for proof of identity have not been provided, an acknowledgement letter will be sent to the applicant stating that Niall Colgan & Co. Solicitors is currently processing their request.

Supporting evidence for proof of identity must be the original version or authenticated copies from a solicitor of one of the following:

· Driving licence;

· Birth certificate;

· Passport;

· Marriage certificate;

· Court order establishing legal guardianship over a child or incapacitated individual;

· Testimony or will from a solicitor establishing entitlement to a claim on the estate.

If the records are held by another organisation, the request will be forwarded to that organisation and a letter will be sent by Niall Colgan & Co. Solicitors to the applicant informing them that this is the case. In this way, the responsibility for the SAR will be discharged from Niall Colgan & Co. Solicitors. Obligations under the Data Protection Acts and the GDPR are in general placed on the holder of the record. If records are shared between two institutions (firms, barristers’ practices, other relevant third party data processors), they will be joint data controllers. Each organisation is obliged to deal with the access request and the authorisation to release the parts of the record in order to ensure the request is processed within the 21 to 60-day timescale. Each organisation processing the access request will accept full responsibility for their own decisions with regard to that request.

If the original application does not contain the appropriate information, a SAR application request form will be sent to the applicant for completion. The deadline of 40 calendar days for response will start from the date of receipt of the completed application.

7. Consent

Where a client is unable to manage his/her own affairs then Niall Colgan & Co. Solicitors will only accept an application by a person appointed by the Courts e.g., under the Court of Protection (or acting within the terms of a registered Enduring Power of Attorney).

8. Processing a request for personal information

Communications with Niall Colgan & Co. Solicitors and applicant concerned should be held until the application has been completed and closed. Niall Colgan & Co. Solicitors will follow up the application at 15 days and 25 days after receipt of the application, with a final reminder to the appropriate employee on day 30, informing them that the application must be completed within 40 calendar days of receipt of the request and asking the employee to confirm to Niall Colgan & Co. Solicitors that the request has been processed. Niall Colgan & Co. Solicitors will update the ‘subject access register/log’ accordingly.

There will not normally be a charge for SAR requests. However, if it is estimated that the cost of processing the request might exceed €50 (through the use of any resources including paper or employee time), fees may be levied on the request at a maximum of €50 (including postage and packing). If this fee is to be charged, the applicant must be notified of this via a letter or email prior to the request being completed.

9. Reviewing the personal records

It will be necessary to review the information before release to verify:

a. if there are any references to third parties.

Responding to a subject access request may involve providing information that relates both to the individual making the request and to another individual. As per the Data Protection Acts and the GDPR, data controllers and processors do not have to comply with the request if to do so would mean disclosing information about another individual who can be identified from that information, except where:

· the other individual has consented to the disclosure; or

· it is reasonable in all the circumstances to comply with the request without that individual’s consent.

Therefore, although Niall Colgan & Co. Solicitors may sometimes be able to disclose information relating to a third party, we need to decide whether it is appropriate to do so on a case-by-case basis. This decision will involve balancing the data subject’s right of access against the other individual’s rights in respect of their own personal data. If the other person consents to us disclosing the information about them, then it would be unreasonable not to do so. However, if there is no such consent, we must decide whether to disclose the information anyway.

For the avoidance of doubt, Niall Colgan & Co. Solicitors cannot refuse to provide subject access to personal data about an individual simply because it obtained that data from a third party. The rules about third party data apply only to personal data which includes information about the individual who is the subject of the request and information about someone else.

Third party, in relation to personal data, means any person other than:

i. the data subject,

ii. the data controller, or

iii. any data processor or other person authorised to process data for the data controller or processor.

b. If there are any abbreviations or complex terms which require explanations as to the content or their meaning (for example use of codes, jargon or acronyms). If the information is terminologically difficult or of a technical nature, Niall Colgan & Co. Solicitors can offer to review the information with the data subject to explain the meanings.

c. If there are grounds to withhold information under other exemptions in the Acts or the GDPR.

A record must be made of information withheld, along with justification of the exemptions that were applied. It is the responsibility of the service manager or lead ‘appropriate health professional’ to review the record prior to its release and to decide what information, if any, should be released and what should be withheld. Advice on Data Protection/Confidentiality is available from the Niall Colgan & Co. Solicitors website, or www.dataprotection.ie.

On inspection of the personal and legal records, Niall Colgan & Co. Solicitors can advise that certain personal information is not released on the grounds that its release would be likely to cause serious harm to the physical or mental health of the client or to any other individual. There is no requirement to tell the client or their representative that this information has not been released.

10. Finalising the request

A letter should accompany the information intended for release. The letter should confirm the response to the original request.

Records will not be forwarded on to third parties but will only be sent to the original applicant. A copy of the information will normally be supplied in hard copy format except where the individual agrees or where it is impossible or would involve undue effort or cost. An alternative would be to allow the individual to view the information. Copies will not be sent via fax or email.

Copies of records sent externally in the post should be:

· In a sealed, tamper-proof envelope e.g. self-sealing jiffy bag;

· Addressed to a named person;

· Marked ‘Private and Confidential’;

· Sent by special/recorded delivery.

Copies of records sent internally should be as above but sent by internal secure courier.

The “subject access register” should contain a record of the date the final correspondence was sent and the request should then be marked in the register as “closed”. All correspondence must be kept on file for two years, in case any further action is required. If the data subject themselves indicates that information about him or her is inaccurate or claims that the processing causes them damage or distress, it will be necessary for Niall Colgan & Co. Solicitors to liaise with any relevant third parties/data processors to investigate. Further guidance is available from the Data Protection Commissioner, under “Data Protection Act Incorrect information- what can I do” at www.dataprotection.ie.

[1] Hereinafter SARS Procedure
