Subject Access Requests Standard Operating Procedure Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not be utilised as guidance or instruction by any police officer or employee as it may have been redacted due to legal exemptions Owning Department: Version Number: Professionalism and Assurance 2.00 (Publication Scheme) Date Published: 25/05/2018 Version 2.00 (Publication Scheme)
Compliance Record Equality and Human Rights Impact Assessment (EqHRIA) Date Completed / Reviewed: Information Management Compliant: Health and Safety Compliant: Publication Scheme Compliant: 23/05/2018 Yes Yes Yes Version Control Table Version History of Amendments Approval Date 1.00 Initial Approved Version 16/07/2013 2.00 Cyclical Review to ensure compliance with the implementation of General Data Protection Regulations and updated formatting standards applied. 23/05/2018 Version 2.00 (Publication Scheme) 2
Contents 1. Purpose 2. Dealing with Subject Access Requests (SARs) 3. Process for Receiving Officer 4. Certificates of Conviction 5. Response Period Appendices Appendix A Appendix B Appendix C Appendix D List of Associated Legislation List of Associated Reference Documents List of Associated Forms Glossary of Terms Version 2.00 (Publication Scheme) 3
1. Purpose 1.1 This Standard Operating Procedure (SOP) supports the Police Service of Scotland (hereafter referred to as Police Scotland) policy for Data Protection. 1.2 Section 45 Law Enforcement/Article 15 of General Data Protection Regulation (GDPR) provides an individual with the right of access to their own personal data. Subject Access is the method used by an individual to obtain this information from Police Scotland. 1.3 Upon making a request in writing and proving their identity, an individual is entitled to know if personal data is held about them and be provided with a copy of it, subject to certain exemptions. Note: members of staff should make use of the Interpreting and Translating Services SOP if appropriate. 2. Dealing with Subject Access Requests (SARs) 2.1 Subject access application forms should be made freely available to individual applicants or their representatives. 2.2 Any application received from a representative of the data subject should be accompanied by a mandate form. Lawyers produce their own mandate forms and these are signed by the applicant authorising the lawyer to work on their behalf. Specialist advice in this respect can be obtained by contacting any of the Data Protection teams throughout the Force. 2.3 Applications for subject access may be made on a Request for Access to Information Form (052-002); however as long as the applicant provides all the required information an application may be processed without a form. 2.4 Forms should be made available from: All police stations; Police Scotland website; By post from Data Protection teams. 2.5 Applications can be sent or handed into any public facing Police Scotland office. 2.6 If the application is handed into a police station, the receiving member of staff will check the following: The application form is fully completed, signed and legible; Two forms of acceptable identification are provided. Version 2.00 (Publication Scheme) 4
2.7 The application form shall not be accepted by staff where: It has not been fully completed; It is illegible; Identification is neither supplied, nor identifies the individual s name, date of birth, current address and signature. 2.8 Where an applicant refuses to provide 2 forms of the prescribed pieces of identification, the application shall be rejected. 2.9 It is important to confirm the identity of the person making the application to ensure that personal data is disclosed to the data subject and not someone impersonating them. 2.10 As a minimum, applicants are required to provide at least two different official documents, which between them, provide sufficient information to confirm the identity of the applicant. 2.11 For example, a combination of driving licence, medical card, birth/adoption certificate and any other official documents which include name, date of birth and current address (utility bill etc). Utility bills/credit/bank statements must be less than 3 months old. 2.12 Photocopies of identity documents will be accepted. 2.13 Where original documents are supplied, the staff member accepting the request shall photocopy the identification and attach it to the completed application form. The applicant should have original identification documents returned to them. 3. Process for Receiving Member of Staff 3.1 Upon receiving a completed application form, staff shall endorse the Staff Use Only section of the application form to record: That they have checked the form and all sections are completed and legible; That original identification documents have been returned; The receipt number; The date the application was received; and The receiving employees job title, name and station. 3.2 Due to the limited response period available, (as per Section 5 below) application forms must be scanned and emailed immediately to dataprotectionsubjectaccess@scotland.pnn.police.uk. If this facility is unavailable application forms must be sent immediately by mail to Information Management Dept, Queen St, Aberdeen AB10 1ZA. Version 2.00 (Publication Scheme) 5
4. Certificates of Conviction 4.1 It is not the practice of the police to furnish testimonials of character. However, individuals requesting information specifically for Scottish centred employment purposes should be directed to Disclosure Scotland, Pacific Quay, Glasgow, G51 1YU, telephone 0870 609 6006, where they can obtain a basic disclosure which will show only unspent convictions in term of the Rehabilitation of Offenders legislation. 4.2 It should be noted that Enhanced Disclosures, which are issued to individuals who are applying to work with children and vulnerable adults in Scotland, can only be obtained through an appropriate registered body as part of the Protecting Vulnerable Groups (PVG) Scheme and the individual should discuss this with their employer. 4.3 If the request is for visa purposes the applicant should be directed to the National Police Chief s Council (NPCC) ACRO Criminal Records Office who will provide a certificate acceptable to Embassies. 5. Response Period 5.1 A full response will be made by the Data Protection team(s) within the legislated time frame (30 days) from the date the completed application was received by Police Scotland. This is a legal requirement. A register of all subject access applications will be maintained by the Data Protection team(s). Version 2.00 (Publication Scheme) 6
Appendix A List of Associated Legislation General Data Protection Regulations (GDPR) Version 2.00 (Publication Scheme) 7
Appendix B List of Associated Reference Documents Policy Data Protection Policy Standard Operating Procedures Interpreting and Translating Services SOP Version 2.00 (Publication Scheme) 8
Appendix C List of Associated Forms Request for Access to Information Form (052-002) Version 2.00 (Publication Scheme) 9
Appendix D Glossary of Terms NPCC ACRO SAR National Police Chiefs Council ACRO Criminal Records Office Subject Access Request Version 2.00 (Publication Scheme) 10