Toggle menu

Subject Access Policy

Purpose and Scope

The Data Protection Act 2018 (DPA) and General Data Protection Regulation (GDPR) allow an individual to make a request to the Councils for copies of all personal information we hold about them. This is known as a subject access request.

The Act gives individuals (known as data subjects) the right to request access and obtain copies of personal data about themselves.

Data subjects have access rights to their personal information irrespective of when the record was created. This is known as a subject access request.

The purpose of this policy is to outline how Chorley Council and South Ribble Borough Council (referred to as the Council) will manage subject access requests in compliance with UK GDPR and Data Protection Act.

This policy applies to all staff as well as third parties and suppliers involved in the receipt, handling or sharing of information held by the Council.



Individuals have the right to request copies of their information that the Council may hold and to also request certain information relating to the processing of their information including:

  • A description of the information.
  • The purposes the information is used for.
  • The disclosures that are made or might be made.
  • The source of the data.

The Council are required to respond to Subject Access requests within one calendar month from receipt of the request.

Failure to do so is a breach of the Act and could lead to a complaint to the Information Commissioners Office (ICO).

If it is anticipated that a request will take longer than this the applicant must be informed providing an explanation of the delay and agree a new deadline.

Failure to comply with a request for subject access may be referred to the ICO.


Who can make a request? 

Subject access requests can be made by:

  • The individual themselves.
  • Individuals requesting access on behalf of a child for whom they have parental responsibility.
  • A representative nominated by the individual to act on their behalf such as solicitors or a relative, where there is valid consent by the individual granting this authority.
  • In certain situations, a person granted an attorney or agent by the Court of Protection on behalf of an adult who is incapable of consent.


Roles and Responsibilities

The Council SIRO is the senior person responsible for ensuring personal information is kept protected and used appropriately.

Requests from employees shall be responded to in conjunction with the HR Department.

Requests received by the Council will be dealt with by the FOI team with support from Legal within 30 days.

All request will be entered into a log and this will be maintained to monitor compliance.

Prior to the release of any information the Council must be satisfied as to the identity of the person making the request. No information will be released until this identification has taken place. No personal information should be provided over the phone.

The preferred format for submitting SARs is electronically. However, the Council recognises that a request may be in any format - verbal, email, social media, written etc and will manage all in the same way.  

SAR's will be undertaken free of charge unless the legislation permits reasonable fees.

This policy applies to all Officers, Councillors and third parties working on or on behalf of the Council.

Where a requestor is not satisfied with a response to a SAR, the Council will manage this as a complaint.


How is a SAR processed? 

 TaskResponsibile Team
1On receipt of a subject access request you must forward it immediately to FOI.ALL
2The request will be checked to ensure it is within the scope of the Data Protection Act.FOI, LEGAL
3The request will be logged, acknowledged and the identity of the individual confirmed.FOI
4The 30 days will begin. 
5The FOI team will email the relevant departments to request the information liaising with legal and the DPO as required.FOI, ALL
6Exceptions applied and communicated to requestor if required. FOI, LEGAL
7Collated information redacted (if required).FOI
8Information released to requestor.FOI


How do I confirm someone's identity? 

Along with their address, the requestor must provide one of the following documents (scanned copies will be accepted):

 Must be dated in the past 12 monthsMust be dated in the last three months
Current UK/EEA PassportState Benefits Entitlement DocumentFinancial Statement issued by bank, building society or credit card company
UK Photocard Driving Licence (Full or Provisional)State Pension Entitlement DocumentUtility bill for supply of gas, electric, water or telephone landline
EEA National Identify CardHMRC Tax Credit Document 
Full UK Paper Driving LicenceLocal Authority Benefit Document 
HMRC Tax Notification DocumentState/Local Authority Educational Grant Document 
Disabled Drivers Pass  
Judiciary document such as a Notice of Hearing, Summons or Court Order  
Most recent Mortgage Statement  
Most recent Council Tax Bill/Demand or Statement  
Tenancy Agreement  
Building Society Passbook which shows a transaction in the last 3 months and your address  


I have been asked to provide information for a SAR what do I do? 

You need to provide all personal information relating to the request. This includes but is not limited to: Emails (including Mimecast), electronic documents, databases, systems, removable media (for example memory sticks, floppy disks, CDs), tape recordings, paper records and any data which your area is responsible for or owns.

You must not withhold personal data. All data must be provided to the FOI team. They will determine alongside legal if exceptions apply.

For any data you provide this information needs to in an intelligible form. e.g. any acronyms etc must be clearly explained.

The personal data must be supplied in a permanent form except where the requestor agrees it is impossible or would involve due effort. You may be able to agree with the requestor that they will view the personal data on screen or inspect files on our premises.

FOI must redact any exempt personal data from the released documents and explain why that personal data is being withheld.


What should I do if I receive a complaint relating to a SAR? 

 TaskResponsible Team
1Forward this to the FOI inbox. ALL
2The request will be logged, acknowledged and the identity of the individual confirmed.FOI
3Complaint investigated by Legal and DPO.LEGAL, DPO
4Information collated by FOI.FOI
5Referred to the ICO if required.FOI, SIRO


Data Processors and SARs

When procuring a service provider to undertake work on behalf of the Council, appropriate protocols must be agreed to ensure that data processors are aware of their responsibility to assist with requests and to provide information (where necessary) that they may hold relevant to a subject access request received by the Council.

Share this page

Share on Facebook Share on Twitter Share by email