Operational
GDPR Subject Access Request
Process and Procedure
Purpose of the Procedure
This document provides guidance on how to process requests under GDPR.
It gives a step-by-step sequence of what must be done to meet the
different types of requests that data subjects can make. This allows the school
to gain a better picture of the accuracy and consistency of the process.
Background
The UK General Data Protection Regulation lays down rules about the protection of natural
persons in regard to the processing of personal data and the movement of personal data. This
regulation protects the fundamental rights and freedoms of natural persons and their rights to
personal data security. Data subjects have the following rights:
1. The right of access - providing copies of the information held about an individual
2. The right to rectification - correcting incorrect information
3. The right to erasure - deleting all or partial information about an individual, where
consent has been withdrawn and there are no other legal grounds for the processing
4. The right to restrict processing - stopping further processing of an individual's data,
where consent has been withdrawn and there is no legal ground for further processing
5. The right to data portability - providing information in a machine-readable format and
being able to transmit such data to a third party upon an individual's request
6. The right to object - stopping the processing of an individual's data for direct
marketing, profiling and where there are no compelling legitimate grounds
7. Rights in relation to automated decision making and profiling - not to be subjected to
a decision based solely on automated processing, including profiling of an individual.
Who should use this procedure
This procedure should be used by all members of staff who have the authority to process Data
Subject requests. The Info Rights Team will be the first point of contact, where the process
below will take place. The Divisional, Centre, Institution or Departmental staff member
processing the request will then conduct relevant searches for information, correct data where
this is part of normal processes, and contact relevant LSE staff as listed in Appendix 2, though
any staff holding personal data on behalf of the School will be required to provide it, including
data held on WhatsApp and other messaging services. See Process Flow 2 below for a step-by-step guide.
Process Flow - There are three parts to this process:
1. The Info Rights Team - This is the point at which requests are received, or redirected if
received at a different part of the School, through the email address
glpd.info.rights@lse.ac.uk. The Info Rights Team will:
1.1. Acknowledge receipt of the request (automated, where possible)
1.2. Confirm the request type, i.e. access, right to rectification or erasure of personal data
1.3. Confirm the authentication of the ID provided or request ID as required
1.4. Log the request and create a folder in Outlook
1.5. Confirm validity of the request and accept or refuse to process and inform the Data Subject
1.6. Allocate to the appropriate person/department/division/centre/institution that holds the
information within 3 days of receiving the SAR AND/OR contact the Network Team in
DTS with relevant search terms so that DTS can conduct a search in the M365 tenancy
for any relevant information.
   1. Where necessary for large amounts of material found in a search, external support
   will be contracted in to help manage the processing of the request.
1.7. Respond to any issues raised by staff (not shown on the process flow)
1.8. Review information provided by staff (not shown on the process flow)
[Figure: Process Flow 1 (Info Rights Team). DSAR received; send acknowledgement; if not okay, request another ID or clarity as per the request, or refuse to process; if okay, send to department with the type of right (Art. 15-22) and advice. Departments shown: Human Resources, Summer School, Library, IT Services, Halls of Residence, Careers Service, General student information, Finance Division (including e-Shop), Academic Department/Institute, Financial Support and Fees, Examination marks or comment, LSE Advancement, PAGE, DTS.]
2. Divisional, Centre, Institution or Departmental Level - This is where the information
relating to the request is gathered. Staff should respond to the Info Rights team with
either the information, confirmation that they do not hold the information and/or an indication
of where redactions or exemptions may be needed, within 21 days of receiving the request
from the team. The actions below are guides to follow; for certain requests, information
may be sitting in more than one data store.
2.1. Acknowledge receipt of subject access request
2.2. System check for staff name or LSE email address or student number, e.g. SITS for
students and HR for staff
2.3. Conduct searches. Below are the likely data stores; however, this list is not exhaustive,
and any store where documents, emails and other information containing personal data are held
will be potentially searchable, including personal email and cloud storage accounts where
School related business information is stored. Use of non-School stores does not mean
that personal data is not recoverable; what matters is that the School is data controller
for the information, which it will be for any personal data processed on behalf of the
School.
1. Cloud - Barclaycard, Doodlepoll, EvaSys, Issue Trak, MailChimp, Moodle, Office 365,
OneDrive, Qualtrics, QuickBooks, Salesforce, Sugar Sync cloud storage,
SurveyMonkey, VN (bytemark.co.uk), CMG Cloud and other cloud
2. Drive C, P, H, J, K, O, R, S, X, D, USB pen drive, ICEF drive and Google Drive
3. Electronic storage offsite, PaaS platform (heroku.com)
4. Physical storage - Department noticeboards, staff and student common room
5. SharePoint, Dropbox, Google server (TLC), Guestline data centre
6. LSE archive in Wincanton
7. LSE for You
8. LSE hosted database
9. LSE Slough Data Centre
10. IMT Oracle Table
11. Training and development system
12. ThinkPad x250 (internal ssd)
13. SONA system, E REC system
14. School listserv, Resource Link, Poppulo, Nextcloud (Secure server at Bielefeld Uni)
15. CMS, Aptos, Contensis, WPN
16. Diversity Travel
17. Economics server, Unit-e servers
18. Elsevier Electronic Editor System (EES)
19. Email, Engage ATS, Eventbrite, Evernote
2.4. Raise any issues with the Info Rights team (not shown on the process flow chart). See
Appendix 3 for usual issues that arise.
2.5. For certain requests some information needs to be provided to the data subject; see
Appendix 1 for more information and the requirements
2.6. Provide information to the Info Rights team
2.7. The flow chart below describes the full process to follow. Right to Erasure requires Info
Rights team input and authorisation for deletion before an individual's data can be
forgotten or erased.
2.8. Automated decision making and profiling, as sectioned out in red on the flow chart, requires
physical action that may involve another member of staff or an external body. Therefore, it is
advisable to include the respond-by date to avoid any delay.
Note: in Process Flow 2, the process starts from the first row and leads to 2, 3 and 4, depending
on the type of request you are processing.
[Figure: Process Flow 2 - Departmental / Centre / Institution / Divisional Level. Start of the process: receive request from Info Rights Team, acknowledge receipt, system check (e.g. staff email, student number), identify applicable system(s) and data lineage (other possible locations on the data journey, e.g. paper archive, reports, backups, files, LSE website), then apply the type of right (Art. 15-22). Three branches follow: Right to Access and Data Portability (Art. 15 & 20); Right to Rectification or Erasure (Art. 16 & 17); Right to Restriction, Objection of processing and Automation decision & Profiling (Art. 18, 21 & 22). Each branch ends with logging DSAR activities (Art. 30) and sending the response to the Info Rights Team.]
3. Responding to SAR - The Info Rights team will be responsible for sending correspondence to
the data subject in a structured, commonly used and machine-readable format, will redact the
data as required, and will transmit those data to another controller/third party where this has
been indicated by the data subject, without delay, within 2 days of receiving the final report.
[Figure: Process Flow 3. Response received from depts./division etc.; Info Rights team validates the response; if the response is not adequate, request more info/clarification; if adequate, handle any request to copy a third party (Art. 15), send in machine-readable format (Art. 20), inform the data subject (Art. 12) and log SAR activities (Art. 30); end.]
Deviations
Any deviations from this Procedure must be documented and approved by the office of School
Secretary, Information Governance Management Board or the Data Protection Officer (Rachael
Maguire).
Example 1
An organisation receives a request on 3 September. The time limit starts from the next day, 4 September. This
gives the organisation until 4 October to comply with the request. However, if the end date falls on a Saturday,
Sunday or bank holiday, the calendar month ends on the next working day.
Example 2
An organisation receives a request on 24 November. The time limit starts from the next day, 25 November. The
corresponding calendar date is 25 December, but 25 December and 26 December are bank holidays. So the
organisation would therefore have until the next working day, 27 December if that was a week day.
Example 3
An organisation receives a request on 30th March. The time limit starts from the next day, 31st March. As there is
no equivalent date in April, the organisation has until 30th April to comply with the request.
However, if 30th April falls on a weekend, or is a public holiday, the calendar month ends the next working day.
Timescales
This process must be completed within a calendar month of receiving the request. For any delay, please
communicate with the data subject via email through the Info Rights team. If more time is needed
to respond to complex requests, an extension of another two months is permissible, provided this is
communicated to the data subject in a timely manner within the first month. Where it has been agreed
not to action the request, the data subject must be informed of this decision and advised of the right to
complain to the supervisory authority (ICO) and to a judicial remedy.
The day of receipt includes when the School has received proof of ID.
What is a calendar month?
A calendar month starts on the day after the organisation receives the request, even if that day is a
weekend or public holiday. It ends on the corresponding calendar date of the next month (ICO, 2018).
Also, if the corresponding calendar date does not exist because the following month has fewer days,
it is the last day of the month.
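The calendar-month rule above, together with the three worked examples, expressed as an added Python example (not part of the School's procedure). The function names are hypothetical, the bank-holiday dates are supplied by the caller, the sample years are constructed, and treating receipt as the later of the request and the proof of ID is an assumed reading of the Timescales note.

```python
import calendar
from datetime import date, timedelta


def corresponding_date_next_month(start: date) -> date:
    """Same day-of-month one month later, or that month's last day if it is shorter."""
    if start.month == 12:
        year, month = start.year + 1, 1
    else:
        year, month = start.year, start.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(day: date, bank_holidays) -> date:
    """Roll forward past Saturdays, Sundays and the supplied bank holidays."""
    while day.weekday() >= 5 or day in bank_holidays:
        day += timedelta(days=1)
    return day


def sar_deadline(request_received: date, id_proof_received=None,
                 bank_holidays=frozenset()) -> date:
    """Latest date for responding to a subject access request."""
    # Assumption: the day of receipt is the later of the request itself and
    # the proof of ID, when ID had to be requested.
    received = max(request_received, id_proof_received or request_received)
    # The month starts the day after receipt, even if that day is a weekend
    # or public holiday.
    start = received + timedelta(days=1)
    # It ends on the corresponding date next month, moved to the next working
    # day when that date is a weekend or bank holiday.
    return next_working_day(corresponding_date_next_month(start), bank_holidays)


if __name__ == "__main__":
    # Constructed sample: the page's three examples placed in 2018.
    holidays = {date(2018, 12, 25), date(2018, 12, 26)}
    for received in (date(2018, 9, 3), date(2018, 11, 24), date(2018, 3, 30)):
        print(received, "->", sar_deadline(received, bank_holidays=holidays))
```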
Third party/Processor
LSE, as a data controller, sometimes uses applications and systems not owned by the School and
sometimes contracts out data processing activities to a third party, known as the Processor.
This processor must assist LSE in meeting its GDPR obligations in relation to subject access requests.
LSE will request that individual's data, or request an action to be taken by the processor, based on
the type of right the data subject is exercising, e.g. deletion or rectification; once authorised, data
stored on the third-party system concerning that individual must also be deleted or corrected as soon
as possible within a reasonable time (specified by LSE). Where a request has been made to a processor,
it is advisable to include a respond-by date and send a reminder letter one week before the due date
to avoid any delay.
Appendix 1: Information and Requirement
General Data Protection Regulation - This Regulation applies to the processing of personal data
wholly or partly by automated means and to the processing other than by automated means of
personal data which form part of a filing system or are intended to form part of a filing system. It also
lays down rules relating to the protection of natural persons with regard to the processing of personal
data and rules relating to the free movement of personal data. The free movement of personal data
within the Union shall be neither restricted nor prohibited for reasons connected with the protection
of natural persons with regard to the processing of personal data.
1. The controller (LSE) shall not refuse to act on the request of the data subject for exercising his
or her rights under Article 15 to 22 unless the controller demonstrates that it is not in a position
to identify the data subject (Article 11 processing which does not require identification).
2. The information shall be provided in writing, or by other means, including, where appropriate,
by electronic means. When requested by the data subject, the information may be provided
orally, provided that the identity of the data subject is proven by other means.
3. Information provided under Articles 13 and 14 and any communication and any actions taken
under Articles 15 to 22 and 34 shall be provided free of charge. Where requests are manifestly
unfounded or excessive, in particular because of their repetitive character, LSE may either:
3.1. charge a reasonable fee taking into account the administrative costs of providing the
information or communication or taking the action requested; or
3.2. refuse to act on the request where the administrative cost is found to be very high. LSE must
tell the data subject why without undue delay, within one month, and that they have the
right to complain to the supervisory authority and to a judicial remedy.
4. The data subject shall have the right to obtain information from the controller about how their
personal data is being processed and where it will be processed (Article 15); the following
need to be included:
4.1. the purposes of the processing;
4.2. the categories of personal data concerned;
4.3. the recipients or categories of recipients with whom personal data has been or will be shared,
especially if the recipients reside in third countries or are an international organisation;
and
4.4. the retention period for which the personal data will be stored
5. The existence of the right to rectification or erasure of personal data (Art. 16 and 17) or
restriction of processing (Art. 18) or to object to such processing (Art. 21).
5.1. In cases when the personal data are not collected directly from the data subject, any
available information as to their source has to be provided.
5.2. The existence of automated decision-making including profiling (Article 22)
5.3. The right to lodge a complaint with a supervisory authority (ICO)
6. If personal data are transferred to a third country or to an international organisation, the data
subject shall have the right to be informed of the appropriate precautions (Art. 46) concerning
the transfer.
7. The controller shall provide a copy of the personal data that is undergoing processing where
applicable
Appendix 2: Applicable Contact and Why

Contact: ARD Systems
Why: For a copy of the SITS record

Contact: Student Services Centre
Why: For a copy of the green student file (ask for scanned)

Contact: Head of Fees Office
Why: For fees records

Contact: Head of Financial Support Office
Why: For financial support records

Contact: HR Systems
Why: For all HR related information, they will co-ordinate the HR response.
Exceptions: HR Partners can provide detail on staff cases and who to contact in business units if necessary.

Contact: LSE Careers System Manager
Why: For Careers Service records

Contact: PAGE System Manager
Why: For Advancement records, including alumni records

Contact: DTS Departmental Manager
Why: For any DTS related records. He will co-ordinate the DTS response

Contact: Director of Library Services
Why: For any Library related records. She will co-ordinate the Library response

Contact: Departmental, Centre, Institute managers
Why: Wider requests involving students, all requests involving staff, alumni, visitors
Exceptions: Alison Grant is the Law contact: a.grant[email protected].uk

Contact: PhD Academy: phdacademy@lse.ac.uk
Why: For PhD related records
Exceptions: May also be held with departments.

Contact: Department Managers or where available programme email addresses e.g. ih.ug.admin@lse.ac.uk
Why: For examination marks, comments and exam board minutes
Exceptions: Geography students moving from 1st year to 2nd and 2nd to 3rd should be encouraged to wait until MT of the next academic year as they will discuss their marks and comments with their tutor.

Contact: Residences System Manager
Why: For any residences related requests. Contact the relevant hall

Why: For any Summer School related requests.

Contact: Any other: contact the person/people mentioned directly.
Why: For requests which mention specific individuals as likely to hold the information.
Exceptions: If a staff member mentioned on the request is no longer with the School, note this for the response.

Any requests for LSE Students’ Union related information, any pensions related information and any
trade union related information should be directed to those organisations as they are separate data
controllers to the School.
Appendix 3: Issues that can arise with a subject access request
How do I find the information requested?
Generally, people will provide or can be asked for variations of their name, staff ID numbers, student
ID numbers, candidate numbers etc. If a specific time period is important, they will need to say what
it is. If you have kept a folder relating to that individual with everything in it, you can provide that folder.
Otherwise, do a search by their name or other ID wherever you think information could be stored (see
the list in 2.3). If you are fairly certain there won’t be any information in a particular storage
area, you do not have to search there initially, but you might have to if there is a complaint and we
have to show the Information Commissioner’s Office what searches we conducted.
What if I don’t hold any information?
Just say so. It is best to conduct a search if you are unsure, but if you are fully aware you have
never dealt with that person, you don’t have to. Again, we may require you to conduct a search if
there is a complaint.
How do I get the information to the Info Rights team?
Email is best (internal email is a secure method). However, sometimes the amount of
material you need to provide can't be sent via email. In that case, you can provide it via File-Drop.
You will need to send to a personal email address for File-Drop, not the Glpd.Info.Rights@lse.ac.uk
email address.
What if the information is in paper format?
If we are in the office, you can either scan it or send it over to us for copying/scanning. If we are
working from home and unable to access the paper file, we will let the data subject know as soon
as possible.
What if the information covers more than one person?
Let the Information Rights team know. They can then redact (remove or black out) the information
that relates to the third party. We shouldn't provide another person's personal data as part of someone
else's request, though we will make an exception for names and email addresses of staff in the course
of their work.
What if I don't want to release the information to the person requesting it?
There are some exemptions for subject access. For example, legal professional privilege covers any
communications with the School's solicitors. There are exemptions for negotiations, management
information and examination scripts. However, the presumption in data protection is that people can
access personal data relating to themselves, so we should only use exemptions when we have to.
The person making the request has been harassing us for ages and this is part of a campaign to interfere with our work. Do we have to comply with the request?
Under the old data protection regime, yes. Under the GDPR however, there is an ability to refuse a
request based on it being manifestly unfounded or excessive. This has been introduced in particular
to manage multiple requests for the same information or where the intent is not to gain access to
information but to use the subject access process as a punishment. It is useful to respond to initial
requests as fully as possible, but for multiple requests or malicious requests, we can possibly refuse
to respond on this basis.
Review schedule
Review interval: 2 years
Next review due by: 31/5/2025
Next review start: 1/5/2025
Version history
Version 1 - Date: July 2018. Approved by: Legal Team.
Version 2 - Date: 29/01/2021. Approved by: IGMB. Notes: Updates on contact details; removal of named individuals from Appendix 2
Version 3 - Date: 19/05/2023. Approved by: IGMB. Notes: Updates to procedure including reference to DTS searches and external support
Links
Rights under GDPR: Information-Rights-and-Management
Privacy Policy: Privacy Data Protection
Retention Schedule: School Retention Schedule
Data protection form, also known as Subject Access Request Form (SAR): Data Protection Form
Information Commissioner’s Office (ICO): ICO
Contacts
Position: Data Protection Officer. Name: Rachael Maguire. Email: R.E.Maguire@lse.ac.uk. Notes: Reviewer
Communications and Training
Will this document be publicised through Internal Communications? TBC
Will training needs arise from this policy? TBC
If Yes, please give details