Artifax Software Limited is aware of its obligations as a Data Controller, with primary responsibility for, and a duty of care towards, the personal data within its control.
Data Subjects whose personal data is held by Artifax Software Limited are entitled to ask Data Controllers:
Note - Data Subjects are advised that with regard to Data Subject Access Requests (DSARs) relating to any personal data located within Artifax Software Limited’s commercially available software products, our customers are the point of contact as they are the Data Controller. Artifax Software Limited operates as the Data Processor and will obviously assist our customers to expedite requests if this assistance is required.
A request for Personal Data is known as a Subject Access Request. However, it may not always be necessary to treat a request for information as a formal request under the Data Protection Act 2018 also known as the UK General Data Protection Regulation (UK GDPR).
If the request for information is one which Artifax Software Limited would normally deal with within the normal course of business, e.g. a request for a copy of a statement by a bank customer, Artifax Software Limited will consider whether this is a formal subject access request under UK GDPR, or whether it can be managed as a ‘business-as-usual’ process.
Note - In order to be valid, a Subject Access Request should be in writing, and should include sufficient information to identify the Data Subject to the Data Controller’s satisfaction. The Data Controller will issue the Data Subject with a Data Subject Access Request Form in order for them to complete this to clarify their request and to confirm their identity. This will be a mandatory requirement for the request to be considered valid.
The Data Controller will also issue the Data Subject with a Data Subject Access Request Privacy Notice informing them of their rights and further information about the nature of the processing undertaken by Artifax Software Limited.
When these criteria are satisfied, the Subject Access Request is considered valid, and the 1-month response period commences.
Artifax Software Limited will strive to respond to a valid request as quickly as possible, but nonetheless within this 1-month period.
Artifax Software Limited will communicate directly with the Data Subject once a valid Subject Access Request has been received.
Rather than having to provide a copy of all data held by the Controller, this contact may help the Data Subject to specify the exact information he or she wishes to receive, thereby reducing both effort and the time and cost required to collate and provide the data being sought.
However, we acknowledge that, where the Data Subject is adamant that he or she wishes to receive a copy of everything the Data Controller holds about them, we will carry out a complete and exhaustive search of the computerised and manually-held data in the organisation.
Unless there is a legitimate option to reduce the scope of the Request, a search of all databases and all relevant filing systems (manual files) which are relevant under the GDPR will be carried out throughout the organisation.
There is no obligation to search back-up files, on the basis that the data in back-up is a copy of the data already held either on the ‘active’ systems, or in archive.
Artifax Software Limited will organise the response to the Request by giving one individual the responsibility for issuing requests for information throughout the organisation and receiving all the returns. This co-ordinator role will normally fall to the Data Protection Officer, where one has been appointed.
The co-ordinator will then have the job of printing out all computerised information which has been returned to them by each department. They will also have received photocopies of all relevant manual files and will therefore collate two sets of material, one being a computer printout and the other being a photocopied manual file.
The manual files which are relevant to the UK GDPR are those which pass the conditions set out in the definition of a relevant filing system. The key criterion is whether the file in question forms part of a structured set. The set has to be structured by reference to the Requestor or characteristics relating to the Requestor. If, for example, the manual files are organised in alphabetical name order, or by payroll number, they will form a structured set.
Compliance with the UK GDPR is not intended to interfere with the normal running of a Data Controller’s business following the receipt of a valid request.
We are not permitted to make changes to the requested information (during the normal course of operation). This includes the correction of any incorrect data held as the principle is that the individual has a right to request the actual information held about them (whether or not it is accurate or correct at the time of the request).
Once the information has been collected, the Request Co-ordinator will consider their obligations to other data subjects.
The Co-ordinator will put themselves ‘in the shoes’ of the individual making the Subject Access Request. They have to read every single page of information to see whether it reveals the identity of any third party, when viewed from the perspective of the person making the request. If the identity of a third party is already known to the Data Subject, then the data containing the information relating to the third party can be revealed to the Data Subject, because he/she is already aware of that information.
However, where the identity of a third party is not already known to the Data Subject in the context revealed by the documents, the Request Co-ordinator will consider whether the request requires the disclosure of the information relating to the third party, or whether it is possible to separate this information from the other information to be disclosed, for example by blanking out (redacting) the name of the individual or blanking out other identifying particulars or any other material. It would be sufficient to disguise the identity of the third party from the Data Subject.
At this point, all other information which is likely to come into the hands of the Data Subject must be considered as well. If the identifying material can be blanked out with black marker pen and the rest of the information on that page can be handed over without revealing the identity of the third party, then this information will be included in fulfilling the Subject Access Request.
Some material is exempt from inclusion in the response to a Subject Access Request.
This includes the content of negotiations with the Data Subject. If the Data Controller is negotiating with the Data Subject at the time at which the Data Subject makes the Subject Access Request, the Data Controller does not have to reveal requested information if to do so would be likely to prejudice those negotiations. Once the negotiations are complete and have been put into effect, the whole file becomes subject to Subject Access in the normal way.
Emails are subject to Subject Access, as are archived computerised and manual data. It must be remembered that CCTV footage and tapes of telephone conversations will also be included within the scope of the request and must be searched on receipt of a Subject Access Request if the data subject so requires.
Other general exemptions to subject access are national security and the prevention or detection of crime, or the apprehension or prosecution of offenders.
Where the personal data contain health information, there is a duty on the Data Controller to consult an appropriate health professional before the information can be released to the Data Subject. This is to avoid disclosing information about adverse health conditions to a Data Subject where the disclosure may be harmful or distressing to the Data Subject, or to another person.
This requirement does not apply where the Data Subject has already had access to the information, or where the Data Subject originally provided the information himself or herself.
We recognise that failure to respond to a Subject Access Request within the 1-month period gives rise to the ability of the individual to complain to the Information Commissioner's Office (ICO) and may well give rise to an investigation by the Commissioner.
In addition, failure to respond within 1 month will be a breach of the UK GDPR.
If it is possible to do so, Artifax Software Limited will liaise with the Data Subject as to the form in which we hand over the information to the Data Subject.
The default position is that the Data Subject gets a hard copy of the information in a “permanent and intelligible format” (which may make it necessary for any internal codes released with the information to be explained), unless the supply of such a copy is not possible or would involve a disproportionate effort, or the Data Subject agrees otherwise. Any terms which are not intelligible without an explanation must be accompanied by an explanation (e.g. a Glossary of Terms).
Finally, once the response to the Subject Access Request has been finalised, the Request co-ordinator will make a full copy of the material to be retained for our own reference.
The copy of the requested material will be dispatched by secure, registered delivery, and we will seek timely confirmation from the Data Subject on receipt of the material.
These records will be used as reference material should there be any dispute in the future as to the content or timeliness of the response provided to the Data Subject.
Policy for Specific Rights of Data Subjects (as related to the Articles below).
This section documents our specific policies for the following rights of data subjects:
Rights to be Informed – Articles 12-14
Artifax Software Limited adheres to the Data Subject's right to be informed of the processing that we undertake:
Right to Access – Article 15
Artifax Software Limited will provide the following information to the Data Subject upon validating their identity and the overall validity of the access request:
Right to Rectification – Article 16
Artifax Software Limited will action this request from the Data Subject upon validating their identity and the overall validity of their request. We will therefore:
Right to Erasure (right to be ‘forgotten’) – Article 17
Artifax Software Limited will adhere to the rights of data subjects in the following cases:
Note – We will not comply with the rights of data subjects in relation to this Article when:
Right to Restriction of Processing – Article 18
Artifax Software Limited will adhere to the rights of data subjects and restrict the processing providing:
Right of Data Portability – Article 20
Artifax Software Limited will adhere to the rights of data subjects in the following manner:
Right to Object – Article 21
Artifax Software Limited will adhere to the rights of data subjects when the data subject has the right to object to the following: