Accessing information policy
Please be aware that due to the outbreak of the Global Pandemic Covid-19, Subject Access requests and Freedom of Information requests may take longer to process. On advice from the ICO, we will work toward best practice in terms of meeting legislative timings for Data Protection Compliance, but must put public health guidance first. Therefore as access to physical documents is restricted and increasing demands on staff workload continues, this may cause delays to your request.
You have the general right to access personal information that we hold about you and all types of information (with some exemptions) that we hold as a public authority.
We are committed to operating on a transparent level and we welcome ‘The Right to Access’ housed within the General Data Protection Regulations and the Freedom of Information Act 2000.
You can apply to access this information in two ways:
Subject Access Request
If you require access to your personal information you should make a Subject Access Request to us. You are generally entitled to find out what personal data we hold about you, why we are holding it and who we disclose it to.
Freedom of Information Request
The Freedom of Information Act 2000 gives you a general right of access to all types of recorded information held by public authorities, sets out exemptions from that right and places a number of obligations on public authorities.
If you make a Freedom of Information request to us, we will inform you whether we hold that information and, subject to exemptions, you will be supplied with the information requested.
Your right to access information is subject to certain exemptions and we retain the right to deny access on grounds that we see fit. We will provide you with a reason should we refuse an access request.
This ‘Accessing information policy’ sets out below more details on both of these requests, including how to submit them to access information.
2. Policy objective
The objective of this policy is to ensure that there is a systematic approach to the management and processing of subject access requests and FOI requests, in order to ensure that we comply with the requirement of access to personal data under the GDPR and the right to request any recorded information held by a public authority under the Freedom of Information Act 2000.
It is the aim of this policy to inform the public and clarify the process for making a subject access request and/or FOI request to us, as well as ensuring our staff are informed regarding the management of both requests. This policy aims to help distinguish between Subject Access Requests and FOI requests.
Subject Access Requests
3. What is a Subject Access Request?
A subject access request is a written request for personal data we hold about you. You are therefore entitled to find out what personal data we hold about you, why we are holding it and who we may disclose it to. (See Paragraph 5)
4. What is Personal Data?
Personal data relates to all information concerning a living individual who can be identified from that information. The information can potentially affect the privacy of an individual. Expressions of opinion about the individual will also be considered as personal data.
Examples of personal data include:
- Telephone numbers
- Email address
Sensitive Personal data (Special Category Data)
Special categories of personal data are those which contain information about your:
- race or ethnic origin
- medical details or banking details
- political opinions
- membership of a trade union
- sex life
- sexual orientation
Criminal Offence Data
Criminal offence data includes data about criminal allegations, proceedings or convictions; this also specifically extends to personal data linked to related security measures.
5. Information you are entitled to obtain
Generally, you have the right to access the personal data that we hold about you. You can obtain the following:
- Confirmation that your personal data is being processed
- What personal data we hold about you
- Access to the personal data we hold about you
- Supplemental information regarding the processing. Supplemental information that must be provided to you is as follows:
– The purpose of processing
– The categories of data processed
– The envisaged retention period
– Your right to rectification and erasure
– Information regarding where we obtained your data (if we did not collect it from you)
– Any regulated automated decision making where necessary
6. How do you make a Subject Access Request?
A subject access request must be made as a written request for personal data.
Subject access requests to the RCVS can be sent to the Head of Professional Conduct, Ms Gemma Crossley, or by post to:
Royal College of Veterinary Surgeons
38 Chancery Lane
7. What we do if you send us a subject access request
We will first check your identity on our system against the level of information that you have supplied. We may ask you to provide further information required in order to confirm your identity.
If you are seeking information for someone else, you must provide that individual’s consent for the release of their personal information.
If you have been appointed to act for someone under the Mental Capacity Act 2005, we will ask you to confirm their capacity and explain how and why you are authorised to act on their behalf.
Collation of Personal Information
We will check whether we have enough information in order to process the subject access request. If further information is required we will ask you for this or for further clarification. The process of collating any manual or electronic information held on the data subject will then begin. We will also identify if any information is provided by a third party or which identifies a third party.
If information that relates to a third party is discovered, we may write to the third parties to seek information on whether there would be any reason for this information not to be disclosed.
We will not provide third-party information unless the third party concerned consents to the sharing of their information, unless it is reasonable to do so without consent.
Before sharing information we may therefore anonymise information that identifies third parties. We will also redact any information that may affect another individual’s privacy.
Providing the Information
Once collation is complete and any concerns addressed, we will send you a copy of the completed subject access request with all information in permanent form that we are obliged to disclose under Article 15 of the GDPR (See Appendix 1). Further supplemental information may also be provided as suggested in paragraph 5 of this policy.
We will summarise information rather than supply whole documents where appropriate. We will generally provide information in electronic format or in hard copy should you request it. In situations where we cannot provide the information in permanent form, we will make an appointment to allow you to view the relevant information in person.
8. Grounds for not complying with a subject access request
Where requests for information are ‘manifestly unfounded or excessive’, particularly if they are repetitive, we will either:
- Charge a fee (see paragraph 9 below); or
- Refuse to respond
If we refuse to respond to your request, reasons for that refusal and guidance on what next steps you can take will be provided to the individual making the subject access request.
Under the GDPR, we also have a right to withhold data (see paragraph 11 below).
We will provide a copy of the personal information we hold free of charge. However, if the request is manifestly unfounded or excessive, particularly if it is repetitive, we will charge a ‘reasonable fee’. This fee will be decided by our Data Protection Officer (DPO).
10. Time to Respond
We will ordinarily provide information within one month of receiving a subject access request. Where necessary, we will extend the period of compliance by a further two months. This will happen when requests are complex and numerous.
We will inform you of any necessary delay within one month of receiving your request.
11. Rights under the GDPR
Right to withhold
Whilst Article 15 of the GDPR provides a right of access to personal information for an individual, we can also withhold personal data if disclosing it would ‘adversely affect the rights and freedoms of others’. [Article 15(4)]. This decision will rest with the Head of Professional Conduct and our DPO.
Where applicable, we may apply appropriate exemptions in accordance with the legislative provisions.
The right to withhold information may also extend to intellectual property rights.
Right to rectification
We will rectify any inaccuracies that you have highlighted regarding your personal information. If personal information is incomplete, you can ask us to complete the data or to record a supplementary statement.
Freedom of Information Requests
12. What is a Freedom of Information Request?
We are committed to ensuring the public have access to information on our activities, unless there is a good reason for them not to and certain exemptions apply.
Keeping in line with the principles of openness and transparency under the GDPR, Freedom of Information (FOI) requests are intended to promote a culture of openness and accountability by conferring on people a general right of access to recorded information.
Both the Freedom of Information Act 2000 and the GDPR place a duty on us to confirm to you whether we hold specified information and, if so, to provide you with the information you request, unless exemptions apply.
13. What are you entitled to access under an FOI request?
Recorded information includes printed documents, computer files, letters, emails, photographs, and sound or video recordings.
The Freedom of Information Act 2000 does not give you access to your own personal data (information about you), such as your health records or credit reference file. If you want to see information that we hold about you, you should make a subject access request to us (see above).
14. How do I make an FOI request?
The process of making an FOI request is similar to a subject access request. It must be a written request for information. However, the FOI Act does impose some procedural requirements on you. Requests must:
- be in writing (email is acceptable)
- state your name
- state an address for correspondence (this can be an email address)
- describe the information in sufficient detail to enable us to identify what information has been requested.
FOI requests can be sent to our Head of Professional Conduct, Ms Gemma Crossley, or by post to:
Royal College of Veterinary Surgeons
38 Chancery Lane
15. What happens when we receive an FOI request
Upon receiving an FOI request, we will identify which of two categories the request is likely to fall into. They are:
- Request for general information about our conduct (such as a request for a procedure).
- Request for specific information about our work and conduct.
Our DPO will work with the designated lead in the team holding the information to:
- establish whether we have the information
- if we do, collate the information
- liaise with any third parties, as appropriate
- identify information which may be subject to exemption, and
- liaise with our legal advisor where necessary
Once we have decided whether to disclose the information to you, we will tell you.
We will, as far as is reasonably practicable, disclose the information to you according to your stated preference. You must specify your preferred format; it is not sufficient to ask for information in ‘all forms in which it is held’.
If we cannot provide the information in the form you have requested, we will explain why. If you have not stated a preference then we may provide the information by any means that are reasonable in the circumstances.
16. Time to respond
We will provide the information within the 20 working-day time limit set in the FOI Act 2000.
If there is a delay in providing the information, either because we need to consider the public interest in disclosing the information, or we need further information, we will explain to you the reason for the delay.
17. Fee for request
The FOI Act 2000 provides that public authorities do not have to comply with a request where the cost of providing information exceeds £450.
When estimating the costs we reasonably expect to incur we take into account the time taken to determine whether we hold the information, and then to locate, retrieve and extract it. The cost per hour is £25.
If we estimate the cost will exceed £450, we can:
- refuse to handle your request but offer advice and assistance on how to refocus the request to bring it within the acceptable limit, or
- handle your request and charge a fee.
We will advise you of the fee before we process your request.
18. When can we refuse an FOI request?
We can refuse a request made under the Freedom of Information Act if:
- it would cost too much or take too much staff time to deal with the request
- the request is vexatious. (The ICO have provide guidance on determining whether a request is vexatious. We will follow this guidance and may seek legal advice), and/or
- the request repeats a previous request from the same person.
If we refuse your request, we will tell you and explain why we have refused it.
Under the Freedom of Information Act, there are a number of exemptions to the right of access. Exemptions are either qualified or absolute (see Part 2 Sections 21-44 of FOI Act).
Some exemptions are qualified. This means that in such cases we must apply a two-stage test.
- We will decide whether the exemption applies to the information you have requested and, if it does, we must then apply the public interest test.
- In applying the public interest test, we consider whether the public interest lies in:
– confirming or denying the existence of the information, and
– providing the information or maintaining the exemption.
There are also a number of absolute exemptions. Once an absolute exemption applies there is no need to consider the public interest. In some cases, there is also an exemption from the duty to confirm or deny whether the information is held.
If an exemption applies, we will inform you of our decision and reasons for applying that particular exemption. This is a complex part of the Act and we may seek legal advice when considering applying the test
20. Refusing a request
Where we refuse a request for information, or where we can neither confirm nor deny whether we hold the information, we will send you a refusal notice explaining in detail the reasons for refusal.
If we rely on an exemption within the FOI Act to refuse disclosure, we will explain why the exemption applied or why it may be in the public interest not to disclose the information.
21. Our complaints procedure
If you are dissatisfied with the outcome of your subject access request and/or Freedom of Information request you may contact our Data Protection Officer (DPO), Ms Eleanor Ferguson, or by post to:
Royal College of Veterinary Surgeons
38 Chancery Lane
Our DPO will review and assess the decision of the Head of Professional Conduct and will respond appropriately.
If you are not satisfied with our DPO’s decision, you may contact the Information Commissioner’s Office or by post to:
75-77 Great Portland Street
The information on this page was last updated on Monday, 09 July 2018.