Where to find things - Our Tesco




Internal. Managers/People Partner's Guide to Data Subject Access Requests, Version 1

Colleagues, customers and other individuals have a legal right to find out:

- whether Tesco holds, or otherwise uses, any personal information about them;
- how it uses that data; and
- to obtain a copy of it.

A data subject access request is any request made by an individual in writing to obtain details about, and a copy of, their personal information which is held by us. The request does not have to be made on any specific form, as long as it is in writing. We have a legal obligation to deal with any written request to exercise this legal right in a certain manner and within a strict 40 day time limit. If we fail to do this, we could be held liable for a breach of that legal obligation. The purpose of this guidance is to assist you, if you receive a request, to respond to it in line with our obligations. This guidance only covers requests to see personal data which is held by the following areas of Tesco's businesses:

- Tesco Plc;
- Tesco Clubcard;
- Tesco.com;
- Tesco Direct;
- Tesco Opticians;
- F&F;
- Wine by the Case; and
- Tesco's Customer Engagement Centres.

If a request is made to see data held by other areas of Tesco’s business, such as Tesco Mobile, Tesco Pharmacy, Tesco Bank or Tesco’s Nutri-Centres, then a separate request must be made to that business area, using the contact details provided in our subject access request form.

If Tesco fails to respond to a subject access request properly and to provide the data within the compulsory 40 day time limit, then we could be found liable for a breach of the Data Protection Act 1998. This could result in a legal claim for damages against Tesco and/or enforcement action from the regulator, the Information Commissioner's Office. As a result, any failure to comply with this process could result in disciplinary action.

Verbal requests do not have to be treated and responded to in the same way as a written subject access request, but should be dealt with by the appropriate People Manager/Partner informally, promptly and effectively, where possible. Verbal requests for specific, easily retrievable data which relates only to the individual making the request can be responded to in this way. However, it may be necessary to ask for other verbal requests to be put in writing. For example, requests for:

- data that may reveal personal information about someone other than the person making the request;
- data that may reveal something confidential or contentious to Tesco; or
- significant quantities of data, such as CCTV.

If an individual is unable to make a written request to see their data, due to a disability, then their verbal request should be treated and responded to in the same way as a written subject access request (see point 4 onwards). If any of these factors apply, ask the individual to send a written request to Data Protection Executive at Corporate Investigations, Group Safety, Security and Resilience, Tesco Stores Ltd, 5 Falcon Way, Shire Park, Welwyn Garden City, Herts, AL7 1TW or email them. If you have any questions, you can also email the Data Protection Executive for advice.

October 2015

Provide the colleague with a copy of Tesco's subject access request form as soon as possible after receiving the request. This form will ask them to provide proof of their identity and to pay a £10 administration fee. It will also ask them for more information about the type of data that they want a copy of. Provide this to the colleague with Letter A, B, C or D as appropriate.

Note: we cannot force our colleague to fill out this form or to provide further information about the data they are requesting. However, we can require proof of identity, if we need it, and ask the individual to pay a £10 administration fee before we respond to the request. If a colleague refuses to complete a copy of the subject access request form, then they must be sent a letter which acknowledges their subject access request and asks them for the £10 fee and/or proof of ID (as appropriate).

Proof of Identity: This is required to ensure that Tesco doesn't send out copies of personal data to someone that is not entitled to see it. There may be circumstances where it is not required (for example if the request has been submitted personally by a colleague that is known to you), in which case the section dealing with proof of ID can be deleted before providing the subject access request form.

Examples:

- You have received a written subject access request from a colleague. You know this colleague personally and have even had a phone conversation with them about the request. It would be unreasonable to ask for further ID in this case.
- You receive a written subject access request from someone claiming to be a former colleague. The name on the request matches that of an ex-colleague, but there is nothing else in the request to enable you to be confident that the requestor is our ex-colleague. In this situation, it would be reasonable for you to ask for more information before responding to the request, e.g. their date of birth, a passport or a birth certificate.

If you are unsure whether proof of ID is needed, then please email the Data Protection Executive for advice.

£10 Fee: This may be waived where appropriate, for example where requesting it may inflame an already difficult situation. Where this has been decided, delete the wording from the subject access request form.

If the request is purely for non-controversial information that you hold in the colleague's personnel file, e.g. absence records, then please ensure you deal with this promptly. If the request is for more detailed information, e.g. Clubcard information as well as their personnel file, or for information which also refers to another individual, such as a grievance or appeal file, please promptly email the request to the Data Protection Executive. The Data Protection Executive will monitor compliance with the 40 day time limit. Note that if the fee and ID proof were received with the request, or are not required, then the 40 day time limit starts from the date on which that request was received. If the fee and the ID proof are not received with the request, then, as long as they are promptly requested, the 40 day time limit does not start until they are received (unless they are waived), and receipt of them should be logged separately with the Data Protection Executive.


Once the £10 fee and proof of identification are received, the relevant People Manager/Partner needs to search for Personnel File documents requested. The search for any other personal data will be instigated by the Data Protection Executive.

Once the personal data has been located, it must be reviewed:

- to decide whether any data relating to other individuals needs to be redacted (this means we edit it so it doesn't show any confidential information that the colleague has no right to see); and
- to check whether any data needs to be withheld, because it falls within an exemption, or because the data relating to other individuals cannot be effectively removed.

The review and any redaction of the personnel data must be carried out by the People Team. If you need further guidance on this, please email the Data Protection Executive.

Once the data has been reviewed and where necessary redacted, copies must be provided to the individual who made the request, together with Letter E, which describes:

- the personal data held by Tesco about the individual;
- how and why that data is being used by Tesco;
- any recipients/classes of recipients that their data has been or may be disclosed to;
- the sources of the data; and
- the logic involved in any automatic processing of personal data relating to the individual which has constituted or is likely to constitute the sole basis for any decision affecting them.

Once the data has been reviewed and where necessary redacted, the People Manager/Partner must copy it, redact it and send it to Data Protection Executive. Email the Data Protection Executive to let them know when you’ve sent the personnel data to them. The Data Protection Executive will post it to the colleague with any other documents they’ve requested with a covering letter which fulfils our requirements under this legislation.

In some limited circumstances we don't have to send all of the information we have about a colleague to them. These are:

- Confidential references: references which we have provided in confidence. We do, however, have to provide copies of references which we have received.
- Health data: where the provision of the data is likely to cause serious harm (this decision must be made by a health professional).
- Management information (personal data being processed for management forecasting or planning purposes): where disclosure would be likely to prejudice Tesco's business or other activity.
- Crime and tax (personal data being held for the purposes of the prevention or detection of crime, the capture or prosecution of offenders, or the assessment or collection of tax): where providing a copy would be likely to prejudice those purposes.
- Negotiations with the requester (records of our intentions relating to any negotiations which we have entered into with the requestor): where providing the data is likely to prejudice those negotiations.
- Legal advice and proceedings which are subject to legal professional privilege: this applies to communications between us and our legal advisers (internal or external).
- Data which may reveal a criminal offence (other than an offence under the Data Protection Act 1998) and which would expose Tesco to criminal proceedings.

If you believe that any of these exemptions may apply to the data which you are being asked to provide in response to a SAR, please email the Data Protection Executive for assistance.

There is no limit on the number of Data Subject Access Requests that a colleague can make, but we don’t have to respond to requests made at unreasonable intervals. We also don’t have to comply with an identical or similar request which we have already dealt with, unless a reasonable interval has elapsed between the first SAR and the subsequent one. Whether there has been a ‘reasonable interval’ or not depends on certain factors, such as how often the data is altered. If you have received a repeat SAR asking for the same or similar information shortly after having responded to a SAR, please email the Data Protection Executive for assistance.

Explain to the police that any request for customer or colleague details must be made to our Data Protection Executive:

Corporate Investigations
Group Safety, Security and Resilience
Tesco Stores Ltd
5 Falcon Way, Shire Park
Welwyn Garden City, Herts, AL7 1TW

or by email to [email protected]

If you receive a direct request, e.g. relating to a criminal investigation, please send it immediately to the Data Protection Executive as outlined above. If an Immigration Officer arrives in person, they should have a warrant which allows them to search personnel files and take copies of documents. If they have a warrant, you should comply with the request and allow them to take copies (NOT originals) of the documents. Please ensure they have signed the visitors' book and have also signed a document which lists what documents they have taken away. Our pharmacies may be asked to provide access to and/or copies of patients' records by NHS Counter Fraud Investigators, GPhC (General Pharmaceutical Council) Inspectors, the police service or other third parties. See the Pharmacy Guide for more information, including contact details for the Pharmacy Superintendent's Office.


DSAR process flow (the steps of the flowchart, in order):

1. The DSAR is received, either by the Personnel Manager ("PM") or by the Data Protection Executive ("DPE").

2. The PM logs the DSAR with the DPE; the DPE logs the DSAR on the system to start tracking compliance with the 40 day deadline.
   WARNING: if the £10 fee and ID evidence are received with the request, or are not required, the 40 day time limit starts here.

3. The PM/DPE provide the DSAR Form to the individual for completion (insert link/locator to DSAR form). If the DSAR Form is refused, the PM/DPE send out the DSAR Acknowledgement letter.

4. The £10 fee and ID evidence (and possibly the DSAR Form) are received, or are waived. The PM logs receipt of the fee and ID with the DPE.
   WARNING: the 40 day time limit starts here.

5. The DPE instigates the search for non-personnel data and requests the PM to search for any personnel data requested, notifying them of the 40 day deadline. The PM instigates the search for any personnel data requested. The DPE tracks compliance with the 40 day deadline.

6. The data is received, reviewed and redacted/withheld by the PM/DPE as permitted/required by the DPA. See the DSAR Guidance in Policy 5.2.3 of the Policies for our People (insert link).

7. The PM sends a copy of the personal data, redacted as required, to the DPE.

8. The DPE sends the copy of the redacted personal data and any other documents out to the individual with a covering letter.