The Information Request Procedure outlines the steps that should be taken when an individual contacts an organization regarding their personal information. Citizens are granted certain rights in regard to their personal information under the General Data Protection Regulation, and a proper information request procedure should outline the process for upholding each right.

The rights that should be addressed in the procedure include:

  • Right to be informed: An individual can ask for confirmation that the organization has collected their personal information.
  • Right of access: An individual can ask for a copy of their personal information.
  • Right of rectification: An individual can ask for their personal information to be corrected if evidence of an inaccuracy is given.
  • Right of erasure: In certain circumstances, an individual can ask that their personal data be erased from the organization’s records.
  • Right to restrict processing: An individual can ask that their data only be stored and not processed.
  • Right to object: An individual can object to the use of their personal data in a particular processing function.

This procedure should be clear enough that any employee who handles an information request can easily follow it.

The procedure should make clear that every information request must be responded to, and fulfilled, within a calendar month (or 28 days as a rule).

Activity Ideas

In groups of three or four, develop a general Information Request Procedure that addresses the steps that should be taken when any type of information request is received. Don’t worry about addressing each of the rights individually.

Each group should be prepared to present their general procedure.

Trainer’s Tip

A sample Information Request Procedure can be handed out to show the format and content of a complete, specific Information Request Procedure that addresses each right. Students can use this handout as an example of the level of detail required for a completed Information Request Procedure.

Extra Information – Handout

Some of these rights are not absolute; there are certain circumstances when you can and cannot comply with these requests.

Access Requests:

Access to personal information cannot be given:

  • If disclosure would reveal personal information about someone else
  • If the information is protected by solicitor-client privilege
  • If disclosure would reveal confidential commercial information
  • If disclosure could reasonably be expected to threaten the life or security of another individual
  • If the information was collected in relation to a legal investigation, and it would be reasonable to expect that the availability or accuracy of the information needed in the investigation would be compromised if access is given
  • If the information was generated in the course of a formal dispute resolution process

If the information that is exempt under the above conditions can be severed or removed, that must be done, and the individual must be given access to the remaining information.

If access cannot be given under one of the previous exemptions, the individual must be notified with an explanation of the decision, including the specific exemption applied, and informed of their right to complain to a Supervisory Authority.

Erasure Requests:

An erasure request can be fulfilled:

  • If the personal information is no longer necessary for the purpose that it was collected
  • If the individual withdraws consent to use the data, or objects to its usage in non-consent contexts
  • If the erasure is in compliance with a legal obligation

An erasure request cannot be fulfilled if the personal information is needed:

  • To exercise the right of freedom of expression and information
  • In compliance with a legal obligation
  • To perform a task carried out in the ‘public interest’ or in exercise of an official authority
  • For the establishment, exercise or defense of legal claims

If erasure cannot be completed, the individual must be notified, along with an explanation of the decision.

Restriction of Processing Request:

Processing can only be restricted:

  • If personal information is no longer needed (and subject to erasure), but the individual needs it to establish, exercise or defend a legal claim
  • If the individual has objected to the processing of their data, and their objection request is being considered (GDPR – Right to Object)

If restriction cannot be completed, the individual must be notified, along with an explanation of the decision.

This is an excerpt from Velsoft’s latest softskills course: GDPR Readiness: Creating a Data Privacy Policy. With the advent of the General Data Protection Regulation (GDPR), businesses need to take data privacy seriously. Writing a data privacy plan is one of the best ways to kick-start compliance by outlining important policies and procedures. Learn how to create a data privacy plan for your organization in this course.