Please note, our office and phone lines will be closed from 23rd December to 3rd January. All queries will be responded to in the new year. 

subject access request policy

1. Statement of Policy

In the course of business, caba captures personal data about its beneficiaries, donors, employees, members, other eligible parties, suppliers and volunteers. caba regards the proper treatment of such data as critical to its effectiveness and to maintaining confidence between caba and those with whom it works. In light of this, caba is fully committed to abiding, not only to the letter, but also in the spirit of Data Protection Legislation, and, in particular, is committed to the observation of the highest standard of conduct mandated by that legislation.

This policy informs you of your rights, under article 15 of the GDPR, when requesting copies of your information from caba, why caba need to verify who you are and what you should expect caba to provide to you. It also describes how you can go about making a Subject Access Request.

2. Why caba may ask you for further information

You can request copies of your information in any reasonable way you would like, by contacting caba online, by email or over the phone. Contact details can be found at the end of this document.

In order to deal with your request, caba must be able to identify your records with absolute certainty. This may mean caba ask you to supply additional information, including but not limited to: date of birth, postal address, email address and postcode

Subject access is not in itself an objection to processing and so in processing your request caba may continue to record further information, specifically that a request has been made and what information was provided.

3. Why does caba have my personal information?

You provide information directly when you:

  • register your details with caba
  • enquire about caba’s services
  • sign up to attend a course
  • make a donation
  • use caba’s online resources
  • communicate with caba through our website

Information is provided to us indirectly:

  • your information will be shared with caba by the ICAEW when registering or renewing your membership
  • your information may also be shared with caba by 3rd parties, for example: independent event organisers when caba jointly support an ICAEW event or provide a workshop at your firm

When you use caba’s website we'll collect your personal information using 'cookies' and other tracking methods. For more information on the cookies and tracking methods caba use, please refer to caba's cookie policy at caba.org.uk/cookie-policy

caba is the Data Controller, which means caba determine the manner in which personal data is processed and for what purposes, this can either be alone or in rare instances this can be jointly with another controller. caba is ultimately responsible for the data caba hold. Any 3rd party who process that information on caba’s behalf is a Processor.

caba ensure all of our processors are compliant with Data Protection Legislation, this is warranted in caba’s contractual agreements with them and due diligence checks are also undertaken.

4. Your rights

As defined in article 15 of the GDPR:

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

the purposes of the processing;

  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  • Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, caba may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

The right to obtain a copy referred to shall not adversely affect the rights and freedoms of others.

5. How caba will carry out your request

No two Subject Access Requests will be the same. Below are the important points for you to consider. Should anything else reveal itself during the course of the request, caba will contact you directly:

  • caba are required to provide you with a copy of your information within 1 month of a valid request
  • In circumstances where caba cannot meet this deadline, caba will notify you within that month, providing an explanation for the delay and a realistic estimate of when you should expect the information. This must be no longer than 3 months from the valid request being made
  • Unless they give consent, any third party information contained within your information will be redacted
  • Where requests are excessive or frequent and in line with legislation, caba reserve the right to charge a reasonable fee to cover the costs of providing the information. caba will tell you this at the outset
  • caba will retain a copy of your Subject access for 6 months from providing it to you, after which it will be destroyed. The original information from which it was sourced will remain in those original systems until such time that caba’s retention schedule dictate that they should be destroyed.
  • It may be necessary for other members of caba staff to assist our Data Protection Representative with your request. All of our staff have up to date training in data protection, which is refreshed annually. They have also signed confidentiality agreements.


6. How to make a subject access request or contact us if you suspect inaccuracies in the information caba holds.

To make a subject access request, please contact us.

If you are unhappy with the way your subject access has been carried out or the accuracy of the final content, you can raise these concerns by contacting caba’s Data Protection Representative at:

Michael Smith
caba
Merrett House
Swift Park
Old Leicester Road
Rugby
CV21 1DZ
Telephone: 01788 556 366

Email: [email protected]

If you are still unhappy with the outcome and would like to complain to the ICO, then you can do so at:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
www.ico.org.uk/make-a-complaint/

7. This policy is regularly reviewed.

Any amendments will be posted as revised copies which can be found on our website.