Subject Access Requests

1.  Scope

All personal data as defined by the General Data Protection Regulation (GDPR) processed by ICNARC is within the scope of this procedure.

Data subjects are entitled to obtain:

  • Confirmation as to whether ICNARC is processing any personal data about that individual;
  • Access to their individual personal data;
  • Any related information.


2.1  The Data Protection Officer / GDPR Owner is responsible for the application and effective working of this procedure, and for reporting subject access requests (SARs) to the information owner.

2.2  The Data Protection Officer / GDPR Owner is responsible for handling all SARs.

3.  Procedure

3.1  SARs are made using the Subject Access Request Form (DSP REC 01-1.3.5).

3.2  The data subject provides ICNARC with evidence of their identity, in the form of a current passport/driving licence, and the signature on the identity document must be cross-checked against that on the application form.

3.3  The data subject specifies to ICNARC, on their SAR, the specific set of data held by ICNARC that they are requesting. The data subject can request all data held on them.

3.4  ICNARC records the date that the identification checks were conducted and the specification of the data sought.

3.5  ICNARC intends to provide the requested information to the data subject within one month from the day after this recorded date.

3.6  Once received, the SAR application is immediately forwarded to the Data Protection Officer / GDPR Owner, who will ensure that the requested data is collected within the specified time frame in clause 3.4 above.

3.7  Collection entails:

3.7.1   Collecting the data specified by the data subject; or

3.7.2  Searching all databases and all relevant filing systems (manual files) in ICNARC, including all backup and archived files (computerised or manual) and all email folders and archives. The Data Protection Officer / GDPR Owner maintains a data map that identifies where all data in ICNARC is stored.

3.8   The Data Protection Officer / GDPR Owner maintains a record of requests for data and of its receipt, including dates.

3.9   The Data Protection Officer / GDPR Owner reviews SARs from children. Before responding to a SAR from a child data subject, the Data Protection Officer / GDPR Owner considers their ability to make the request by adequately explaining any implications of sharing their personal data, etc.

3.10  The Data Protection Officer / GDPR Owner reviews all documents that have been provided to identify whether any third parties are present in them, and either removes the identifying third-party information from the documentation or obtains written consent from the third party for their identity to be revealed.

3.11  If any of the requested data is being held or processed under one of the following exemptions, it does not have to be provided:

  • National security
  • Crime and taxation
  • Health
  • Education
  • Social Work
  • Regulatory activity
  • Journalism, literature and art
  • Research, history and statistics
  • Publicly available information
  • Corporate finance
  • Examination marks
  • Examination scripts
  • Domestic processing
  • Confidential references
  • Judicial appointments, honours and dignities
  • Crown or ministerial appointments
  • Management forecasts
  • Negotiations
  • Legal advice and proceedings
  • Self-incrimination
  • Human fertilization and embryology
  • Adoption records
  • Special educational needs
  • Parental records and reports

3.12   In the event that a data subject requests ICNARC to provide them with the personal data stored by the controller/processor, then ICNARC will provide the data subject with the requested information in electronic format, unless otherwise specified. All of the items provided to the data subject are listed on the Confluence System that shows the data subject’s name and the date on which the information is delivered to and received by the data subject.

3.13   In the event that a data subject requests what personal data is being processed, ICNARC provides the data subject with the following information:

3.13.1  Purpose of the processing.

3.13.2  Categories of personal data.

3.13.3  Recipient(s) of the information, including recipients in third countries or international organisations.

3.13.4  How long the personal data will be stored.

3.13.5  The data subject’s right to request rectification or erasure, restriction or objection, relative to their personal data being processed. ICNARC removes personal data from systems and processing operations as soon as a request for erasure has been submitted by the data subject. ICNARC contacts and communicates with other organisations where the personal data of the data subject is being processed, to cease processing information at the request of the data subject. ICNARC takes appropriate measures without undue delay in the event that the data subject withdraws consent or objects to the processing of their personal data in whole or part, or is no longer under legal obligation and/or the data has been unlawfully processed.

3.13.6  The data subject’s right to lodge a complaint with the supervisory authority and a method to do so via

3.13.7  Information on the source of the personal data if it has not been collected from the data subject.

3.13.8  Inform the data subject of any automated decision-making.

3.13.9  If and where personal data has been transferred and information on any safeguards in place.

3.14   ICNARC uses the following electronic formats to respond to SARs.

Document owner and approval

The Information Security Manager is the owner of this page and is responsible for ensuring that this procedure is reviewed in line with the review requirements of the DSP Toolkit.

A current version of this document is available to all members of staff on the Huddle and is published Confluence /

This procedure was approved by the Managing Director.

Please find the SAR Form on the right side of this page.

Copyright © 2023 ICNARC