Individual Rights (Data Privacy) Policy
January 2021
1. Introduction
1.1 UK data protection law gives individuals whose personal information is collected and/or used rights in respect of such information.
1.2 Any individual (including an employee, contractor, director, investor or financial professional) whose personal information is collected and/or used by the Financial Reporting Council Limited (“FRC”, “we”, “us” or “our”) will benefit from these rights in accordance with the provisions of this Data Protection Rights Policy (“Policy”).
2. Objectives
2.1 To ensure that we handle personal information in accordance with the law.
2.2 To explain how we deal with a request from an individual to exercise their data protection rights ("Request").
3. Individual's Data Protection Rights
3.1 We must assist individuals to exercise the following data protection rights, consistent with the requirements of applicable UK data protection law, including the Data Protection Act 2018 and the GDPR. The UK GDPR provides the following rights for individuals:
3.1.1 The right to be informed: Individuals have the right to be informed about the collection and use of their personal data. We do this through our privacy notices;
3.1.2 The right of access: This is a right for an individual to obtain confirmation whether a controller processes personal information about them and, if so, to be provided with details of that personal information and access to it;
3.1.3 The right to rectification: This is a right for an individual to obtain rectification without undue delay of inaccurate personal data a controller may process about them;
3.1.4 The right to erasure: This is a right for an individual to require a controller to erase personal information about them on certain grounds – for example, where the personal information is no longer necessary to fulfil the purposes for which it was collected;
3.1.5 The right to restrict processing: This is a right for an individual to require a controller to restrict processing of personal information about them on certain grounds;
3.1.6 The right to data portability: This is a right for an individual to receive personal information concerning them from a controller in a structured, commonly used and machine-readable format and to transmit that information to another controller, if certain grounds apply;
3.1.7 The right to object: This is a right for an individual to object, on grounds relating to their particular situation, to a controller's processing of personal data about them, if certain grounds apply;
3.1.8 Rights in relation to automated decision making and profiling.
3.2 If any Request is received in relation to a data subject's rights (including the right to rectification, erasure, restriction, object or data portability) the Request must be referred to the Privacy Team at [email protected].
4. Right of Access
4.1 An individual making a valid Request is entitled to:
4.1.1 Be informed whether we hold and are processing personal information about them;
4.1.2 Be given a description of the personal information, the purposes for which they are being held and processed and the recipients or classes of recipient to whom the personal information is, or may be, disclosed by us; and
4.1.3 Communication of their personal information held by us in a form that is understandable, without compromising the privacy of other individuals.
4.2 An individual can make a subject access request (SAR) verbally or in writing, including on social media. A request is valid if it is clear that the individual is asking for their own personal data. An individual does not need to use a specific form of words, refer to legislation or direct the request to a specific contact. An individual may ask a third party (e.g. a relative, friend or solicitor) to make a SAR on their behalf, but before responding we need to be satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party's responsibility to provide evidence of their authority.
4.3 We will not usually apply a fee for requests. Where the Request is manifestly unfounded or excessive (e.g. it is repetitive in nature), we may either:
4.3.1 Charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
4.3.2 Refuse to act on the Request.
4.4 Requests made by individuals are handled by the General Counsel Team who may consult with the HR Team as appropriate.
4.5 We are not obliged to comply with a Request unless we are supplied with such information as we may reasonably require in order to confirm the identity of the individual making the Request and to locate the information which that individual seeks.
4.6 We will respond to a Request promptly and within one month of receipt of the request and after all the necessary information (enabling us to identify the individual and locate the requested information) and any relevant fee have been received. We may extend the time limit by a further two months if the request is complex or if we receive a number of requests from the individual.
4.7 In some cases personal information may be withheld if an exemption applies. Decisions about the appropriate use of exemptions should always be made by the Privacy Team.
5. Policy
5.1 Receipt of a Subject Access Request
5.1.1 If an individual makes a Request for their personal information, the Request must be passed to the Privacy Team via [email protected].
5.1.2 The date on which the Request was received together with any other relevant information should be recorded.
5.2 Initial steps
5.2.1 The Privacy Team will make an initial assessment of the Request to decide whether it is valid and whether confirmation of identity, or any further information, is required.
5.2.2 The Privacy Team will then contact the individual in writing to confirm receipt of the Request and seek confirmation of identity or further information.
5.3 Exemptions to subject access
5.3.1 A valid request may be refused in accordance with the relevant exemptions set out in UK data protection law. The exemptions are set out in Schedules 2 and 3 of the DPA 2018 and they are as follows:
- Crime and taxation: general
- Crime and taxation: risk assessment
- Legal professional privilege
- Functions designed to protect the public
- Regulatory functions relating to legal services, the health service and children's services
- Other regulatory functions
- Judicial appointments, independence and proceedings
- Journalism, academia, art and literature
- Research and statistics
- Archiving in the public interest
- Health, education and social work data
- Child abuse data
- Management information
- Negotiations with the requester
- Confidential references
- Exam scripts and exam marks
- Other exemptions
5.3.2 Where an exemption applies, we may refuse to provide all or some of the requested information, depending on the circumstances. We may also refuse to comply with a SAR if it is manifestly unfounded or manifestly excessive.
5.3.3 Decisions about the use of exemptions should only ever be made by the Privacy Team. The Privacy Team will assess each request individually to determine whether any of the above-mentioned exemptions may apply and/or whether it can redact information and disclose the remaining personal information.
5.4 Appropriate methods for locating and disclosing personal information
5.4.1 The Privacy Team will arrange a search of all relevant electronic and structured paper filing systems, with the assistance of other departments such as the HR Department as appropriate.
5.4.2 Particular care must be taken where the Request concerns information whose disclosure would reveal personal information about other individuals. The FRC has a responsibility to protect all personal information it processes and must not disclose other individuals' personal information in response to a Request if doing so is contrary to applicable privacy law or the lawful rights and freedoms of those individuals.
5.4.3 The personal information requested will be collated by the Privacy Team, with the assistance of other departments as appropriate, into a readily understandable format (e.g. internal codes or identification numbers used at the FRC that correspond to personal information should be explained). A covering letter will be prepared by the Privacy Team which includes information required to be provided in response to the Request.
5.4.4 Where the provision of the personal information in permanent form is not possible or would involve disproportionate effort there may be no obligation to provide a permanent copy of the requested information. In such circumstances the individual may be offered the opportunity to have access to the information by inspection or to receive the information in another form.
5.5 Requests for erasure, amendment or cessation of processing of information
5.5.1 If a Request is received for the deletion or correction or any other right relating to an individual's personal information, the Request must be referred to the Privacy Team for advice.
5.6 All queries relating to this Policy are to be addressed to the Privacy Team at [email protected].