Data Subject Access Request
Right of access
You have the right to find out if the RNN Group is using or storing your personal data. This is called the right of access. You exercise this right by asking for a copy of the data that the Group holds about you, which is commonly known as making a ‘data subject access request’.
How to access your data
Staff, learners (and other users of the RNN Group) have the right to access personal data relating to themselves that is held by the Group in electronic and/or manual records that form part of a ‘relevant filing system’.
You can make a subject access request to find out what data is held by the RNN Group and how it is used. You may make a data subject access request before exercising your other information rights, should you wish to. You can make a data subject access request verbally or in writing. If you make your request verbally, we recommend you follow it up in writing to provide a clear trail of correspondence. This will also provide clear evidence of your actions.
The RNN Group needs to be assured of an applicant’s identity prior to any information being released. To protect the data that has been entrusted to us, due diligence is carried out on any request, and this will be performed after acknowledgement but before any content release.
To make the request process easier for you, the RNN Group has developed an online request which can be accessed by clicking the button below:
Data requested will be supplied, where possible, in PDF format.
The RNN Group may refuse your data subject access request if your data includes information about another individual, except where: the other individual has agreed to the disclosure, or it is reasonable to provide you with this information without the other individual’s consent.
In deciding this, the Group will have to balance your right to access your data against the other individual’s rights regarding their own information.
The RNN Group can also refuse your request if it is ‘manifestly unfounded or excessive’. Details of the full process of your request can be found in our Information request process document.
Additional information relating to your right of access can be found on the Information Commissioner’s Office website.
If you are unhappy with how the RNN Group handles your request for the data it holds about you, you should first make a complaint following the Group’s complaints process.
Having done so, if you remain dissatisfied you can make a complaint to the ICO.
You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise that you seek independent legal advice first.
Third party data releases
The RNN Group will pass data to other parties under its various contractual obligations.
It is noted that these parties are controllers in their own right and will be processing this data for their own purposes.
Details of other parties’ data processing activities would need to be gained from the data controller themselves.
Data Disclosure Decision Log
The RNN Group is committed to making as much information as possible about its activities generally available to the public, either through published documents on the Group’s website, or on request.
The Group makes decisions in sharing personal data with others. Protections are normally in place using such things as contract agreements, contract clauses or sharing agreements. However, there are certain circumstances in which decisions are made to share personal data without the need for formal data sharing agreements or contract clauses; this is called the Group’s Data Disclosure Decision Log.
Decisions are made through negotiations between the third party, RNN Group’s DPO and the Governing body of the Group, and a balanced, risk-based approach is taken with each decision made.
For further information, please email IG@rnngroup.co.uk; alternatively, you can write to:
More information will be published to this section soon, including:
- Decision log process flowchart
- Updated decision log
Under the Data Protection Act 2018 (incorporating the General Data Protection Regulations (GDPR)), data controllers (i.e. anyone determining the collection of personal data) should not retain personal data for any longer than necessary.
Furthermore, the DPA2018 gives data subjects additional rights in relation to the collection, maintenance and destruction of their personal data, which the RNN Group is mandated to uphold.
Effective records management has benefits beyond just meeting the legislative requirements, and it is promoted for use throughout the Group to:
- protect our business-critical records and improve business resilience
- ensure our information can be found and retrieved quickly and efficiently
- comply with legal and regulatory requirements
- reduce the risk of data breach or litigation and potentially audit or government investigations
- minimise storage requirements, therefore reducing costs
Minimising data retention and having clear procedures in place to determine how and when to dispose of personal data is therefore key to complying with the DPA2018. Not only that, but a well-managed data retention plan can help to avoid the information overload and high storage costs resulting from the retention of unnecessary (and often redundant) data.
The RNN Group’s Data Retention Policy is designed primarily to set out the limits that apply to the various types of personal data held by the RNN Group, to establish the criteria by which those limits are set, and to outline how personal data should be deleted or disposed of.
The RNN Group’s Data Retention Policy and schedule can be found on our Policies, Procedures and Processes page.