We advise small, medium and large private and public bodies on all aspects of data protection compliance and information governance, including:
- compliance with the Data Protection Act including DPA audits
- information and records management
- policies for the collection and processing of personal data
- information access requests: subject access requests, freedom of information
- data security including handling breaches of the Data Protection Act
- liaising with the Information Commissioner in relation to complaints made by individuals
- the information governance and data protection implications of outsourcing and commercial contracts
- privacy impact assessments
- data processing contract agreements
- marketing privacy including direct marketing, telemarketing and sharing data with third parties
- online privacy including cloud computing, cookie compliance, social media and mobile devices
- employment and data protection
Who we help
We assist clients with a wide variety of Data Protection issues, such as Freedom of Information requests, Subject Access Requests, Safeguarding problems and general data protection queries.
Manufacturing; Marketing Agencies; Advertising Agencies; Estate Agents; Local SMEs; Call Centres; Charities.
Most recently we have advised Private Care Homes on how to manage staff in terms of Data Protection, alongside the CQC.
Equine; Dressage; Football; Rugby; Archery.
We have helped local rugby teams with event management and keeping data secure. Most recently we have assisted an Equine company with Safeguarding issues.
Housing Associations; Care Homes; Schools; Health Authorities; Dentists.
Most recently our clients have included Caldicott Guardians, Teachers, Governors and Bursars.
Hotels; Pubs; Restaurants; Travel Agents; Night Clubs.
We have many clients to whom we give general Data Protection advice.
What is a Subject Access Request?
The Data Protection Act 1998 gives individuals six rights, one of which is the right to request a copy of the personal data that a data controller holds about them. A request that meets the Act's formal requirements (it is made in writing, and the controller has received any fee it charges together with enough information to confirm the requester's identity and locate the data) is called a Subject Access Request (SAR).
There are various reasons why individuals submit SARs: a disgruntled member of staff wanting to be a nuisance, an employee considering Employment Tribunal proceedings, or someone who believes that derogatory comments have been made about them. It may simply be that a customer has received poor service, or believes you have shared or received information about them which is causing them distress or damage.
The concept is simple enough, however the effect on the organisation can be profound.
Depending on how long ago the data controller obtained the data, how it has been processed and how long it has been retained, there could be thousands of documents to trawl through. This significantly disrupts your normal day-to-day work and so costs the organisation money. Data controllers often forget to account for the resources needed to collate, assess, redact, copy and release the data; all they receive in return is a £10 fee (if their procedure applies one).
The member of staff processing the request needs to be trained and to understand the law and the exemptions that govern disclosure. They need to be confident in comparing the data collated for assessment against any previous, current or prospective proceedings, or any defence against claims. Finally, they need to know how to protect third parties' right to confidentiality.
What is the Subject Access Request Bureau?
As part of our Data Protection and Privacy offerings, we provide clients with the Subject Access Request Bureau. This allows clients to securely provide us with all of the personal data held, received or shared in relation to the individual (the data subject).
We do the rest…
- We support you with advice on how and what to search to meet the legal requirements. We then receive the material, collate it, and review and read each of the documents, before applying the necessary exemptions and redacting the data.
- The individual (the data subject), whether a current or former employee, contractor, consultant, customer or member, remains at the heart of what we do, and we ensure you comply with the law and are protected from the risks which may arise from the request.
- The individual receives only the information they are entitled to under the law. For example, we redact third party data to protect third parties who have a right to confidentiality. We also contact other data controllers for permission to share data they have supplied to you and which you hold on file, for example the Police, DWP, HMRC, and Health and Education authorities.
- We review past, current, prospective proceedings and any other likely claims against the organisation as a data controller when carrying out our exemption assessments.
- At the end of the process, the data controller (you, our client) can be confident that the data subject's rights have been fully respected and that they have received only the information they are entitled to. The individual will be provided with a copy of the data either by you (we supply you with the electronic or hard copy bundle) or by us, as we can send the disclosure pack directly to the person who made the request.
We aim to take the stress and anxiety out of the process, and leave you to continue with your own job and delivering services while we do the hard work for you.
What work have you done so far?
We have undertaken a number of SARs on behalf of our clients; some have been very small and others have contained many thousands of documents. We have supported the housing, health, education, equine and legal sectors in carrying out their disclosure obligations.
Sometimes the person requesting their personal data remains unhappy and complains to the ICO. You cannot stop a person from doing this, even where there are no grounds for it. However, clients can rest assured that the documents provided to the person who made the SAR have been rigorously vetted and are the only documents the person is entitled to.
Why use the Wright Hassall LLP Subject Access Request Bureau?
- The information and advice passing between us and our client is legally privileged, which means that communications between us are protected from disclosure.
- We are fully qualified to carry out the assessment, which reduces the demand on your organisation's time, manpower and finances, and the risk of failing to meet the 40 calendar day time limit.
- We are also here to support you when we identify information which is inaccurate or out of date, or where comments have been made about the data subject which may upset them. In all of these areas we can guide and support you in communicating with the individual.
- Your organisation will know the cost at the outset and can decide whether the service works for you. We offer tiered and fixed pricing options for our case management service to suit the client's needs.
- As part of this service we also offer a one-to-one or team SAR training workshop, as a half day or full day. This equips your team to carry out assessments in-house over the long term, with us validating the disclosure against the assessment file.
We deliver bespoke information governance training in-house with workshops tailored to each organisation's governance framework.
Each seminar can be tailored to a specific department (e.g. marketing) or delivered across departments, and is priced to be extremely competitive.
We design and deliver data protection and information governance workshops to social housing organisations of all sizes and across the UK. Whether you want to train one person or a whole team, we can offer public courses and bespoke workshops. Each seminar is interactive and dynamic with lots of useful information and guidance to take away.
- "By working with Paula and her team we have exceeded all our expected outcomes in data protection. Paula has developed, mentored and trained a member of our team to be our Group-wide data protection officer, as well as training our entire employee base. The support we receive enables Isos Housing to continue to put data management and protection at the heart of everything we do. We remain close to Paula and the Wright Hassall team, as they react to our needs professionally and with passion every time." Mark Reid - Executive Director Finance, Isos Housing
- "Taking on data protection was a daunting task. But through the training, coaching and mentoring from Paula and her team I have found a passion for privacy and data protection. I enjoy using the knowledge and experience I have gained to help Isos to meet our needs and obligations as a data controller; I also know this has helped me and Isos to continue to ensure we put our customers at the forefront of our decisions when using their information." Annie Bromwich-Alexandra - Governance Support Manager, Isos Housing
If you handle personal information about individuals, you have a number of legal obligations to protect that information under the Data Protection Act 1998. Please read our data protection guide for full details on what data protection is.
Organisations that process personal data must register (notify) with the Information Commissioner's Office, also called the ICO, unless an exemption applies.
What do we mean by 'personal data'?
According to the ICO, personal data means data which relate to a living individual who can be identified –
- from those data, or
- from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
For example, a manager’s assessment or opinion of an employee’s performance during their initial probationary period will, if held as data, be personal data about that individual.
The Data Protection Act 1998 (DPA) governs how corporate bodies use personal data, and failure to comply with it can result in hefty fines and considerable reputational damage.
TalkTalk Telecom Group PLC ("TalkTalk") appealed against a monetary penalty notice issued by the Information Commissioner's Office ("ICO") for failing to notify it of a personal data breach. The appeal was rejected.
In the recent case of McWilliams v Citibank NA, the Tribunal considered Citibank's failure to provide Ms McWilliams' data following a Subject Access Request (SAR), and whether this contributed to an unfair dismissal.