Skip to main content

Subject Access Request Privacy Notice

 

Accessing Your Information – What You Need to Know

 

This notice explains how Rhondda Cynon Taf County Borough Council uses your personal information when you make a Subject Access Request (SAR). A SAR is when you ask to see the personal data the Council holds about you, or about someone you are legally authorised to represent.

We are required by law to respond to SARs under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The purpose of this notice is to explain what information we use, why we use it, and how we handle it when responding to your request.

If you are requesting access to your social care records, please read our Social Care Subject Access Request Privacy Notice, which explains how those requests are handled in more detail.

For more information about how the Council handles personal data, you can also read our main data protection information on our website:

Data Protection – Rhondda Cynon Taf County Borough Council

 

Who’s responsible for your information?

 

Rhondda Cynon Taf County Borough Council is responsible for looking after your personal information when you make a Subject Access request. In legal terms, we’re known as the “data controller.”

We’re registered with the Information Commissioner’s Office (ICO), the UK’s independent body for data protection under reference number Z4870100.

 

Got questions or need help?

 

If you have any questions about this privacy notice or how your personal information is used when you make a Subject Access Request, you can contact the Council’s Information Management Team:


  information.management@rctcbc.gov.uk
 01443 562289

 

The team can provide advice, explain any part of the process, and help you understand how your request will be handled.

 

What is a Subject Access Request (SAR)?

 

A Subject Access Request (SAR) is a request you make to see the personal information that Rhondda Cynon Taf County Borough Council holds about you, or about someone you are legally authorised to represent.

 

You can make a SAR in the following situations:

 

  1. You are requesting your own personal information.

 

  1. You are helping someone else make a request, with their permission.

 

  1. You are legally authorised to act for another person, for example through parental responsibility, power of attorney, or a court order.

 

In all cases, we must confirm your identity before responding. If you are acting for someone else, we will also need to see evidence of your authority to do so.

 

Whose personal information do we use when handling a Subject Access Request?

 

When we handle a Subject Access Request, we process personal data relating to two main groups of people:

 

1. The person making the request

 

This may include:

  • You, if you’re requesting your own personal data
  • Someone acting with your permission, such as a friend or family member helping you make the request
  • Someone with legal authority to act on your behalf, such as a solicitor, parent, or person with power of attorney

 

2. People whose information is included in the records being requested

 

The information you ask for may contain personal data about other individuals. Depending on the nature of the records involved, this could include:

  • Family members or other people connected to the information you have requested
  • Council staff or professionals involved in delivering services
  • Individuals who were part of the same correspondence, meeting, or interaction
  • Third parties mentioned within the records

We check the information carefully so we only share what we are allowed to.

 

 

What kind of information do we use when you make a SAR?

 

When you make a Subject Access Request, we need some basic information to help us confirm who you are and to locate the records you’ve asked for. This may include:

 

  • Your name and contact details (such as your address, phone number, or email)
  • Proof of your identity, for example a passport, driving licence, or other official document
  • If you are acting for someone else, evidence that you have their permission or legal authority to do so, such as:
    • A signed letter of authorisation, or
    • Proof of legal authority (e.g., parental responsibility, power of attorney, or a court order)
  • Any additional details that help us find the correct information, such as the name and date of birth of the person the request relates to

We use this information to confirm your identity, understand your request, and make sure we handle it safely and lawfully.

 

Once we’ve confirmed who you are, we search for the records you’ve asked for. The information we locate will depend on the nature of your contact, interactions, or involvement with the Council. This could include:

  • Notes or records created by Council officers
  • Letters, emails, forms or documents you have sent to the Council
  • Records of meetings, communications, or decisions
  • Information about services or support you have received
  • Details relevant to your circumstances or the matter you contacted us about

Some records may also contain personal information about other people. We check this carefully, and we may need to remove or hide information about others if we are not allowed to share it.

 

Why do we use your personal information?

 

We use your personal information so we can respond to your SAR safely, accurately, and in a way that supports you. This includes:

  • Keeping a record of your request
  • Checking who you are (and whether you have legal authority or permission to act for someone else, if needed)
  • Asking for more details if we need help finding the right records, for example, about dates, events, or people involved
  • Searching for the records you’ve asked for
  • Reviewing the information to make sure it’s appropriate to share
  • In some cases, contacting people named in the records to ask for their permission before sharing their information
  • Sending your response securely

What gives us the legal right to use your information?

 

We’re allowed to use your personal information because the law says we have to. Under the UK General Data Protection Regulation (UK GDPR), our legal reason (or “lawful basis”) for doing this is:

 

Article 6(1)(c) – Legal obligation:
We’re legally required to respond to SARs under the Data Protection Act 2018 and UK GDPR.

 

Where does the information come from?

 

To respond to your Subject Access Request, we collect information directly from:

 

  • You, when you send us your reques 
  • Your representative, if someone is making the request on your behalf

The records we provide in response to your Subject Access Request come from information the Council already holds. These records are created as part of the services, support, or interactions you have had with the Council.

 

Who do we share your information with?

 

To process your SAR, we may need to share your information with other teams within the Council. Most SARs are handled directly by the service area the request relates to (for example, Council Tax or Planning), while Social Care SARs are managed by the Information Management team. Sharing your information internally helps us locate the correct records, review them, and remove any information we are not permitted to disclose (this is called redaction).

 

Outside of the Council, we only share your personal information with:

  • You – the person the SAR is about
  • Someone helping you - if you’ve asked a friend or family member to help with your request and you’ve given permission
  • Your authorised representative – such as a solicitor, parent, or someone with power of attorney, if they’ve shown us the right documents
  • The Information Commissioner’s Office (ICO) – but only if you’ve made a complaint about how we handled your SAR

In some cases, we may need to contact people named in your records to ask if they’re happy for us to share their information with you. If we do this, we’ll only tell them what they need to know to understand the request, nothing more.

 

Who helps us handle your information?

 

To help us respond to Subject Access Requests, we sometimes use trusted external companies. These organisations act as data processors, which means they can only use your information under our written instructions, must keep it secure, and are not allowed to use it for anything else.

 

We use different types of data processors to support this work, including:

  • Companies that provide secure IT systems, such as tools we use to receive, store, review, redact and send information safely (for example, Microsoft and Egress).
  • Specialist SAR support providers, who may assist us with tasks such as reviewing, preparing, or redacting information so that we can respond to your request accurately and lawfully.

The Council always remains responsible for your information, even when another organisation is helping us.

 

How long do we keep your information?

 

We only keep your personal information for as long as we need it to manage and respond to your SAR. After that, we securely delete it.

Here’s how long we keep different parts of the process:

  • Proof of identity and address – kept for 1 year, in case we need to confirm we gave the records to the right person
  • Completed SAR case files – kept for 3 years, in case you have any follow-up questions
  • SARs that weren’t completed – kept for 1 year, for audit and tracking purposes
  • SAR register entries – kept for 7 years, to help us monitor and report on how we handle requests

We regularly review our records and delete anything we no longer need.

 

What are your rights?

 

You have important rights under data protection law, including the right to see the personal information the Council holds about you. These rights are there to help you understand, access, and have some control over how your information is used.

You can find more details about your rights and how to use them on our website:
 Your Information Rights – Rhondda Cynon Taf County Borough Council

 

 

Your right to make a data protection complaint to the Council

 

If you’re concerned about how your Subject Access Request has been handled, for example, if you feel the response was delayed, incomplete, or not dealt with properly,  you have the right to raise a complaint.

We recommend contacting the Information Management team first, as they are best placed to help resolve any issues quickly and informally. Following that, if you’re still not satisfied, or you’d prefer to make a formal complaint, you can do so through the Council’s Customer Feedback Scheme:

 Make a comment, compliment or complaint online

 

Still not happy? You can contact the ICO

 

If you’re not satisfied with how we’ve handled your SAR or your personal data, you also have the right to contact the Information Commissioner’s Office (ICO).

 

The ICO is the UK’s independent body for data protection. They can look into how we’ve handled your request and help you understand your rights.

 

We do encourage you to speak to us first if you can - we’ll always try to put things right.

 

You can contact the ICO here:
 Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
 0303 123 1113
 www.ico.org.uk
Help Us Improve