Page 67 - EQA Employee Handbook
7.6.4. Where a data access request is understood to be made, the data subject shall be provided with
a copy of the ‘Personal Data Access Request Form’. The data subject is required to complete Sections
1-3 and return the form to EQA (Ireland) at the provided contacts.
7.6.5. Upon receipt of a fully completed ‘Personal Data Access Request Form’, the data access request
is given a unique identifier ‘DAR ID #’.
7.6.6. As per the ‘Personal Data Access Request Form’, the identity of the data subject should be
confirmed prior to the granting of access to the personal data concerned. A form of State photographic
identification (e.g. driver’s licence, passport) and a proof of place of residence (e.g. bank statement,
amenities bill) are sought from the data subject. If the identity of the data subject can be confirmed, the
appropriate field within the ‘Personal Data Access Request Form’ is signed.
7.6.7. Based on the submitted data access request, a decision shall be made by a director of EQA
(Ireland) as to whether or not the data access request is granted. The relevant section of the ‘Personal
Data Access Request Form’ (“For EQA use only”) shall be completed.
7.6.7.1. If the data access request has been granted, the responsibility for compiling the
relevant personal data is delegated to a member of the Scheme Administration staff. With
reference to the ‘EQA Personal Data Inventory’, s/he shall agree an appropriate format for the
provision of this information (i.e. hardcopy, electronic). The delegated Scheme Administrator
shall:
• Retrieve the personal data in question;
• Ensure that no personal data or sensitive information is shared with the data
subject beyond the scope of the request (for example, through redaction of
personal data belonging to third parties), subject to identifiable consent for the
sharing of said data and information;
• Provide the information in the agreed format.
This information shall be provided no later than 30 days after receipt of the completed
‘Personal Data Access Request Form’.
7.6.8. If EQA (Ireland), based on the aforementioned criteria, deems the request to be manifestly
unfounded or excessive, a decision is made as to whether the request is refused or whether it is
subject to a chargeable fee to account for the administrative costs in providing the information or
communication or taking the action requested.
7.6.8.1. In determining whether a data access request is manifestly unfounded or excessive,
EQA (Ireland) shall consider the following factors, circumstances or situations:
• NB: Refusal policy is to be clarified at Annual Risk Assessment Audit
7.6.8.2. Where a request is refused, the data subject is sent a communication advising them
of the refusal, including a detailed explanation of the reason(s) for this refusal. The data
subject is advised of their right of complaint to the Data Protection Commissioner with regard
to this refusal of data access.
7.6.8.3. Where it is deemed that a request may be completed upon receipt of a chargeable
fee, EQA (Ireland) will calculate and justify the fee chargeable specific to each data request,
based on (but not limited to) the following factors:
• Administrative costs in retrieving the personal data in question;
• Administrative costs in ensuring that no personal data or sensitive information is
shared with the data subject beyond the scope of the request (for example,
through redaction of personal data belonging to third parties), subject to
identifiable consent for the sharing of said data and information;
• Administrative costs in providing the information in a format appropriate to the
nature of the data, in consideration of the aforementioned redactions, and
suitable for receipt by the data subject.
Upon calculation of the chargeable fee, the data subject is sent a communication, within 30
days of the initial request, advising them of the withholding of a response, subject to receipt
of this fee. The communication shall include a detailed explanation of the reason(s) for this