Page 72 - EQA Employee Handbook Feb 2020 v1

Where a data access request is understood to be made, the data subject shall be provided with a copy of the ‘Personal Data Access Request Form’. The data subject is required to complete Sections 1-3 and return the form to EQA (Ireland) at the provided contacts.
Upon receipt of a fully completed ‘Personal Data Access Request Form’, the data access request is given a unique identifier ‘DAR ID #’.
As per the ‘Personal Data Access Request Form’, the identity of the data subject should be confirmed prior to the granting of access to the personal data concerned. A form of State photographic identification (e.g. driver’s licence, passport) and a proof of place of residence (e.g. bank statement, amenities bill) are sought from the data subject. If the identity of the data subject can be confirmed, the appropriate field within the ‘Personal Data Access Request Form’ is signed.
Based on the submitted data access request, a decision shall be made by a director of EQA (Ireland) as to whether or not the data access request is granted. The relevant section of the ‘Personal Data Access Request Form’ (“For EQA use only”) shall be completed.

    If the data access request has been granted, the responsibility in compiling the relevant personal data is delegated to a member of the Scheme Administration staff. With reference to the ‘EQA Personal Data Inventory’, s/he shall agree an appropriate format for the provision of this information (i.e. hardcopy, electronic). The delegated Scheme Administrator shall:
        •  Retrieve the personal data in question;
        •  Ensure that no personal data or sensitive information is shared with the data subject beyond the scope of the request (for example, through redaction of personal data belonging to third parties), subject to identifiable consent for the sharing of said data and information;
        •  Provide the information in the agreed format.
    This information shall be provided no later than 30 days after receipt of the completed ‘Personal Data Access Request Form’.
If EQA (Ireland), based on the aforementioned criteria, deems the request to be manifestly unfounded or excessive, a decision is made as to whether the request is refused or whether it is subject to a chargeable fee to account for the administrative costs in providing the information or communication or taking the action requested.

In determining whether a data access request is manifestly unfounded or excessive, EQA (Ireland) shall consider the following factors, circumstances or situations:

        •  NB: Refusal policy is to be clarified at Annual Risk Assessment Audit

    Where a request is refused, the data subject is sent a communication advising them of the refusal, including a detailed explanation of the reason(s) for this refusal. The data subject is advised of their right of complaint to the Data Protection Commissioner with regard to this refusal of data access.

    Where it is deemed that a request may be completed upon receipt of a chargeable fee, EQA (Ireland) will calculate and justify the fee chargeable specific to each data request, based on (but not limited to) the following factors:
        •  Administrative costs in retrieving the personal data in question;
        •  Administrative costs in ensuring that no personal data or sensitive information is shared with the data subject beyond the scope of the request (for example, through redaction of personal data belonging to third parties), subject to identifiable consent for the sharing of said data and information;
        •  Administrative costs in providing the information in a format appropriate to the nature of the data, in consideration of the aforementioned redactions, and suitable for receipt by the data subject.

                                                                                             Page 71  of 85