Full Council
Dan Gwalter
WES-POL-0015
1.0
- 1. Purpose
- 2. Scope
- 3. Definitions
- 4. Policy Statement
- 5. Roles and Responsibilities
- 6. Policy Detail and Procedures
  - 6.1 Submitting a SAR
  - 6.2 Acknowledgement and Verification
  - 6.3 Response Time
  - 6.4 Data Collection and Review
  - 6.5 Third-Party References and Redaction
  - 6.6 Format of Response
  - 6.7 Limitations and Exclusions
  - 6.8 Logging and Retention
- 7. Related Policies and References
- 8. Compliance and Breach Handling
- 9. Review and Version Control
- 10. Approval Record
1. Purpose
This procedure sets out how the Western Equestrian Society (WES) will respond to Subject Access Requests (SARs) under the UK General Data Protection Regulation (UK GDPR). It ensures that individuals can access their personal data held by WES in a timely, fair, and lawful manner, and that the Society meets its legal obligations without risk to other individuals' privacy.
2. Scope
This procedure applies to any individual making a Subject Access Request to WES, all personal data held by WES in electronic or paper form, and all Officers, Council members, or volunteers involved in the collection or processing of personal data.
It covers: how SARs are received and verified; what data is included or excluded; timescales, redactions, and communication; and logging and review.
3. Definitions
- Subject Access Request (SAR): A written request from an individual to access the personal data WES holds about them
- Data Subject: The person making the request
- Personal Data: Any information relating to an identifiable living person
- Third-Party Data: Information that includes or relates to someone other than the requester
- Data Controller: The organisation responsible for managing personal data (WES)
4. Policy Statement
WES recognises every individual's legal right to access their personal data. The Society will respond to all legitimate SARs promptly, securely, and without charge unless the request is manifestly unfounded or excessive.
WES will balance transparency with the need to protect third-party privacy and ensure that sensitive discussions are handled fairly and lawfully.
5. Roles and Responsibilities
| Role | Responsibility |
| --- | --- |
| Secretary | Acts as Data Lead; receives and processes all SARs; coordinates redaction and response |
| Chairperson | Reviews any concerns over response content or third-party impact |
| Council Members | Support provision of records or email content as required |
| Data Subject | Provides proof of identity and clarifies scope of request if needed |
6. Policy Detail and Procedures
6.1 Submitting a SAR
- Requests must be submitted in writing (email or post) to the Secretary
- The requester should provide: their full name and contact details; a clear description of the data or records they wish to access; and any relevant dates or context
- WES may request proof of identity where uncertainty exists
6.2 Acknowledgement and Verification
- The Secretary will acknowledge the SAR within 5 working days
- The request will be logged in the SAR Register
- If further clarification is needed to locate the data, WES will pause the response window until it is provided
6.3 Response Time
- WES will respond within 30 calendar days of receiving a valid request
- Extensions of up to 2 months are allowed in complex cases - if used, the Secretary will notify the requester in writing with reasons
6.4 Data Collection and Review
- The Secretary will gather relevant data from WES systems and Officers (e.g. email, documents, spreadsheets, Member Mojo)
- Information will be filtered to include only the requester's personal data
- Any data relating to other individuals will be reviewed and redacted unless consent has been given or disclosure is clearly reasonable and lawful
6.5 Third-Party References and Redaction
- WES will redact names, opinions, or correspondence involving third parties unless the information is already publicly available, or redaction would render the data unintelligible and there is a lawful reason to include it
- Redactions will be made using standard tools and noted in the SAR log
6.6 Format of Response
- The response will include: a cover letter explaining the scope and method of the search; a copy of all requested personal data (redacted where needed); and a summary of data sources used
- The data will be provided securely via email, secure link, or physical copy if requested
6.7 Limitations and Exclusions
WES is not required to include: opinions expressed about the requester where this would breach another's privacy; internal Council deliberations not constituting personal data; records already provided or publicly available; or communications unrelated to the requester.
6.8 Logging and Retention
- The SAR will be logged in the SAR Register with: the dates it was received and responded to; source systems used; whether redactions or exclusions applied; and whether legal advice or Chair review was required
- Records of the SAR will be retained for 6 years in line with the WES data protection policy
7. Related Policies and References
- Data Protection (GDPR) Policy (WES-POL-0014)
- Disciplinary Procedure
- SAR Register (Templates and Tools folder)
- ICO Guidance on Rights of Access
8. Compliance and Breach Handling
Failing to respond to a SAR, providing inaccurate information, or mishandling third-party data may constitute a breach of GDPR and expose WES to risk. All SARs must be handled through the Secretary and logged. Any concern about inappropriate disclosure must be escalated to the Chair immediately.
9. Review and Version Control
| Version | Date | Author | Changes Made |
| --- | --- | --- | --- |
| 0.1 | 18/07/2025 | DG | Initial policy draft |
| 0.5 | 08/10/2025 | DG | Changes following Chairman's review |
| 1.0 | 04/11/2025 | DG | Published |
10. Approval Record
| Approved By | Date | Notes |
| --- | --- | --- |
| Full Council | 04/11/2025 | Approved for immediate use |