Privacy Notice for Freedom of Information requests and Subject Access Requests
Published on: Wednesday 20th October 2021
This notice sets out how we will use your personal data, and your rights. It is made under Articles 13 and/or 14 of the General Data Protection Regulation (GDPR).
YOUR DATA
Purpose
The purposes for which we are processing your personal data are:
To record and respond to freedom of information requests and data subject access requests received by the Registrar and their Office.
The data
We will process the following personal data: your name, address, email address, and your request. We may also process other personal data if you volunteer it.
In responding to subject access requests we may process any data on you held by the Registrar and their Office.
Legal basis of processing
To respond to freedom of information and data subject requests, the legal basis for processing your personal data is that it is necessary to comply with a legal obligation placed on us as the data controller.
Sensitive personal data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Although we do not collect any sensitive personal data, we may process this in responding to a subject access request. We may also process data about criminal convictions in responding to a subject access request.
The legal basis for processing your sensitive personal data, or data about criminal convictions, is that processing is necessary for reasons of substantial public interest for the exercise of our functions. The function is meeting our legal obligations to answer subject access requests.
Recipients
As your personal data will be stored on our IT infrastructure it will also be shared with our data processors who provide email, and document management and storage services.
Retention
Your personal data will be kept by us for up to three years since your last contact with us.
Copies of identity verification documents will be destroyed after we have verified your identity.
YOUR RIGHTS
You have the right to request information about how your personal data are processed, and to request a copy of that personal data.
You have the right to request that any inaccuracies in your personal data are rectified without delay.
You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.
You have the right to request that your personal data are erased if there is no longer a justification for them to be processed.
You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.
You have the right to object to the processing of your personal data where it is processed for direct marketing purposes.
You have the right to object to the processing of your personal data.
INTERNATIONAL TRANSFERS
As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through the use of Model Contract Clauses.
COMPLAINTS
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, or 0303 123 1113, or casework@ico.org.uk. Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
CONTACT DETAILS
The data controller for your personal data is the Office of the Registrar of Consultant Lobbyists, 1 Horse Guards Road (Room 3.26), London, SW1A 2HQ, or 020 7271 8827, or office@orcl.gov.uk .
The contact details for the data controller’s Data Protection Officer are: Stephen Jones, Data Protection Officer, Cabinet Office dpo@cabinetoffice.gov.uk.
The Data Protection Officer provides independent advice and monitoring of the use of personal information by the Registrar and their Office.