Requesting a Subject Access Request
This privacy notice is to be read in conjunction with the full privacy notice.
This privacy notice sets out how the London Borough of Sutton will use and process your information.
What type of information is collected about you?
contact details; including name, address, email address, telephone number
date of birth
proof of identity
We may also process other personal data if you volunteer it.
In responding to subject access requests we may process any data on you held by the department.
The legal basis for processing your information
In relation to responding to subject access requests, the legal basis for processing your personal data is that it is necessary to comply with a legal obligation placed on us as the data controller.
The legal basis for processing your personal data is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
Sensitive personal data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Although we do not collect any sensitive personal data, we may process this in responding to a subject access request. We may also process data about criminal convictions in responding to a subject access request.
The legal basis for processing your sensitive personal data, or data about criminal convictions, is that processing is necessary for reasons of substantial public interest for the exercise of a function of the Crown, a Minister of the Crown, or a government department (paragraph 6, schedule 1, Data Protection Act 2018). The function is meeting our legal obligations to answer subject access requests.
How long will we keep your information
Personal data held in relation to subject access requests will be kept by the department for up to three years from the date the case has been closed on our system, unless the case has escalated to the Information Commissioner’s Office (ICO). In the event of the latter, we shall retain your data for three years from the date the ICO case has been closed on our system in order to maintain an appropriate record in case of further appeals.
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at: