June 27, 2020

How to access your data

Individuals' personal data rights

Subject Access Requests (SAR): 

Individuals have the right to make a Subject Access Request. If an individual makes a subject access request, then Kent Medical Secretarial Services Ltd will respond to the request within Thirty (30) days and will produce the request in line with the Information Commissioners Office (ICO) guidelines. The data subject will need to prove themselves by a form of identification which will be deemed adequate by the DPO.  An SAR should be submitted to: 

Email: The Data Protection Officer (DPO)  at DPO@medicalsecserv.co.uk 

If a Subject Access Request is manifestly unfounded or excessive, the organisation is not obliged to comply with the request. Alternatively, the organisation can agree to respond but, the data subject may be charged a fee if extra costs are incurred to retrieve data, which will be based on the administrative cost of responding to the request. A Subject Access Request is likely to be manifestly unfounded or excessive where it repeats a request to which the organisation has already responded. If an individual submits a request that is unfounded or excessive, the organisation will notify him/her that this is the case and whether or not it will respond to it. Furthermore, if the organisation cannot facilitate a request based on limitations with its IT functionality the organisation will notify the individual accordingly stating what aspect of the request they can respond to. We will respond to the request within the Thirty (30) day period however, if this request takes longer than the regulation timeline, then the data subject will be notified and will be updated, and the request provided at the earliest opportunity. It should be noted that due to the business practices and the pure nature of the business model of Kent Medical Secretarial Services Ltd, some data may not be requested under a Subject Access Request for legal and medical reasons. If it is felt that a request may not be granted or fulfilled, then the data subject will be informed, and a representing consultant will be sought for guidance relating to such a request.  

The organisation will also provide the individual with a copy of the personal data undergoing processing. This will normally be in electronic form if the individual has made a request electronically, unless he/she agrees otherwise. A data subject has the right to the following regarding the processing of their data: 

  • Whether or not his/her data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from the individual; 
  • To whom his/her data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers; 
  • For how long his/her personal data is stored (or how that period is decided); 
  • His/her rights to rectification or erasure of data, or to restrict or object to processing; 
  • His/her right to complain to the Information Commissioner if he/she thinks the organisation has failed to comply with his/her data protection rights; and 
  • Whether or not the organisation carries out automated decision-making and the logic involved in any such decision-making.