GDPR data portability procedure
Contents
- Scope
1. Scope
1.1 This procedure applies where a data subject exercises their right to data portability and applies to Uttlesford District Council as the data controller, to receive their data in order to re-use or transfer it to other data controllers.
1.2 Data subjects are entitled to ask for:
- a copy of the personal data they have provided to Uttlesford District Council
- Uttlesford District Council to transmit the data to another data controller.
1.3 Within the scope of this procedure is any personal data concerning the data subject that:
- he/ she has provided to the data controller knowingly and actively, or through observations of his/ her activities by virtue of the service of the council and
- has been processed through automated means; and
- has been processed on the basis of the data subject's consent or a contract to which the data subject is a party.
This procedure will most commonly be used when transmitting data directly to another data controller.
1.4 This procedure also applies to circumstances when Uttlesford District Council is the "receiving data controller". That is, when personal data from another data controller is received due to the data subject exercising their right to data portability.
2. Responsibilities
2.1 Uttlesford District Council in its role as data controller is responsible for transmitting the data without hindrance and to ensure that it is transmitted with the appropriate level of security (with encryption). The council will assess the specific risks linked with data portability and take all appropriate risk mitigation measures.
2.2 The Data Protection Officer is responsible for the application and effective working of this procedure.
3. Procedure
3.1 Uttlesford District Council will inform data subjects of the existence of the new right to portability at the time where personal data is obtained.
3.2 Any request for data portability is immediately forwarded to the Data Protection Officer to ensure that the requested data is provided and transmitted within the timeframe noted in 3.10 below.
3.3 The council chooses whether to request that the data subject provide evidence of their identity in the form of a current passport, driving licence or other photographic record showing identity.
3.4 Where the data requested concerns a third party, the Data Protection Officer reviews whether or not transmitting data to another data controller would cause harm to the rights and freedoms of other data subjects.
3.5 The data subject identifies the personal data that is to be transmitted or provided for their own use.
3.6 The Data Protection Officer maintains a record of requests for data and of its receipt, including dates of transmission and receipt.
3.7 The council has established safeguards which ensure that the personal data transmitted are only those that the data subject has requested to be transmitted.
3.8 The requested information is provided to the data subject in structured, commonly used and machine readable format that allows for the effective re-use of the data. The council retains a register of all such data portability requests.
3.9 When transmitting data to another data controller, the council will forward the data in an interoperable format. In the event that technical impediments prohibit direct transmission, the council will explain these impediments to the data subject(s).
3.10 The council provides the requested information within one month from the request date. If the request is complex, the council can extended this time frame to (maximum) three months. The council will inform the data subject of the reasons for the delay via email or phone within one month of the original request.
3.11 The request does not affect the original retention period that applies to the data that has been transmitted.
4. Receiving personal data
4.1 Uttlesford District Council does not by default accept and process personal data received from another data controller following a personal data request nor does it retain all the data received.
4.2 The council only accepts and retains data that is necessary and relevant to the service being provided.
4.3 If data received contains third party data, the council will keep the data under the sole control of the requested user. This data is only managed for their needs and not for other purposes of Uttlesford District Council.
4.4 The council will provide the data subject(s) with information about the personal data relevant for the performance of their services, limiting risks posed to third parties and unnecessary duplication of personal data.
Document owner
The Data Protection Officer is the owner of this document and is responsible for ensuring that this procedure is reviewed in line with the requirements of the GDPR.
Change history record
New document: (1st publication)
Approval: Simon Pugh (Assistant Director Governance & Legal)
Date of issue: 23 May 2018
Biennial review by DPO to ensure currency and compliance with Data Protection Legislation
Approval: Simon Pugh (Assistant Director Governance & Legal)
Date of issue: June 2020