Data Protection and Access Requests
07 Apr, 2020
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 regulate the processing of personal data of a living person (known as a ‘data subject’). This legislation is designed to strengthen the protection of your rights and freedoms.
As part of the Mental Health Commission, the Decision Support Service is fully committed to the protection of the rights and freedoms of individuals whose personal data it holds. For further information on how the Mental Health Commission (which includes the Decision Support Service) collects, stores and uses your personal data, please click here to see its Data Protection Statement.
What are my data protection rights?
The Mental Health Commission is a Data Controller for all personal data collected for the purpose of its activities.
Under data protection legislation, you have a set of rights. You can exercise these rights in relation to your personal data that is processed by the Mental Health Commission (including the Decision Support Service). You have a right
- to be informed about the processing of your personal data
- to access your personal data
- to the rectification of your personal data
- to the erasure of your personal data
- to data portability
- to object to the processing of your personal data
- to restrict the processing of your personal data
You also have rights in relation to automated decision making (including profiling).
Are there any restrictions on these rights?
Yes. The GDPR allows that all of these rights may be restricted by national law in certain circumstances (for example, the prevention and detection of crime). You may find further information on these restrictions by accessing the website of the Data Protection Commission.
How may I access my personal data (Data Subject Access Request)?
To access your personal data, you may make a Data Subject Access Request. You must make this request in writing and send it by email or by post to the Data Protection Officer at the Mental Health Commission (contact details are provided below).
In your email or letter, you should include the following information:
- say that you are making your request under the GDPR and the Data Protection Act 2018
- provide as much information as possible about the information you are asking for
You may send this information by email or by post. Alternatively, you may prefer to complete and send this form.
Where do I send my request?
You may send your request by post or by email. Here are the addresses:
Data Protection Officer,
Mental Health Commission,
Do I need to provide identification?
Yes. Before you are given access to your personal information, you will be asked to provide proof of identify. You are asked to send:
- a copy of your identification which has your full name and photograph (for example, your passport, driver’s licence, etc.)
- proof of address to which the materials will be sent (for example, the top of a utility bill bearing both your name and address). This must be less than 6 months old.
Why do you need me to provide identification?
We need identification to ensure that the requested personal information is sent to the correct person at the correct email or postal address.
How long does it take to receive a response?
You can expect to receive a response within one calendar month from the day your request is received by the Mental Health Commission. A calendar month starts on the day the organisation receives the request, even if that day is a weekend or public holiday. It ends on the corresponding calendar date of the next month. If, however, that date falls on a weekend or public holiday, you can expect to receive your information by the next working day.
How will you send this information to me?
In making your request, you should say if you would like to receive the information by post or by email.
How much does it cost to make a Data Subject Access Request?
There is no charge for making a Data Subject Access Request.
Are there any other charges?
Fees may be charged for the search, retrieval and copying of information you ask for. A charge will happen where the request is complex or requires considerable work to locate the information requested. The Data Protection Officer will let you know if there is a charge as soon as possible after your request is received.
Can someone else ask for my personal information on my behalf?
Yes. When making a Data Subject Access Request, you may ask that your personal information is sent to a third party. This is someone you choose (for example, a solicitor, doctor, health professional, family member, etc.). If you would like to do this, you must complete this form and attach it to your letter, email or Data Subject Access Request form.
Do I have the right to appeal the decision?
Yes. If you are not happy with the decision of the Data Protection Officer, you may appeal to the Data Protection Commission. The Data Protection Commission will carry out a full and independent review of the decision.
How do I contact the Data Protection Commission?
The Data Protection Commission may be contacted by post or by using one of the forms on its website. Its contact details are as follows:
Data Protection Commission,
21 Fitzwilliam Square South,
(0761) 104 800 or (057) 868 4800