If an Agency is processing the personal data of an individual, the ICO says that the individual has a right of access to it:
“Individuals have the right to access their personal data and supplementary information.”
and also:
“… Information must be provided without delay and at the latest within one month of receipt.”
This is facilitated in Adapt by emailing a link to an external GDPR portal for Individuals.
Use the Subject Access Request workflow from the GDPR shortcut icon or the GDPR & Checks page on a person record.
This workflow allows users to:
Record the request.
Send access to the Portal. This will send an email directly to the Individual with a link to the portal. Note: No email preview is available through Outlook and the Agency will NOT have access to the portal. It is for Individuals only.
(Note: Users will need the 'GDPR Compliance Admin' permission to run the Subject Access Request workflow. This is set in the Employee record of the User. Use the Adapt Manager Profile to set this, or ask your Erecruit Representative.
If the user does not have this permission, the following message will be displayed when running Subject Access Request:
“You do not have permission to run this action”.)
Both of these actions will be recorded on the GDPR & Checks page and in the Journal record of the Individual.
Once the email is received, the Individual will click on the link to launch the portal. From here they will create their own password. Users of the portal will have 5 days to activate their login and 10 days of access to the portal. Note: If they forget their password, the Adapt user will need to generate access again.
On initial access, the Home page will display. This will show a snapshot of their portal access:
When they requested access.
When their access was approved.
When their request was activated.
How many days of access remain.
When they last logged in.
How many times they logged in.
They will also have visibility of:
Documentation - All documentation held on them, e.g. CVs, references, etc.
Notes - All journal activity relating to their record.
Data - All personal data.
The Individual can download their CV, proof of identity, etc. from here and exercise their right to data portability (see the section on Right to Data Portability).
Data not available in the Portal
There is a new Document Category in a person record in Adapt called Confidential. Anything in here is not visible in the portal. There is no advice on what should be in here; however, all data should be made available to the individual including, in theory, references. If, however, the reference contains contact details of the person who gave the reference, the rights of this ‘other’ individual should be protected. It is up to the Agency to decide whether anything goes in here and, if so, what.
Users can ‘redact’ comments in journal notes (see the Right to Rectification section), and redacted comments will not be visible in the portal. Note, however, that the Individual will see that ‘something’ has been redacted when they are viewing the portal. The reasons for this may then need to be explained to the Individual.