Table of Contents
- What is the right of access?
- How do we recognize a subject access request (SAR)?
- What about requests for information about children?
- What should we consider when responding to a request?
- Can we ask for ID?
- Can we charge a fee?
- How do we find and retrieve the relevant information?
- How should we supply information to the requester?
- When can we refuse to comply with a request?
- What should we do if the request involves information about other individuals?
- What other exemptions are there?
What is the right of access?
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data, as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.
How do we recognize a subject access request (SAR)?
An individual can make a SAR verbally or in writing, including on social media. A request is valid if it is clear that the individual is asking for their own personal data. Although Complianz provides a data request form, an individual does not need to use a specific form of words, refer to legislation or direct the request to a specific contact.
An individual may ask a third party (eg a relative, friend or solicitor) to make a SAR on their behalf. You may also receive a SAR made on behalf of an individual through a data request form. Before responding, you need to be satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of their authority.
What about requests for information about children?
Before responding to a SAR for information held about a child, you should consider whether the child is mature enough to understand their rights. If the request is from a child and you are confident they can understand their rights, you should usually respond directly to the child. You may, however, allow the parent or guardian to exercise the child’s rights on their behalf if the child authorizes this, or if it is evident that this is in the best interests of the child. If a child is competent, they may authorize someone else, other than a parent or guardian, to make a SAR on their behalf.
What should we consider when responding to a request?
You must comply with a SAR without undue delay and in most jurisdictions at the latest within one month of receiving the request. You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual, eg other types of requests relating to individuals’ rights.
If you process a large amount of information about an individual, you may be able to ask them to specify the information or processing activities their request relates to, if it is not clear. The time limit for responding to the request is paused until you receive clarification, although you should still supply within one month any of the supplementary information you are able to provide.
Can we ask for ID?
Yes, if necessary. You need to be satisfied that you know the identity of the requester (or the person the request is made on behalf of). If you are unsure, you can ask for information to verify an individual’s identity. The timescale for responding to a SAR does not begin until you have received the requested information. However, you should request ID documents promptly.
Can we charge a fee?
Not usually. In most cases, you cannot charge a fee to comply with a SAR. However, you can charge a ‘reasonable fee’ for the administrative costs of complying with a request if it is manifestly unfounded or excessive, or if an individual requests further copies of their data.
How do we find and retrieve the relevant information?
You should make reasonable efforts to find and retrieve the requested information. However, you are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information.
How should we supply information to the requester?
An individual is entitled to a copy of their personal data and to other supplementary information (which largely corresponds with the information that you should provide in your privacy statement). If an individual makes a request electronically, you should provide the information in a commonly used electronic format, unless the individual requests otherwise.
When deciding what format to use, you should consider both the circumstances of the particular request and whether the individual has the ability to access the data you provide in that format. It is good practice to establish the individual’s preferred format prior to fulfilling their request. Alternatives can also include allowing the individual to access their data remotely and download a copy in an appropriate format.
If an individual asks, you can provide a verbal response to their SAR, provided that you have confirmed their identity by other means. You should keep a record of the date they made the request, the date you responded, details of who provided the information and what information you provided.
As the controller of the information, you are responsible for taking all reasonable steps to ensure its security.
When can we refuse to comply with a request?
Where an exemption applies, you may refuse to provide all or some of the requested information, depending on the circumstances. You can also refuse to comply with a SAR if it is manifestly unfounded or manifestly excessive.
If you refuse to comply with a request, you must inform the individual of:
- the reasons why;
- their right to make a complaint to a supervisory data protection authority; and
- their ability to seek to enforce this right through the courts.
What should we do if the request involves information about other individuals?
You should consider whether it is possible to comply with the request without disclosing information that identifies another individual. If this is not possible, you do not have to comply with the request except where the other individual consents to the disclosure or it is reasonable to comply with the request without that individual’s consent.
You need to respond to the requester whether or not you decide to disclose information about a third party. You must be able to justify your decision to disclose or withhold information about a third party, so you should keep a record of what you decide and why.
What other exemptions are there?
Exemptions apply only in a few cases and must be assessed case by case. Article 14(5) of the GDPR lists the following possibilities:
- the data subject already has the information;
- the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;
- obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or
- where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.
You should consult a lawyer before you use these exemptions.
This page contains public sector information licensed under the Open Government Licence v3.0 from the UK Information Commissioner’s Office website.