Subject Access Requests
Posted on 7th May 2019 at 15:48
At the moment, 46% of the complaints the ICO receives relate to Subject Access Requests, or SARs, so it is important to get this right. What is a SAR, and what do you have to do when you receive one?
An individual (or data subject) has the right to find out if an organisation is using or storing their personal data. This is called the right of access. They exercise this right by asking for a copy of the data, which is commonly known as making a ‘subject access request’.
They can make a subject access request to find out what data is held and how it is used. A request can be made verbally or in writing, and a verbal request is just as valid as a written one. If the request is made verbally, we recommend you follow it up in writing to provide a clear trail of correspondence and clear evidence of your actions. It is also a good idea at this stage to confirm the identity of the data subject, so that personal data is not released to someone who is not entitled to it.
What organisations should do
If an organisation reasonably needs more information from the individual in order to locate their data, it should ask them for that information. It can then wait until it has all the necessary information before dealing with the request.
An organisation should provide the individual with a copy of their data. It may do this electronically. If the individual needs the data in another format, the organisation must comply where possible.
An individual is also entitled to be told the following things:
• What their data is used for.
• Who you are sharing their data with.
• How long their data will be stored, and how you made this decision.
• Information on the individual's right to challenge the accuracy of their data, to have it deleted, or to object to its use.
• The data subject's right to complain to the ICO.
• Information on where their data came from.
• Whether their data is used for profiling or automated decision making and, if so, how this is done.
• If you have transferred their data to a third country or an international organisation, what safeguards you put in place.
Typically these things will all be in your privacy notice or data protection policy, so include a copy of that.
When can an organisation say no?
An organisation does not have to disclose information that relates to another individual, except where:
• the other individual has agreed to the disclosure, or
• it is reasonable to provide this information without the other individual's consent.
In deciding this, you will have to balance the requester's right of access against the other individual's rights regarding their own information. Note that this only applies to the information about the other individual; the rest of the data should still be provided.
You can also refuse a request if it is 'manifestly unfounded or excessive'. If you refuse, you should tell the individual why, and remind them of their right to complain to the ICO.
How long should the organisation take?
An organisation has one month to respond to a request. If a request is complex, or the individual has made a number of requests, the organisation can take up to an extra two months. If you are going to do this, you must let the individual know within the first month that you need more time and why.
How much is the fee?
A copy of the personal data should be provided free of charge. An organisation may charge a reasonable fee for further copies of the same data, or where it considers the request 'manifestly unfounded or excessive'. In either case the fee must be based on the administrative cost of dealing with the request.