What is a subject access request?
Subject access involves giving a data subject access to the personal data that relates to them, within a timescale set down in law.
Personal data is information that is personal to an individual who can be identified. Data subjects are entitled to –
- only their own personal data;
- information that is personal data relating to a third party, only with that party’s consent;
- in some cases, information about objects, for example information about a car or house that belongs to the data subject, where it can be linked to them by information in the possession of the data controller or its processors and is being used to inform a decision about them as an individual; and
- specific information about how the data is being used, which is set down in law.
Personal data that is processed on behalf of the organisation, but where the processing is actually carried out by a data processor (a service provider), should be included in the response to the SAR because the data is under the control of the organisation. The contract terms required by GDPR specify that data processors must assist controllers in responding to the exercise of subject rights.
Note that subject access requirements set out the minimum required by law. We can agree to provide more information as a matter of course or in individual cases on an ad hoc basis.
What are the formalities of subject access?
Subject access requests no longer need to be made in writing but it is recommended that they be documented for audit purposes, especially around confirming the identity of the requester. It is no longer lawful to charge a fee for exercising any subject rights but in special circumstances a fee may be charged for responding to a manifestly unfounded or excessive request. The fact that a fee is being charged must be communicated to the person making the SAR. It is advisable to check the Information Commissioner’s Office’s view on what is unfounded and excessive in the circumstances before relying on this provision.
A fee can also be charged if a person making a SAR asks for additional copies of the personal data. The fee must reflect the cost of providing the information.
If there is any doubt as to the identity of the person making the SAR, organisations need to confirm identity before providing any personal data. Setting out exactly what information and proof is required to confirm identity is essential for staff and it is a good idea to explain this to people making SARs early in the process. Confirmation of identity should not be used as a barrier to stop people accessing their personal data if their identity is not in doubt.
While the law does not allow organisations to force people making SARs to use standard forms, it may be helpful to provide these in an easily accessible way (on the website or in print by post), including information about what constitutes proof of identity, such as driving licences, passports, etc., and whether a copy is sufficient or whether staff need to see original documents and keep copies. Make it clear that using the form to support a SAR is not compulsory.
Organisations should act on the subject access request without undue delay and at the latest within one month of receipt. Time starts to run from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.
If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.
If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond.
This means that the exact number of days you have to comply with a request varies, depending on the month in which the request was made.
The time limit may be extended by a further two months if the request is complex or you have received a number of requests from the individual. You must let the individual know within one month of receiving their request and explain why the extension is necessary.
However, the ICO’s view (on the website) is that it is unlikely to be reasonable to extend the time limit if:
- it is manifestly unfounded or excessive;
- an exemption applies; or
- you are requesting proof of identity before considering the request.
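The deadline rules above (time running from the day after receipt to the corresponding date in the next month, the shorter-month fallback, the roll-forward to the next working day, and the optional extension of up to two further months) worked through as an added Python example; this is not part of the original guide, and the public-holiday set is a constructed placeholder rather than any real holiday calendar.

```python
import calendar
from datetime import date, timedelta

# Constructed placeholder: a real implementation would load the holiday
# calendar for the relevant UK nation (assumption, not from the guide).
PUBLIC_HOLIDAYS = {date(2018, 12, 25), date(2018, 12, 26), date(2019, 1, 1)}


def is_working_day(d, holidays=PUBLIC_HOLIDAYS):
    """Monday to Friday and not a public holiday."""
    return d.weekday() < 5 and d not in holidays


def sar_deadline(received, extension_months=0, holidays=PUBLIC_HOLIDAYS):
    """Return the latest response date for a SAR received on `received`.

    Time runs from the day after receipt to the corresponding calendar date
    one month later (plus up to two further months if the extension is
    invoked). If that date does not exist because the month is shorter, the
    deadline is the last day of that month. A deadline falling on a weekend
    or public holiday moves to the next working day.
    """
    if not 0 <= extension_months <= 2:
        raise ValueError("the extension may add at most two months")
    start = received + timedelta(days=1)
    months_ahead = 1 + extension_months
    # Month arithmetic that carries over into the next year when needed.
    year = start.year + (start.month - 1 + months_ahead) // 12
    month = (start.month - 1 + months_ahead) % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    deadline = date(year, month, min(start.day, last_day))
    while not is_working_day(deadline, holidays):
        deadline += timedelta(days=1)
    return deadline
```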
Children and subject access
Children have a right to request access to their personal data and the response should be made to the child if the organisation is confident that the child understands their rights. In Scotland there is a presumption that children aged 12 and over will have the necessary capacity and this provides a guide for the rest of the UK.
If the child is too young to understand, then a request may be made by a parent or guardian on behalf of the child.
Requests for subject access made on behalf of a child should be treated with care. Ensure that the request is not being made by an adult to gain access to personal data relating to the child’s carer; for example, the personal data may reveal the location of the household and not just information about the child. Other family members may need to be protected from the person making the SAR, in a situation involving domestic violence for example.
Organisations can ask for clarification of a SAR and it is worth noting that communication between the organisation and the person making the request is encouraged by the regulator. This can help to narrow down the amount of personal data to be provided. However, data subjects are entitled to all of their personal data in the organisation’s control if they are unwilling or unable to target their request.
It is accepted that a SAR will not include CCTV images and recorded telephone calls unless the person making the SAR specifically requests that information. Again this is where a standard form for making requests can be useful by listing the types of personal data the organisation holds.
Identifying the relevant CCTV footage requires additional information about the time of the data capture and the appearance and behaviour of the subject. Similarly, finding an audio recording of a telephone conversation will require information about the time and date of the call. So it would be good practice to include a note about CCTV and audio recordings in communication with the person making the SAR, and to provide notes on the additional information required for individuals who might want access to that kind of personal data.
What data must be provided?
Data subjects are entitled to more than just a copy of their personal data. Other information must also be supplied by law: confirmation that the organisation is processing their personal data, the types of information held and why it is being processed, together with details of any disclosures and of the sources of this type of personal data.
Organisations can meet this requirement easily by including a copy of the relevant Privacy Notice either at the time the response to the Subject Access Request is sent out or, earlier, when the SAR is acknowledged. All the relevant information should feature in the Privacy Notice.
Exemptions work to exclude specific pieces of information rather than to invalidate the request. The only entire exemption is where we cannot confirm the identity of the requester.
Managing expectations is an indicator of good practice. So keep in contact with the person making the SAR and explain what information will not be provided and explain why. If this information is included in the acknowledgement letter it can be positioned as general rules rather than specific to their personal circumstances. It will help to prepare the way if you have to report that some information is withheld.
What data can be excluded?
Vexatious or repeated requests
Generally we do not have to comply with identical requests if they are made at unreasonable intervals. What is reasonable depends on:
- the nature of the data – if it is particularly sensitive;
- the nature of the processing – if it is causing the subject distress;
- whether there is any new or altered information to disclose.
Personal data relating to third parties
Personal data that identifies a third party must not be disclosed to a person making a SAR unless the third party consents to the disclosure. It is a good idea to identify the circumstances in which personal data relating to the organisation’s data subjects is provided by third parties, and to engineer the processes to include either a promise of confidentiality or consent to the disclosure of the data they provide and, where appropriate, their identity. Only in unusual circumstances would you then need to follow up for specific consent: where it is clear the parties might not have anticipated disclosure, or where it is evident that the disclosure will raise significant issues.
If a specific request for disclosure of third party data is made and refused or the third party is not contactable, the organisation must still consider the relative rights of the parties in the circumstances and make a judgment about whether or not to disclose the information. Factors to take into account include any duty of confidentiality to the third party, the relative impact of the information and its release on both parties and consideration of what the parties would have expected.
Guidance on the Information Commissioner’s website states:
In determining whether it is reasonable to disclose the information, you must take into account all of the relevant circumstances, including:
- the type of information that you would disclose;
- any duty of confidentiality you owe to the other individual;
- any steps you have taken to seek consent from the other individual;
- whether the other individual is capable of giving consent; and
- any express refusal of consent by the other individual.
So, although you may sometimes be able to disclose information relating to a third party, you need to decide whether it is appropriate to do so in each case. This decision will involve balancing the data subject’s right of access against the other individual’s rights. If the other person consents to you disclosing the information about them, then it would be unreasonable not to do so. However, if there is no such consent, you must decide whether to disclose the information anyway.
For the avoidance of doubt, you cannot refuse to provide access to personal data about an individual simply because you obtained that data from a third party. The rules about third party data apply only to personal data which includes both information about the individual who is the subject of the request and information about someone else.
Information relating to health sourced from a health professional
Information relating to health may be withheld from a SAR response in some circumstances. Check with the data subject’s health professional if it is permitted to share medical information or if it would be detrimental to the data subject. The Subject Access Request Code of Practice (based on the 1998 Data Protection Act but still relevant in some cases pending further clarification by the Information Commissioner’s Office) explains that there is no need to redact the names of medical staff whose details are on letters or reports that the organisation has authority to disclose.
Price sensitive information and management forecasts
Information that could be considered “price sensitive” in relation to listed securities does not need to be disclosed ahead of any public announcement.
In practical terms most organisations will find the exemption for management forecasts more applicable. Information that is processed for the purpose of management planning can be excluded from a response to a SAR to the extent that its inclusion is likely to prejudice the conduct of the business. For example an investigation into the costs of relocating a business would be exempt from disclosure in a response to a SAR made by an employee who would be affected by the move. This helps organisations to keep information about business plans confidential until such time as they are announced formally.
Negotiations with the data subject
SARs are sometimes made in the course of a dispute between the data subject and the organisation and can be used to access information which may make or break the dispute. Records relating to negotiations with the data subject may be withheld to the extent that the disclosure would be likely to prejudice the negotiations. For example information about an individual who has a legal claim against the organisation under an insurance claim would include a potential liability figure (known as the “reserve”). The organisation would want to exclude that figure from the response to the SAR as it would prejudice the negotiations with the data subject to know what reserve figure the insurer has allocated to the claim.
References, whether in draft or issued, given in relation to the following are exempt from SAR responses under the Data Protection Act 2018:
- education, training or employment (or prospective education, training or employment) of the data subject,
- the placement (or prospective placement) of the data subject as a volunteer,
- the appointment (or prospective appointment) of the data subject to any office, or
- the provision (or prospective provision) by the data subject of any service.
Exam scripts and exam marks
These are subject to a specific exemption from the response to a SAR until
There are other exemptions in the Data Protection Act 2019 but these are the most commonly applicable ones.
Date of request determines date of information we provide
Data processing is an ongoing activity and so it is important to determine the date when the SAR applies.
The Information Commissioner’s website provides guidance on responding to subject access requests and says:
It is our view that a subject access request relates to the data held at the time the request was received. However, in many cases, routine use of the data may result in it being amended or even deleted while you are dealing with the request. So it would be reasonable for you to supply information you hold when you send out a response, even if this is different to that held when you received the request.
So long as the data is not altered to frustrate a SAR (now an offence under the Data Protection Act 2018) then information covered by the SAR may be routinely updated or further processing restricted from the date of the SAR as is most convenient for the controller.
Making the response
The response should be made by electronic means if that was how the SAR was received unless the organisation can agree differently with the person making the SAR.
Make sure that communication with the person making the SAR is secure.
- Can we confirm the identity of the person making the SAR?
- Does the person making the SAR have authority from the data subject if it is not a direct request?
- Do we need more information to find out what the person making the SAR wants?
- Do we have the information requested?
- Will the information be subject to routine processing before it is provided? If so, is it reasonable to allow the routine processing to continue?
- Does the information include personal data which identifies a third party? If so, do we have consent to disclose the data?
- Do any exemptions apply to the personal data?
- Have we explained any codes or industry terminology in the data?
- Have we provided the additional information required, as set out in the Privacy Notice?
The Information Commissioner’s website contains the most up-to-date information about managing the exercise of subject rights in the UK. The SAR Code of Practice, made under the 1998 Data Protection Act, is still relevant insofar as it sets the tone for how to manage SARs, but don’t rely on it for guidance on the logistics: timing of responses, how to respond and whether to charge a fee all changed with GDPR.
At Data Protection Consulting we have years of experience in dealing with SARs on behalf of clients and would be happy to help.