Individuals have the right to access their personal data and organisations are legally obligated to enable this right if they are the controller of that information. Would you know how to handle a subject access request? In this article, we cover the right to access and the correct procedure for processing such requests.

Under the EU’s General Data Protection Regulation (GDPR), your data subjects have individual rights over how you use their personal information.

The second right individuals have is “the right of access” which very simply means individuals have the right to access their personal data. There is a lot of legalese out there about this, but the right is simple and clearly explainable.

What is the right of access?

This gives individuals the right to access the personal data you hold on them and obtain a copy of it. The right exists to provide transparency to the individual, and to help individuals understand how and why you are using their data.

What is an individual entitled to?

The individual is entitled to access ALL of the personal data you hold on them.

Individuals have the right to obtain the following information:

  • Confirmation you are processing or in control of their personal data
  • A copy of the personal data you hold; and
  • Other supplementary informational about the processing of their personal data. This will usually be provided by way of a copy of your privacy policy.

Are there any limitations?

There is one limitation – individuals do not have the right to access information relating to other people. Where other people are named on the same documentation, then this data must be redacted before it is sent to the data subject.  The exception is if the information is also about them, in which case they are entitled to it, or if the other individual has agreed to disclosure.

How must an individual exercise their right of access?

Individuals can make a subject access request verbally or in writing. If a request is made verbally, it is the responsibility of the organisation to comply. This means if the individual “says” they wish to access their data, you must follow up.

Who is responsible for dealing with the request, the controller or processor?

It is the sole responsibility of the controller to comply with a subject access request, and as the controller, you have a legal obligation to ensure there are sufficient mechanisms in place to guarantee subject access requests are dealt with. In this case, it is wise to create a Subject Access Request Policy, which details all elements of this process for the business.

You must also ensure there is sufficient communication in place so that subject access requests incorrectly made with the processor reach you the controller.

What is the procedure for dealing with an access request?

When an individual makes an access request, they make what is known internally as a “subject access request”. Your organisation is legally obliged to enable this request, but it does need a certain amount of information to process it.

This information includes (of the subject):

  • Their name and contact details;
  • Information that will enable your organisation to identify them such as photographic ID and proof of address and;
  • Details surrounding the personal information in question.

Only when your organisation has the information it needs to identify the individual making the request, can you legally oblige their request.

When you receive the information, you need to deal with the access request, your organisation must process the request, by law, within one calendar month. This time limitation applies to all access requests, irrespective of data type. If you need more time to ‘find’ the data you must notify the individual of this. The maximum extra time you can take is two months, bringing the total to three months. This, however, is at the discretion of the Information Commissioners’ Office, who will only consider if the request is deemed to be excessive.

Responding to an access request

When you respond to the access request, you must provide the individual with all the information they have requested.  It may be that you need to request copies of data held by specific suppliers if parts of your business are outsourced – it is important to make sure your supply chain are able to deliver on such requests within the allotted time.

You must transmit this information in the preferred format of the individual, or in the absence of this information, you can send it electronically or physically. When sending or transmitting the information, you must do this securely and it is good practice to follow up with the individual.

Charging a fee

Under the Data Protection Act 2018, you cannot charge a fee to provide a copy of the individual’s personal data. However, you may charge a reasonable fee for additional copies and if you believe the subject access request to be manifestly unfounded or excessive. The fee must be based on the administrative costs of complying with the request and must not be excessive.

Saying no to a subject access request

You are not always required to say yes to a subject access request. You can say no if the request is manifestly unfounded or excessive. In either case, you must be able to justify the decision and provide the individual with:

  • The reasons you are not complying with their request
  • Their right to appeal the decision and make a complaint with the ICO
  • Their right to seek enforcement of right of access through the judicial system.

You can also say no if the individual is being investigated for a relevant crime or in relation to taxes and access to the information would be prejudicial to the investigation.

It’s important to point out the vast majority of subject access requests are not unfounded or excessive, and it’s important to remember that individuals have the right to access information relating to themselves. Therefore, if you cannot justify saying no to a subject’s request, you cannot. The Information Commissioner’s Office makes this clear.

Summing up

There are six key points to takeaway:

  1. Individuals have the right to access their personal data and it is the responsibility of the controller to enable that right.
  2. Subjects can make a subject access request verbally or in writing, and in either case it is the responsibility of the controller to act.
  3. Organisations have one calendar month to respond to a subject access request but may extend the time limit by two months if the request is complex – however this is at the discretion of the ICO.
  4. Organisations cannot charge a fee to provide a copy of the individual’s personal data but can charge a fee for additional copies.
  5. If the information requested contains personal data on another individual, the data on the other individual must be redacted prior to delivery of the request. Failure to do so would result in a data breach, which will have far wider consequences.
  6. The ICO has published further guidance for organisations regarding the information provided in this article. We recommend you read this guidance to ensure proper procedure.