A data subject's access to their data is a fundamental right of individuals under the Data Protection Act (2018). Whatever business you are in, if you hold personal data, you will probably receive a Subject Access Request (SAR) at some point. Thanks to improved data protection awareness there could be a large increase in the number of requests made, so organisations need to have a procedure in place.
A data subject will exercise this right if they want to see a copy of the information an organisation holds about them.
An individual has the right to:
- Be told whether any personal data is being held or processed.
- Obtain a description of the personal information.
- Know the purpose and lawful basis for the processing.
- Be told whether the data has been, or will be, passed to any other organisations or people.
- Know the period for which the data will be retained.
- Be made aware of their rights, like rectification and erasure and to lodge a complaint with the regulator.
- Be told the origin of the personal data, where known.
- Ask for an explanation of any automated decisions taken about them, such as a computer-generated decision to grant or deny credit, or an assessment of performance at work. This additional information only needs to be provided if it has been specifically requested.
The applicant has the right only to their own personal data, and not to data regarding other people, unless they are acting on behalf of that individual or consent has been received from them.
The Subject Access Request (SAR) must be responded to promptly and, at the latest, within 30 calendar days of receipt.
Receiving a SAR
It is important to verify the identity of the individual, to ensure you eliminate the risk of sending information to the wrong person. The information requested from the person to identify themselves should be reasonable and will depend on the relationship with the individual.
These are some possible methods of identifying a requester:
- If the request is made online within your portal or website, then the person’s usual login ID and password should be sufficient.
- If the request is made by fax, post, paper form or email, then a copy of a photo ID and a recent document showing the individual’s address (for example, a bank statement or utility bill) should be requested.
The following should be also considered:
- SARs can arrive at any point in the organisation and at any time, by post, email, fax, etc., as well as through social media accounts and other channels.
- All requests should be logged, identity verified, reviewed for validity, managed and monitored throughout the processing of the SAR. The ProvePrivacy data subject rights module manages this process for you.
- Verbal requests might not be responded to if it is not possible to obtain proof of identity or to undertake a security process to identify the individual. Good practice is to explain to people how to make a valid request, should they make a verbal request.
Responding to a SAR
All employees should be trained to recognise a SAR, or a potential SAR. Once identified, it should be passed to a specific individual or team in the organisation who manages the SAR process. If you use ProvePrivacy, this will be done via the integrated incident management process.
Where possible, and especially if a request is vague or very wide, attempts should be made to obtain more specific information from the applicant regarding what information they are seeking and for what purpose. This will enable you to focus the search and response on a more specific data set, and tailor your response to the data subject’s needs. It may be necessary to ask for further information to answer the request, but this should be requested quickly and should not delay the response beyond the 30 days.
If a request is large and complex, then there may be a need to inform the individual (within the 30 days) of a potential delay beyond 30 days.
When responding, it is not acceptable to amend or delete the data if you would not otherwise have done so. For some organisations, this could be an offence under the Freedom of Information Act.
In most cases, information should be communicated to the applicant by supplying them with a copy of it in permanent form, such as an electronic copy, photocopy or print out. It is good practice to check their preference.
The information provided should be intelligible to the average person; it does not need to be tailored specifically to the person making the SAR. For example, if information about an individual is coded, the meaning of the coded information should be provided.
There is no requirement to provide an interpretation of poorly written handwritten notes or to provide an interpretation of the information.
No fee can be charged for responding to SARs, with some exceptions such as medical records or where excessive or repeated requests are made. Any fee levied in these circumstances should reflect the cost of meeting the request(s).
Archived, backed up and deleted data
There should be procedures in place to find and retrieve personal data that is archived or backed up. There may be strong evidence that the archived or backed-up data is no different from the live data, in which case the live data could be used in the response.
The organisation should prohibit or restrict the storage of personal data on personal devices as part of good data security, but also because such data would need to be included in a SAR response and it is difficult to trace.
The regulator takes the view that deleted data is very unlikely to be used to make decisions impacting individuals, and that the cost and time involved in retrieving it may mean it is not reasonable to expect deleted data to be included in a SAR response. However, easily recovered data, such as data in a user’s “deleted items” folder, is not considered too difficult to retrieve.
Difficult, repeated or unreasonable requests
An organisation does not need to supply the information if it would involve “disproportionate effort” to do so, including difficulties in finding the requested information.
In deciding whether to rely on this exclusion, you must balance any challenges against the benefits the information might bring to the individual, remembering the fundamental right of subject access. The burden of proof is on the Controller to demonstrate that they have taken reasonable steps to respond to the SAR, and that it would be “disproportionate” to take further steps. If you are using ProvePrivacy, you would record this on the SAR incident.
Data relating to multiple persons
In certain circumstances, a response to a SAR may involve providing data that relates both to the individual and another identifiable person, or people. The organisation should not include this information in the SAR response in such cases, unless:
- You have consent from the other individual(s).
- It is reasonable to complete the request without the other individual’s consent.
SARs made on behalf of other people
Where someone makes a SAR on behalf of another person, you should ensure that the person making the request has the authority to act on behalf of the subject of the request by asking for evidence to that effect from the requestor, for example, through a power of attorney.
You should also consider confidentiality when responding; for example, you may send the information directly to the subject of the request, who can then share it if they choose to do so.
In the UK’s Data Protection Act (2018) definitions a child is anyone below 13 years of age. A child’s personal data belongs to the child and he or she has the right of access to personal data held about them. Parents (or those with parental authority) are likely to exercise the right of access in the case of young children. When responding to a SAR in relation to a child, the organisation should assess the child’s level of maturity. If you are suitably confident that the child will understand their rights, and can interpret the information they receive, then the response should go to the child. If there is a doubt, you should consider:
- The level of maturity of the child and his or her ability to make decisions.
- The possible consequences of giving a parent access to the child’s information.
- The possible negative consequences to the child if the parents cannot access the information.
- The nature of the personal information.
- Court orders relating to parental responsibility.
- The opinion of the child on whether the parent should have access.
Responsibilities of Data Controllers and Processors
Responsibility for responding to a SAR lies with the Controller of the data. The Controller should have a contract with the Processor that specifies the requirement to support the Controller in responding to SARs and other citizens’ rights. Whether or not there is a Processor in the chain who needs to retrieve data for the Controller, the SAR must be responded to within 30 days.