Subject Access Request Summary
By Stuart Janicki • 28 Jan 2011
The Data Protection Act 1998 gives certain rights to individuals and the public. Principle 6 of the Act contains the right of an individual to obtain a copy of the personal data an organisation holds about them. This is known as a Subject Access Request. But what is a Subject Access Request, why is it important and what do organisations need to do?
Introduction to Subject Access Requests
Data Protection Act Principle 6 ensures that individuals have a right of access to the data that organisations hold about them. This information may reside in a company’s computer records and in some manual records. It may include medical records, financial information and files held by public bodies.
For any organisation that handles personal data, and especially for data controllers, it is imperative that an individual’s rights are understood. It is the Information Commissioner’s Office’s role to ensure compliance with the Data Protection Act: it promotes good information handling, conducts assessments of compliance and reports directly to government.
Individuals’ Rights to Data
A Subject Access Request enables an individual to access only their own personal data. This means they are not permitted to request access to information that relates to a third party. Nor are they entitled to information simply because they are interested in its contents.
A Subject Access Request does not give a right of access to the whole document containing the information, only to the parts that are the individual’s personal data.
This differs from a Freedom of Information Request, which enables any member of the public to access data held by a public organisation.
Valid Subject Access Requests
A valid Subject Access Request can be submitted by email, fax or post. An individual is not required to mention the Data Protection Act, or even to state that it is a Subject Access Request. If it is apparent that the person wishes to access their own data, the request should be treated as valid.
If a request is made verbally, there is no obligation to respond, but to maintain a good relationship with the individual it is best to explain to them how they can make a valid request.
An organisation must be prepared to handle such requests. All areas of the organisation should be able to recognise these requests and pass them on to the relevant member of staff. There should also be systems in place to extract the information as required.
Format of requests
You do not have to design a specific request form, and you cannot force individuals to use one. You can, however, provide a form: it makes a Subject Access Request easier to recognise and improves your ability to gather the information you need to locate the data.
Any request in writing should be considered a valid request.
Ideally, you should be keeping backups of successive versions of data. This will enable you to retrieve and preserve the data as it stood when the request was made. Given the changing nature of business data, it would be reasonable to use the latest version of the information, but it is still in the best interest of the individual to receive the data from the time of the request.
You should not delete or modify data in response to a request if it would not be normal company policy to do so.
Understanding the Data
The ICO’s interpretation of the Act is that the information disclosed should be intelligible. This means that an average person should be able to understand the information you have disclosed.
You do not need to make it intelligible to that particular individual, but again, it is advisable to work with the individual to resolve any difficulty in understanding it.
Subject Access Request Costs
The maximum you can charge an individual is £10, unless the request concerns a health or education record, where £50 is permitted.
You cannot simply refuse a request because no fee has been paid.
Given these limits, it is financially beneficial to have a system in place that keeps data organised, so that a request can be answered without an expensive search.
Asking for more information
You can ask the individual for two pieces of information:
- Proof of the individual’s identity: this avoids exposing personal data to the wrong person and helps ensure compliance with Principle 7 of the Data Protection Act. The level of identity evidence you request should be proportionate to the information requested.
- Details that let you reasonably identify the personal data covered by the request.
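The following is an added illustration, not part of the original article, of how an organisation’s request-handling system might apply the rules above when scoping a disclosure: a written request (email, fax or post) is treated as valid while a verbal one is not; no data is released until identity has been verified; only the requester’s own records are returned, with fields that contain another person’s personal data redacted rather than the whole document withheld; and the fee is capped at £10, or £50 where health or education records are involved. The record layout, category labels, channel names and sample records are all constructed for the example.

```python
"""Constructed model of scoping a Subject Access Request (SAR) disclosure.

Not the article's code. Record structure, categories, channel names and the
sample data below are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Any

WRITTEN_CHANNELS = {"email", "fax", "post"}   # routes the article names as valid
FEE_CAP_STANDARD = 10                          # £10 ceiling stated in the article
FEE_CAP_HEALTH_EDUCATION = 50                  # £50 ceiling for health/education records
REDACTED = "[third-party personal data withheld]"


@dataclass
class Record:
    subject_id: str                 # identifier of the person the record is about
    category: str                   # constructed labels: "crm", "health", "education"
    fields: dict[str, Any]
    # names of fields whose values are another person's personal data
    third_party_fields: set[str] = field(default_factory=set)


class InvalidRequest(Exception):
    """Raised when the request cannot be fulfilled as submitted."""


def is_valid_request(channel: str) -> bool:
    """A request made in writing is valid; a verbal request need not be answered."""
    return channel.lower() in WRITTEN_CHANNELS


def max_fee(records: list[Record]) -> int:
    """Highest fee chargeable for the records that will be disclosed."""
    if any(r.category in {"health", "education"} for r in records):
        return FEE_CAP_HEALTH_EDUCATION
    return FEE_CAP_STANDARD


def scope_request(records: list[Record], subject_id: str,
                  channel: str, identity_verified: bool):
    """Return (disclosure, fee) for a SAR, or raise InvalidRequest.

    Only the requester's own records are included, and within each record any
    field holding third-party personal data is replaced by a redaction marker.
    """
    if not is_valid_request(channel):
        raise InvalidRequest(
            f"{channel!r} is not a written channel; explain how to make a valid request")
    if not identity_verified:
        raise InvalidRequest("identity not verified; data must not be released")

    own = [r for r in records if r.subject_id == subject_id]
    disclosure = []
    for r in own:
        disclosure.append({
            "category": r.category,
            "data": {k: (REDACTED if k in r.third_party_fields else v)
                     for k, v in r.fields.items()},
        })
    return disclosure, max_fee(own)


# Constructed sample records: two subjects, one record containing data about
# a third person (the complainant) alongside the subject's own data.
SAMPLE_RECORDS = [
    Record("S-001", "crm",
           {"name": "Alice Example", "complaint_raised_by": "Carol Example",
            "status": "open"},
           third_party_fields={"complaint_raised_by"}),
    Record("S-001", "health", {"gp_note": "Routine check-up, no follow-up"}),
    Record("S-002", "crm", {"name": "Bob Example", "status": "closed"}),
]


if __name__ == "__main__":
    disclosure, fee = scope_request(SAMPLE_RECORDS, "S-001", "email", True)
    for item in disclosure:
        print(item)
    print(f"maximum fee: £{fee}")
```

Running the block discloses Alice’s two records with the complainant’s name redacted and reports a £50 ceiling because a health record is involved; a request for Bob’s data yields one record and a £10 ceiling, and a telephone request or an unverified identity stops the process before any data is selected.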