What is a subject access request?
Guidance for both individuals and companies on how a data request should be processed
With seemingly everything and everyone collecting data through all manner of means, companies and online services now have a lot of information on individuals, whether it's detailed data or aggregate information.
For many businesses, this is the trade-off for providing free services, as is the case with social media companies and search tools like Google. However, regardless of how you collect data, or how much of it you store, you may have to deal with a subject access request (SAR) from time to time, particularly at a time when subjects are highly conscious of their data rights.
What is a subject access request (SAR)?
Every data subject has the 'right of access', which forms a fundamental part of data protection law across the world, and is a core tenant of the European Union's Charter of Fundamental Rights. This gives each data subject the right to known whether an organisation is storing or processing their personal data, a right that is usually exercised through a subject access request.
Using an SAR, an individual can request to see a copy of their data, as well as details on why that data is being processed, what type of data it is, the recipients of that data, how long it's stored, how the data was collected, and evidence to show that the data is being appropriately safeguarded.
Unlike the Data Protection Act 1998, which allowed companies to charge up to 10 per SAR request, the General Data Protection Regulation requires all organisations to accommodate SARs for free, however, if the request is considered to be 'manifestly unfounded or excessive', they can charge reasonable admin fees.
It's therefore advisable for individuals to be specific in the data they are requesting. For example, a reasonable request might be to see a copy of CCTV footage from X location on Y date, during the hours of 13:00 and 16:00 - rather than asking for a month's worth of footage.
As such, companies should ensure that the data they collect is stored safely and in an easily manageable format, thereby ensuring they are GDPR compliant and can facilitate subject access requests with relative ease. Having these processes in place will prevent an organisation coming under fire from public complaints, as the Information Commissioner's Office's official statistics show that the mishandling of subject access requests was the most complained about data protection issues by the public in 2016.
If a company or organisation is unable to fulfil a request, an individual has the right to make a complaint to the ICO.
How to make a subject access request
Making a subject access request is a fairly straightforward process but requires a few steps to be followed.
In the absence of specific criteria under GDPR, access requests can currently be made either in writing, through a letter or an email, or verbally (We'd recommend email because most businesses taking GDPR seriously will have policies in place that will want to record all SARs). These can simply instruct an organisation to provide all the information it holds on you that it's required to disclose under the Data Protection Act 2018 and GDPR.
GDPR does recommend that companies have a standardised form in place to make it easier for data subjects to submit a request, however, even if this exists, an individual's submission will still be valid if made through another means.
Any employee of an organisation may receive a valid subject access request, although it's the responsibility of the company to ensure any such requests are processed. This may require additional staff training for those that are regularly in contact with data subjects. Most individuals will likely contact the marketing or data department specifically to ensure a quicker response.
For an individual submitting a subject access request, the first step is to find out the most relevant department or person in an organisation to submit a request to. After that, it's worth making sure you have a clear idea of all the information you wish to receive through the request.
When submitting the request, ensure you have all your relevant details in the letter or email, such as full name, contact number, and address, as well as any information that will help a company match up your request with your data.
It's also worth noting that under GDPR, an organisation has a month to comply with the request, so do provide a reference date to ensure that happens.
As some companies are still getting used to the switch to GDPR, it's also worth highlighting to the company that you have the right to make the request for free, to prevent any confusion further down the line. A SAR template is provided on the ICO's website.
For companies and individuals handling subject access requests, it's worth being aware of these steps to ensure the requests are fulfilled in a timely manner in order to avoid any action from the ICO. In terms of time limits, the ICO guidance states: "In most cases, you must respond to a subject access request promptly and in any event within 40 calendar days of receiving it."
How requests should be fulfilled
Organisations have one month to respond to a SAR without notice. However, if an organisation needs extra time to consider a request, this can be extended to three months from the date of the initial request, although it is required to inform the subject as to the reasoning for this delay.
Organisations must ensure that any data provided to a subject is in a commonly used electronic format, unless the individual requests otherwise. GDPR recommends that companies set up a self-service system that grants individuals remote access to a copy of the data, although this isn't compulsory.
All data should be in a concise, transparent, and easily accessible form that's written in plain English and that's capable of being understood by the average person.
If the individual requests a large volume of data then the company may ask for more information in order to narrow its scope. In this instance, the period for fulfilling the request will start from the date more information is provided.
In This Article
- 1What is GDPR?
- 2GDPR fines explained
- 3Who benefits from GDPR fines?
- 4What GDPR means for small businesses
- 5What Brexit means for GDPR
- 6What GDPR means for financial services
- 7How to perform a data protection impact assessment
- 8What is a subject access request? - currently reading
- 9What is the 'right to be forgotten'?