More and more companies are discovering the difficulty of dealing with requests for information from data subjects under section 7 of the Data Protection Act 1998.

Under the DPA a person is entitled to know

  • If an organisation is processing personal data about them
  • What personal data is being processed
  • The purposes for which the data is being processed
  • Recipients or classes of recipients of the data.

Personal data is data which relates to a living human being which would allow that person to be identified whether from the data itself or from other data held by the data keeper.

Often the company is receiving a request in its capacity as an employer from an employee or a former employee, but requests could also be made by customers or suppliers or any category of person who has reason to believe the company holds data about them.

Typically employees in dispute with employers are beginning to issue such requests; do you know if you have to comply in such circumstances?

Importantly the processing of data covers a multitude of activities including merely possessing the data. The request also covers data which is being processed for you by your third party suppliers, for example by payroll agencies and pension advisers. Have you checked to see if your contracts with such advisors require them to co-operate with you if you receive a Subject Access Request (SAR) in connection with which that supplier holds data?

The SAR is simply a written request by an individual, or someone on behalf of an individual, for details or copies of personal data held about them as mentioned above. You are not required to give copies of documents but it is usually easier to do this than it is to provide details.

Once the request is received it has to be dealt with within 40 days, or the data subject may lodge a complaint with the Information Commissioner's Office or apply to the courts for a compliance order.

However it is vital to be able to identify the fact that a SAR has been received. There is no specified format for the SAR, it need not refer to the DPA, it just has to be a written request, but it can be in any form including, probably, by text message. 

So how do your managers know if a SAR has been received?  Have they had any training?  What data do you keep, do you have a document retention policy?

How do you decide what information has to be released and what can be lawfully withheld? What if the information about the data subject identifies other individuals?

If you received a SAR would you have the manpower to do everything that was necessary in the timescale? Recently a client of ours collected no less than 8 GB of documents and emails (more or less 28,000)  in connection with a SAR from a single individual.

You need to have plans in place to deal with these eventualities.

Here at Sydney Mitchell we can help you in a number of ways:

  • We can train your managers to be able to identify a SAR and understand how to go about responding to it
  • We can train your managers or HR team in what constitutes personal data and what does not
  • We can review the data for you and help you decide what needs to be disclosed and what does not
  • We can advise you if you can rely on any of the limited exemptions which are available

For further information, call Roy Colaba on 0121 698 2200 or fill in our online enquiry form.


UK Top Tier Firm 2021 Lexcel Practice Management Standard Birmingham Law Firm of the Year for 2011 Resolution Collaborative Family Lawyer
The Law Society Accredited in Family Law Conveyancing Quality Scheme