We are noticing an increase in subject access requests where our clients are contacted by individuals requesting copies of personal information held about them. Such requests are common in connection with disputes or litigation and can also be received from employees. We expect to see further increases in such requests and have prepared this note as a reminder of what is involved in dealing with them.

Subject access requests are commonplace because it is very easy for the individual to send them and, in the vast majority of cases, entirely without cost to the sender. The request does not have to be in any particular form or to set out the purpose of the request or even to be in writing. Unfortunately, from the perspective of the business or organisation receiving the request, responding can be burdensome, expensive and generally challenging, particularly if they are unprepared for dealing with such a request.

There is generally a time limit of one month for responding to a request. This can be extended by up to two months if the request is complex, provided that the individual is advised of the need for the extension within the first month.

In cases where the business has reasonable concerns about the identity of the person making a request, it may ask for more information to confirm the person’s identity, but it must be reasonable and proportionate about what evidence is requested. A request for information to confirm identity pauses the start of the timescale for response until the business receives the information, but the business is not allowed to delay sending a request for more information as a device for extending the timescale.

If the business handles a large amount of data concerning the individual it can also ask them to specify what information is required. The individual is not obliged to narrow the scope of the request and can ask for copies of all data held but, again, the timescale for responding to the request is paused until the individual replies.

If the request for information sent by the individual is “manifestly unfounded or excessive” the business may request a reasonable fee for dealing with the request or refuse to deal with it. The test for what constitutes “manifestly unfounded or excessive” sets quite a high bar so cases where a fee can be charged are very much the exception rather than the rule.

When it comes to responding substantively to a request, the business will need to gather all the “personal data” or information it holds about the subject of the request. Personal data for this purpose includes “any information relating to an identified or identifiable natural person”. This has a wide application, and businesses will need to understand what is covered, which is not always clear-cut. Generally, any relevant information held by the business in any of its records, devices, logs or systems will need to be provided. The business will therefore also need to be conscious of what types of information it holds and where, and be able to locate and extract that information.

Once all of the relevant information has been gathered, the business then needs to go through a further exercise to establish whether any of the information may or should be withheld. Generally, all information relating to the individual should be provided, but there are a limited number of exceptions to this, for example, matters covered by legal professional privilege. Caution is also required where a document which includes relevant personal information also includes personal information of other individuals. In such cases, the business may ask the other individuals affected if they consent to the information being provided or redact the document so that their information is obscured.

When the information has been collated and checked it needs to be sent to the individual. The information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Unless the data subject has requested the response in another format, the response should be in writing or in electronic form where the data subject has made an electronic request.

In order to be prepared for dealing with a subject access request, we recommend as a minimum that businesses:

  • identify individuals or a team in the organisation who are to be responsible for dealing with subject access requests;
  • ensure that all other relevant staff are trained to recognise a subject access request when one is received and to send it to those responsible without delay;
  • carefully consider what personal information is held by the organisation and where the personal information is or may be located in its records, systems and devices;
  • put in place policies and procedures for responding to a request; and
  • be aware that determining the information to be provided in response to a request may be a time-consuming process that is not straightforward.

If your business receives a request and you need any advice about how to respond, please contact our corporate team on 08081668827.
