At a glance
- Individuals have the right to access and receive a copy of their personal data, and other supplementary information.
- This is commonly referred to as a subject access request or ‘SAR’.
- Individuals can make SARs verbally or in writing, including via social media.
- A third party can also make a SAR on behalf of another person.
- In most circumstances, you cannot charge a fee to deal with a request.
- You should respond without delay and within one month of receipt of the request.
- You may extend the time limit by a further two months if the request is complex or if you receive a number of requests from the individual.
- You should perform a reasonable search for the requested information.
- You should provide the information in an accessible, concise and intelligible format.
- The information should be disclosed securely.
- You can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.
Preparing for subject access requests
- We know how to recognise a subject access request and we understand when the right of access applies.
- We have a policy for how to record requests we receive verbally.
- We understand what steps we need to take to verify the identity of the requester, if necessary.
- We understand when we can pause the time limit for responding if we need to ask for clarification.
- We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.
- We understand the nature of the supplementary information we need to provide in response to a subject access request.
- We have suitable information management systems in place to allow us to locate and retrieve information efficiently.
Complying with subject access requests
- We have processes in place to ensure that we respond to a subject access request without undue delay and within one month of receipt.
- We understand how to perform a reasonable search for the information.
- We understand what we need to consider if a third party makes a request on behalf of an individual.
- We are aware of the circumstances in which we can extend the time limit to respond to a request.
- We understand how to assess whether a child is mature enough to understand their rights.
- We understand that there is a particular emphasis on using clear and plain language if we are disclosing information to a child.
- We understand what we need to consider if a request includes information about others.
- We are able to deliver the information securely to an individual, and in the correct format.
What is the right of access?
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.
How do we recognise a subject access request (SAR)?
An individual can make a SAR verbally or in writing, including on social media. A request is valid if it is clear that the individual is asking for their own personal data. An individual does not need to use a specific form of words, refer to legislation or direct the request to a specific contact.
An individual may ask a third party (eg a relative, friend or solicitor) to make a SAR on their behalf. You may also receive a SAR made on behalf of an individual through an online portal. Before responding, you need to be satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of their authority.
What about requests for information about children?
Before responding to a SAR for information held about a child, you should consider whether the child is mature enough to understand their rights. If the request is from a child and you are confident they can understand their rights, you should usually respond directly to the child. You may, however, allow the parent or guardian to exercise the child’s rights on their behalf if the child authorises this, or if it is evident that this is in the best interests of the child. If a child is competent, they may authorise someone else, other than a parent or guardian, to make a SAR on their behalf.
What should we consider when responding to a request?
You must comply with a SAR without undue delay and at the latest within one month of receiving the request. You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual, eg other types of requests relating to individuals’ rights.
If you process a large amount of information about an individual, you may be able to ask them to specify the information or processing activities their request relates to, if it is not clear. The time limit for responding to the request is paused until you receive clarification, although you should supply any of the supplementary information you can do within one month.
Can we ask for ID?
Yes. You need to be satisfied that you know the identity of the requester (or the person the request is made on behalf of). If you are unsure, you can ask for information to verify an individual’s identity. The timescale for responding to a SAR does not begin until you have received the requested information. However, you should request ID documents promptly.
Can we charge a fee?
Not usually. In most cases you cannot charge a fee to comply with a SAR. However, you can charge a ’reasonable fee’ for the administrative costs of complying with a request if it is manifestly unfounded or excessive, or if an individual requests further copies of their data.
How do we find and retrieve the relevant information?
You should make reasonable efforts to find and retrieve the requested information. However, you are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information.
How should we supply information to the requester?
An individual is entitled to a copy of their personal data and to other supplementary information (which largely corresponds with the information that you should provide in a privacy notice). If an individual makes a request electronically, you should provide the information in a commonly used electronic format, unless the individual requests otherwise.
When deciding what format to use, you should consider both the circumstances of the particular request and whether the individual has the ability to access the data you provide in that format. It is good practice to establish the individual’s preferred format prior to fulfilling their request. Alternatives can also include allowing the individual to access their data remotely and download a copy in an appropriate format.
If an individual asks, you can provide a verbal response to their SAR, provided that you have confirmed their identity by other means. You should keep a record of the date they made the request, the date you responded, details of who provided the information and what information you provided.
As the controller of the information you are responsible for taking all reasonable steps to ensure its security. Please see our detailed guidance ‘How do we provide the information securely?’ for more information.
Can we refuse to comply with a request?
Where an exemption applies, you may refuse to provide all or some of the requested information, depending on the circumstances. You can also refuse to comply with a SAR if it is manifestly unfounded or manifestly excessive. Our detailed guidance explains the factors you should consider in determining whether a request is manifestly unfounded or excessive.
If you refuse to comply with a request, you must inform the individual of:
- the reasons why;
- their right to make a complaint to the ICO or another supervisory authority; and
- their ability to seek to enforce this right through the courts.
What should we do if the request involves information about other individuals?
Where possible, you should consider whether it is possible to comply with the request without disclosing information that identifies another individual. If this is not possible, you do not have to comply with the request except where the other individual consents to the disclosure or it is reasonable to comply with the request without that individual’s consent.
Our detailed guidance provides further information on what you need to consider in these circumstances.
You need to respond to the requester whether or not you decide to disclose information about a third party. You must be able to justify your decision to disclose or withhold information about a third party, so you should keep a record of what you decide and why.
What other exemptions are there?
The exemptions are set out in Schedules 2 and 3 of the DPA 2018 and they are as follows:
- Crime and taxation: general
- Crime and taxation: risk assessment
- Legal professional privilege
- Functions designed to protect the public
- Regulatory functions relating to legal services, the health service and children’s services
- Other regulatory functions
- Judicial appointments, independence and proceedings
- Journalism, academia, art and literature
- Research and statistics
- Archiving in the public interest
- Health, education and social work data
- Child abuse data
- Management information
- Negotiations with the requester
- Confidential references
- Exam scripts and exam marks
- Other exemptions
Our detailed guidance explains how each of these exemptions work in practice. While the exemptions listed above are those most likely to apply in practice, the DPA 2018 contains additional exemptions that may be relevant when dealing with a SAR. For more information, please see our guidance about exemptions.
Are there any special cases?
Yes. There are special rules and provisions about SARs and some categories of personal data, including:
- unstructured manual records;
- credit files;
- health data;
- educational data; and
- social work data.
Our detailed guidance provides further details of these special rules and provisions.
Can the right of access be enforced?
Yes. In appropriate cases, the ICO may take action against a controller or processor if they fail to comply with data protection legislation. The ICO will exercise these enforcement powers in accordance with our Regulatory Action Policy.
If you fail to comply with a SAR, the requester may apply for a court order requiring you to comply or to seek compensation. It is a matter for the court to decide, in each particular case, what action to take.
Can we force an individual to make a SAR?
No. An enforced SAR is when someone requires an individual to make a SAR to gain access to certain information about them (eg their convictions, cautions or health records). This information is then used, for example, as supporting evidence regarding a job application or before entering into a contract for insurance. Forcing an individual to make a SAR in such circumstances is a criminal offence.
You should consult our detailed guidance for further detail about the circumstances in which it is unlawful to require an individual to make a SAR.
Thank you for reading.