Subject Access Requests are a component of data management introduced by the GDPR and the DPA 2018.
This blog post will go into more detail on what SARs are, how they can be requested and how you should respond to them.
Subject Access Requests (SARs) give individuals the legal right to obtain and review a copy of the personal data an organisation holds about them. This allows individuals to understand fully what data is held about them and what it is being used for.
This was brought into force by the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018.
The GDPR does not specify how to make a valid request. Therefore, an individual can make a Subject Access Request verbally or in writing. It can also be made to any part of an organisation (including by social media) and does not have to be to a specific person or contact point.
What is the individual entitled to?
Once a request has been made, the individual is entitled to the following information:
- Confirmation that you have received and are processing their personal data request.
- A copy of their personal data that you hold.
- Other supplementary information – this largely corresponds to the information that you should provide in a privacy notice.
An individual is only entitled to his or her own personal data, and not to information relating to other people (unless that information is also about them, or they are acting on behalf of someone else). Therefore, it is important that you establish whether the information requested falls within the definition of personal data.
For further information about the definition of personal data, the ICO provides detailed guidance on what constitutes personal data.
How much time do you have to respond?
There are strict and clear guidelines over the timeframe and allowances for responding to an access request properly and in full.
Firstly, there is a strict time limit within which you must respond to the individual's access request. This has been set as 1 month from receipt of the request, and it is the very latest by which you should provide the individual with the requested information. On certain occasions you may be able to extend this time frame by a further 2 months, for example where:
- The request is complex.
- You have received a large number of requests from the individual.
However, if you do extend the time you take to respond, you must inform the individual within one month of receipt of the request and explain why the extension is necessary.
Can you charge an access request fee?
Under both the GDPR and the DPA 2018, you are not allowed to charge any sort of fee to provide the individual with their access request. However, this changes if the access request is “manifestly unfounded or excessive”, in which case you are entitled to charge a “reasonable fee” to cover the costs of administration. The only other time a fee may be charged is if an individual requests further copies of their data after a request. Again, this fee has to be reasonable and in line with the administrative cost of handling the further request.
How should a response be made?
In most cases, the request will be made electronically, via email or a contact form. If so, and the individual has not expressly asked for a particular reply method, you are expected to reply in a commonly used electronic format.
However, the GDPR states that a best practice method would be to provide remote access to a secure self-service portal where the individual can access their own information directly.
This will not be appropriate for all organisations, but there are some sectors where this may work well.