What is a subject access request?
‘A subject should have the right of access to personal data which are collected concerning him or her, and to exercise that right easily and at reasonable intervals’ – GDPR Official Guidelines (Article 63)
A subject access request is how an individual asserts their right of access. While subject access requests are available under current data protection law, updates to what is considered ‘personal data’ mean that we are potentially responsible for providing new information, such as medical records.
The procedure for making and responding to a subject access request remains similar to most data protection laws, however there are some key updates and changes which we need to be aware of.
What counts as a valid Subject Access Request?
The GDPR does not specify how to make a valid request. Therefore, an individual can make a subject access request to us verbally or in writing. It can also be made to any part of our organisation (including by social media) and does not have to be to a specific person or contact point.
Therefore, although we may invite individuals to use a form and we can point them to our SAR template on our website, we must make it clear that it is not compulsory and cannot use this as a way of extending the one month time limit for responding.
All subject access requests should be logged.
- Under the GDPR it is possible for an individual to make a subject access request on social channels, such as Twitter or Facebook or via email. We must treat these applications as valid and respond to the individual within the 30 day timescale.
- A request sent via fax is considered to be a valid hard copy.
- If a request fails to mention that it is a subject access request, but it is clear that the individual is asking for their own personal data, it is still valid and should be treated as such.
- Similarly, a Subject Access Request is considered valid, even when it has not been sent to the relevant person who processes the request.
- A verbal request is now considered valid
As with any request of this nature, there are always exemptions to what is considered valid. For example, if a disabled person is unable to make a subject request in writing, we must make adjustments for them under the Equality Act 2010 (Disability Discrimination Act 1995- Northern Ireland). We may also have to make a similar provision to the format: Braille, audio transcribed, large print etc. Failure to make provision may not put us at risk of GDPR non-compliance, but will certainly put us at risk of a claim under the Equality Act.
What information should a subject access request contain?
At first glance, it may appear that we have to include everything we hold on an individual. And while, in many cases, this may be true, there are some important exceptions. Below is what should be included;
It is important that a subject access request details:
- How and to what purpose personal data is processed
- The period we intend to process it for
- Anyone who has access to the personal data
- The logic involved in any automatic personal data processing
However we have the right to withhold information that would compromise or reveal:
- The personal data of another individuals
- Intellectual property
- Trade secrets.
There may be times when responding to a Subject Access Request would mean we have to disclose the personal information of another person. In most cases, as mentioned above, we do not need to include this information except where:
- The other individual has consented to the disclosure or
- It is reasonable in all the circumstances to comply with the request without that individual’s consent.
The GDPR regulations recognises that while Right of Access is fundamental, we should not be expected to provide information simply because an individual is interested in it. Unless they are acting on behalf of another person, an individual is only entitled to see their own personal data.
We must establish whether the information requested falls under the definition of ‘personal data’. If it does not, we are not obligated to respond to the subject access request. We must also keep in mind that this does not exempt us from providing any information to the individual making a subject access request. We are obligated to provide as much information as possible when an individual makes a subject access request.
How long do I have to respond?
We have 30 days to respond. The time limit runs from the day after we receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month. If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, we have until the next working day to respond.
This means that the exact number of days we have to comply with a request varies, depending on the month in which the request was made.
It is technically possible to gain an extension to this timescale if the request is deemed complex, or numerous. However the official GDPR guidelines state that ‘The controller should be prepared to make extensive efforts to find and retrieve requested information,’ which means that we cannot refuse to grant access to personal information simply because it might be hard to find. To gain a time extension only applies when we processes a large quantity of information on the individual.
What format do I need to respond in?
We will respond in the most appropriate format for the request. This may include an invitation to come into the organisation and view the files if appropriate.
Can we charge a fee?
We can also charge a reasonable fee if an individual requests further copies of their data following a request, or if the request is manifestly unfounded or excessive. The fee must be based on the administrative costs of providing further copies. If we decide to charge a fee we should contact the individual promptly and inform them. We do not need to comply with the request until we have received the fee.
Can we ask an individual for ID?
If we have doubts about the identity of the person making the request we can ask for more information. However, it is important that we only request information that is necessary to confirm who they are.
We need to let the individual know as soon as possible that we need more information from them to confirm their identity before responding to their request. The period for responding to the request begins when we receive the additional information.
What should we do if we refuse to comply with a request?
We must inform the individual without undue delay and within one month of receipt of the request.
We should inform the individual about:
- the reasons we are not taking action;
- their right to make a complaint to the ICO or another supervisory authority; and
- their ability to seek to enforce this right through a judicial remedy
What is the Subject Access Request (SAR) procedure?
- The data subject requests on their SAR a specific set of data held by/from *PLT. The data subject can request all data held on them. Requests may come in a variety of formats.
- Once received, the SAR application is immediately forwarded to the DPO (Corinne Walker firstname.lastname@example.org ), who will ensure that the requested data is collected within the specified time frame in point 7 below.
- DPO must verify the identity of the person making the request, using ‘reasonable means’.
- DPO records the date that the identification checks were conducted and the specification of the data sought.
- DPO responds immediately with 1st letter, confirming receipt of SAR and that the request is being dealt with.
- If collating the information is taking longer than expected, DPO to follow up with interim 2nd letter confirming that work is ongoing to meet the request, within the specified time frame.
- DPO provides the requested information without delay and at the latest within one month of receipt, along with 3rd letter. (We can extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, DPO must inform the individual within one month of the receipt of the request and explain why the extension is necessary.)
- The DPO will respond in the most appropriate format for the request. This may include an invitation to come into the organisation and view the files if appropriate.
- The DPO maintains a record of requests for data and of its receipt, including dates and which site requested from.
- SAR requests for Hathershaw (parent, staff, child etc.) will be forwarded to Mark Giles, Vice Principal, and will be dealt with along with the DPO.
- SAR requests for Werneth (parent, staff, child etc.) will be forwarded to Conrad North, Principal, and will be dealt with along with the DPO.
- The DPO reviews SAR requests from a child and forwards to relevant person for further information. Before responding to a SAR of the child data subject, the DPO considers their ability to making the request by (adequately explaining any implications of sharing their personal data etc.)
- The DPO reviews all documents that have been provided, to identify whether any third parties are present in it, and either removes the identifying information from the documentation, or obtains written consent from the third party for their identity to be revealed.
- Collecting the data specified by the data subject – or –
- Searching all databases and all relevant filing systems (manual files) in *PLT, including all back up and archived fields (computerised & manual) and all email folders and archives. The DPO (Corinne Walker, email@example.com ) maintains a data map that identifies where all data in *PLT is stored.
*PLT = OSFC, Hathershaw, Werneth & Pinnacle Learning Trust
Please Note: Paper copies of this document can be obtained by contacting us via our ‘Contact Us’ form, or by calling 0161 287 8000