How to Respond to a Subject Access Request
13th February 2018
With the fast approach of the new General Data Protection Regulations (GDPR), you are most likely overwhelmed by the information you are having to work through to make your business GDPR compliant. You’re probably wondering; what is a subject access request, how do I address it and how does it affect me as a small business? Let’s answer these questions!
Any individual has the right to ask an organisation to see a copy of any and all information held about them. This is known as a subject access request. An individual’s right to access does not end there though. Any person who submits a request in writing (and where applicable, pays a fee) is entitled to be informed of any personal data being processed, provided with a description of such data, the reason/s for it being processed and whether the information will be passed on to third party companies or organisations. They also reserve the right to be supplied with a copy of any such data, including the source of the data where this is available.
Data subjects are also entitled to request information regarding the reason/s behind any automated decisions, except where this information is strictly confidential.
You can read more about automated decisions in data processing here: https://ico.org.uk/for-organisations/guide-to-data-protection/principle-6-rights/automated-decision-taking/
Find out how to deal with a subject access request for information by using the Information Commissioner’s Office’s Subject Access Request Checklist:
Before you can do anything with a new subject access request, you must ensure that you have everything required to process the request.
- Has the data subject provided the relevant information you require to locate the data they are after?
- Have they provided sufficient information to verify their identity?
- If applicable, has the data subject included the appropriate fee?
There may be a possibility that you will have to contact the data subject on receipt of the subject access request, as they may not provide all the relevant information required to continue.
It should go without saying that when you are dealing with people’s personal data, confidentiality is key. That is why ensuring you are satisfied that the person requesting the information is who they say they are before you make any form of disclosure is of the utmost importance.
You should take reasonable measures to obtain verification of the data subject’s identify without seeming obstructive. You will find that most people will be happy to answer simple security questions or provide a form of identification in return for knowing that their personal information is protected.
Proving identity is usually fairly circumstantial. In a lot of cases, you will find that proof of address via photo ID or a signature would be sufficient verification.
In some instances, you may have to request further verification of the data subject’s identity. In this situation, you will have two options. Contact the data subject via telephone or in writing.
- Telephone – call the data subject and ask them two security questions based on the information you hold on them.
- In writing – contact the data subject requesting they send a photocopy of a form of photo identification (passport or driving licence). However, keep in mind that this will prolong the process, and there will be a chance that the data subject will not hold forms of ID.
Generally, you should aim to respond to a subject access request as promptly as possible; and always within 40 days of receiving a valid subject access request. This time scale includes weekends and public holidays. You should calculate the date on which the data subject should expect the information by, and inform them of this straight away.
Once you are happy that the subject access request is valid, and the data subject is genuine, you will need to find the information that has been requested and ensure that you follow the correct procedure.
To begin, you will need to search your company’s records in order to locate the information required about the person who has made the request. This could involve searching a range of locations, including files, emails and computer drives.
Not all personal information is liable to be disclosed. Rigorous screening is required to ensure that no unsuitable data is being released.
Screening of information should be performed on a case-by-case basis for each individual piece of information that has been requested by the data subject. There may be certain circumstances where you will only be able to release parts of a particular document. See ‘Exemptions’ for more information.
It is important that you check that the record is actually related to the person who is requesting this information. There will be many occasions where you have a list of data subjects who all have the same name. You might also come across documents that mention the person by name but are not actually about that person, so accuracy is of the utmost importance here.
Some types of personal data are exempt from the right to be requested for subject access, so cannot be obtained by data subjects. If an exemption applies, you will not be required to disclose the information it relates to. If the exemption only covers part of the information, you should follow this instructions below.
Read more about exemptions here: https://ico.org.uk/for-organisations/guide-to-data-protection/exemptions/
If you happen across information that reflects negatively on the company (for example, documents that display incorrect procedures being carried out), you must disclose the data as requested.
You may not destroy or withhold information that you deem unfavourable to your company. This is a criminal offence if enacted after receipt of a subject access request.
Under no circumstances should any information that would prejudice the prevention or detection of a crime be disclosed. This information can be disclosed if the case has been closed.
Any records that contain advice from lawyers, requests for legal advice or were written as part of obtaining legal advice should not be disclosed at any time.
- Print document, or photocopy if it is a paper record.
- Blank out any exempt information using a black marker pen.
- Photocopy the blanked out document and send the copy to the data subject requesting the information.
- Highlight any exempt information in black and save this as a separate copy.
- It is possible that the highlighted sections can be removed electronically, so print the document and to send to the data subject.
Where there are duplicate records (i.e. emails which include previous correspondence), make sure that you only print out the most recent document.
You should never disclose information about third parties. Any information that relates to more than one individual, including the data subject requesting the subject access, should be screened accordingly. Where blanking out information is not possible, the third party’s consent should be sought. If this is not possible to obtain then the information should be withheld.
Once you are satisfied that you have correctly completed these steps, and have compiled all relevant data requested by the data subject with any exempt information screened and blanked out, you should write to the applicant with all data eligible for disclosure. In the event that any information cannot be disclosed, an explanation of this should be provided.
Paper trails are a must when you’re running a business. Keeping a step-by-step record of any process or transaction allows anyone to recreate the action taken from beginning to end, which can protect you against any wrong doing, and provides you with undeniable proof that you followed laws and procedures.
Procedures will vary between organisations, but the standard process for recording subject access requests is to create a file per request and assemble:
- Copies of all correspondence between you, the data subject and any third parties.
- A record of any telephone or written communication between you and the data subject used to obtain identification verification.
- A record of your decisions and how you came to them.
- Copies of all the information sent to the data subject.
If you require further in depth information in relation to subject access requests, the ICO website is always being updated in accordance with changes to the law.
Data Subject – An individual who has personal information or data held about them which is being processed or otherwise used by a company or organisation.
Automated Decision – Deciding solely by automated means, without any human involvement. For example: a website uses algorithms and auto credit searching to provide and immediate yes/no decision on an application.
Processing – The term ‘processing’ is very broad, and covers an extensive list of operations that could be performed on, to or with information or data. This could include, but is not limited to the organisation, retrieval and disclosure of the information or data. This clarifies that Data Protection law applies wherever an organisation does anything that involves or effects information or data. ‘Automated processing’ – anything on a computer.
Right to Access – Data subjects hold the right to request and obtain confirmation from the data controller as to whether personal data concerning them is being processed, and for what purpose. Data subjects also have the right to request an electronic copy of the personal data, free of charge.