Data Protection Animation Series: Subject Access Requests
The General Data Protection Regulation (GDPR) made many changes to the laws around data protection, not least around the rights of individuals. One of the cornerstone rights is the right of access, and you may have encountered the term Subject Access Request before.
Anyone whose personal data you process has the right to know that you have their information, how you have obtained and used it, and to receive a copy of that personal data. This allows them to see what data you hold, and if desired, they could ask for that data to be deleted or corrected.
This isn't a completely new right. Subject Access Requests have existed since the 1998 Data Protection Act. With the GDPR, it is now more likely that your organisation could receive one of these requests, even if you have never received one before.
Due to greater public awareness as a result of the enforcement of the GDPR from May 2018, as well as media coverage of the privacy practices of social media giants and other companies, more people now know that they have this right. More importantly, it is now unlawful to impose a fee to facilitate the request. Organisations used to be able to charge £10 for making the response, but under the GDPR the right is now "free" for people to exercise (a reasonable fee can be charged to make additional copies, but this should be only to cover administrative costs).
The GDPR has also reduced the time limit for responding—in full—to one month. This includes weekends and any holidays. If the request is particularly complex then the response can be extended by a further two months, but you will need to provide justification for why this is the case.
It is good practice to set out in a privacy notice how a subject access request can be made—but this isn't to limit the ways in which a request can be raised. It can be made informally, verbally, and to anyone who works for your organisation (even a volunteer). You should treat all such requests as binding under the right of access.
There are other important issues to think about so you can be sure you can handle the request appropriately.
You will need to be sure that the person making the request is genuinely who they say they are. If they are known to you personally and you are content that the request is not an attempt to impersonate someone else, then you shouldn't need to take any further steps. But if you have any doubts about the identity of the requestor then reasonable measures to verify the person's identity will be needed. This doesn't mean that you to have a strict process involving passports and proof of address—but how strict you are will depend on the sensitivity of the data that may be disclosed.
You will need to review the copy of the data before it is sent to the person to see if it includes information that may identify another person. A person only has the right to see data about themselves, and it would not be good data protection practice to disclose information about a third party. This doesn't necessarily mean that you can't supply the data, and you may be able to redact certain parts of it to comply with this requirement, and in some case you can in fact disclose information about a third party. Check out our full guidance (link below) if this is the case.
If the request is made by electronic means, you should supply the information electronically, unless the person states otherwise. You are permitted to ask them what format they want the copy in, but if they want their information by email, you will need to deal with that. You should supply the data you hold in an electronic format that the person would be able to use themselves, for example, in a spreadsheet. If all the data you hold is paper-based, you can scan printed documents to attach to your response.
There are few cases where you would not be required to respond to fully comply with a request.
One is if the request is "manifestly unfounded or excessive" (particularly where it is repetitive). If you decide that it is, you may have to deal with an official complaint to the Information Commissioner's Office, so be sure to seek further advice before deciding to go down this route.
Another is if the request is to see a copy of a reference that was given in confidence (e.g. for a job or volunteer placement).
The other common exception is if you think that to provide a person with a copy of their personal information would expose them—or another person—to potential harm (for example, in the case of their counselling notes). Such decisions need to be taken on a case-by-case basis, and you should seek further information about the exemption.
For additional advice and links to additional resources, please see Dealing with a Subject Access Request in NICVA's Data Protection Toolkit.