Data Protection Toolkit - Dealing with a Subject Access Request

Subject Access Requests are made by a person whose data you process to request a copy of their own information. You need to have procedures in place to be able to identify and respond to these requests within one month.

A person whose data you process has the right to receive a copy of their personal information from you, known as the 'right of access'.

A Subject Access Request (SAR) is shorthand for referring to requests for copies of personal data made under this right.

The right of access is a key right, in that it is often an entry point for data subjects to exercise their other data protection rights. Someone might request a copy of their information so that they can decide whether to make a follow-up request for the information to be deleted (the 'right to be forgotten').

It's not a new right, as it also existed under the Data Protection Act 1998. You might never have received one before, and this might continue to be the case if you hold only a limited amount of basic personal data.

You mustn't rule out ever receiving a SAR, however. It's more likely to happen now than before: the GDPR no longer allows you to charge a fee for a standard request, so a barrier for many people has been removed.

The level of media coverage of GDPR and data breaches, alongside efforts to educate the public, means that more people are now aware that they have these rights and are perhaps more willing to make use of them (this is a good thing!).

Not responding to a valid request is a serious omission and could leave you open to action from the Information Commissioner's Office—including the risk of a fine if you have failed to protect your data subjects' rights.

While there are some exemptions covering the contents of the data to be disclosed, it is only in exceptional circumstances that these can be applied. In any case, data subjects will always have the right to request the information and you have to deal with these requests.

If it's likely that you will receive requests at some point, you should write some of these procedures down for others to follow and to make the process more efficient. It also demonstrates your accountability as a controller and relates to your policies for protecting people's information and rights. You can also establish some principles to guide how you will treat and respond to requests.

You should at the very least consider how you would deal with a request and train your staff to be able to recognise one.

Our example flowchart explains the steps and decisions that may be made in handling Subject Access Requests. You need to understand what each of these decisions means before applying it to your own process.

More detail on dealing with these requests is below. We've tried to keep this to the detail needed for the most common cases, but more information is available from the Information Commissioner's Office guidance.

It's also useful to know that the same rules and procedures also apply to how the other rights, such as the right to erasure, should be handled (e.g. deadlines to respond, identity verification, request through third parties).

The controller's and processor's obligations

If you are the controller for someone's personal data it is your responsibility that requests for access are responded to and that the required information is provided to the requestor.

If you have a data processor (who processes personal data on your behalf) then they have a duty to assist you in responding, as with any other right. There should be a contract clause in place to ensure that this will be the case (Article 28(3)(e) of the GDPR).

You can't charge a fee to facilitate the request, though you can charge a reasonable fee for further copies of the information, based only on administrative costs (e.g. for time, printing and posting). The GDPR also allows a reasonable fee, or a refusal, where a request is manifestly unfounded or excessive (Article 12(5)), but you must be able to justify that decision if challenged.

You should record all requests and any decisions made about the response. This is especially important if you decide to restrict or refuse a request. Your decision-making needs to be clear, as it is possible (likely, even) that the data subject will make a complaint to the ICO about your refusal.

It's a good idea to maintain an SAR log so that requests can be recorded and you can demonstrate how you have been complying with them. You may still need to record more detail elsewhere and you should keep copies of all communication with the data subject.

Suggested information to record for each Subject Access Request you receive

Heading                    | Content
---------------------------|-------------------------------------------------------------------
Date request made          | Date
Response deadline          | Date
Status                     | In progress / Awaiting more info / Completed / Refused (note reason why)
Data subject name          | Person's name
Data subject type          | Description of person
Method of contact          | Email / Post etc.
Contact details            | Email address etc.
Proof of identity needed   | Yes / No
Identity verified          | Date identifying information received
Confirmation of processing | Date sent
Scope of request           | Data to be included, noting any exemptions or restrictions
Format of response         | Email / Post / secure online access etc.
Date response sent         | Date

Do people have to make a formal request?

No. There is no particular way in which a data subject has to make a request, in respect of the exercise of any of their data protection rights. It doesn't have to be made in writing, and they don't have to specifically refer to a 'subject access request', the 'right of access' or the GDPR, to put you under a legal obligation to treat it as a valid request.

A valid request could be made to your primary email address, or to a member of staff or even a volunteer who deals directly with the people you work with.

It would be helpful—both for you and the data subject—to explain how a person would go about making a request in your privacy notice. Many organisations use a 'dataprotection@.....' email address for this purpose.

You can create a standard form (which can also help to verify the person's identity and specify what information they are looking for) but it's not necessary to have one, and you can't require that it be used.

Verifying the person's identity

You should make sure that the person making the request for their data is who they say they are, to avoid disclosing someone's information to an impersonator.

You need only ask the person to prove their identity when you have reasonable doubts about whether they are who they purport to be. If the person making the request is well known to your organisation, you aren't required to get formal proof of identification.

  • Use only reasonable methods to determine the person's identity. Don't restrict it to only one method of identification, such as a passport.
  • If someone makes their request from an email address that you recognise from your own records, that could be relied upon as proof of identity for routine cases. Bear in mind that the sender address on an email can be forged, so where the request covers sensitive data it is safer to send the response to the address you hold on record (rather than replying to whatever address the message came from), or to ask a confirming question as well.
  • If you have information about them on record, a reasonable way to confirm their identity is to ask them a question that only they would know the answer to (e.g. their date of birth and postcode). Prefer details that can't easily be found from public sources or social media.
  • Try to avoid asking the person to send you sensitive personal information to prove their identity. This might involve you processing more sensitive data than you have bargained for, and present a risk of losing sensitive information.

If you need to ask for confirmation of identity, do so as soon as possible. The deadline for making the full response then starts from when the person provides the necessary information.

Requests made via a third party

People can make requests via a third party, such as a solicitor or family member. This may be the case where legal action is involved or the person doesn't feel capable of dealing with the request on their own.

In such circumstances you should make sure that the person acting on their behalf either has the legal authority to do so or has the permission of the data subject. You still have a responsibility to be sure of the data subject's identity.

If the request has been made by a family member who you recognise and who usually deals with you on behalf of their relative, you wouldn't be legally obliged to respond—but you can still opt to treat it as a valid request (voluntary disclosure). You can send the response directly to the data subject if you think that is more appropriate. See more about the exercise of rights through third parties in our FAQs.

When to respond by

As with all of the data protection rights, controllers must respond 'without undue delay and within one month' (Article 12(3) GDPR). Under the Data Protection Act 1998 the deadline was 40 days, so beware of this change.

So you count from the day you receive the request to the corresponding calendar date in the next month: a request received on 15 March is due on or before 15 April. (Earlier ICO guidance counted from the day after receipt, which gave 16 April; the ICO's current guidance counts from the day of receipt, so check which version you are relying on.) "Without undue delay" also means that you should respond earlier where possible.

If you're asked at the end of a month you can have a shorter amount of time to respond. Where the following month has no corresponding date, the deadline is the last day of that month, so a request made on 29, 30 or 31 January must be answered by 28 February (29 February in a leap year).

If the last day for response falls on a weekend or a public holiday, you would be expected to respond by the next working day.

If you require the person to confirm their identity, the response deadline starts from when they provided the required information.

The response time can be extended in some cases. If the request is complex (e.g. because you hold a lot of information that's difficult to locate) or the person has made a number of requests you can extend the response period by a further two months. You should let the requestor know that this is the case, and the reasons for it, as soon as possible and within the original one month timeframe.
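As an added illustration (this is not part of NICVA's guidance or procedure), the following Python works out the dates to write in a SAR log using the ICO's current counting rule: count from the day of receipt to the corresponding date in the next month, fall back to the last day of that month where there is no such date, restart the clock on the day identity information arrives, allow the two-month extension, and roll a deadline that lands on a Saturday, Sunday or public holiday forward to the next working day. The holiday list is a constructed placeholder; substitute the official list for your jurisdiction.

```python
from __future__ import annotations

import calendar
from datetime import date, timedelta


def add_months(start: date, months: int) -> date:
    """Return the corresponding calendar date `months` later.

    If the target month is shorter and has no corresponding day
    (e.g. 30 January + 1 month), use the last day of that month.
    """
    year_offset, month_index = divmod(start.month - 1 + months, 12)
    year, month = start.year + year_offset, month_index + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(d: date, holidays: frozenset[date] = frozenset()) -> date:
    """Roll a date forward past Saturdays, Sundays and listed public holidays."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def sar_deadline(
    received: date,
    identity_confirmed: date | None = None,
    extended: bool = False,
    holidays: frozenset[date] = frozenset(),
) -> date:
    """Date by which the full response must be sent.

    The clock starts on the day the request is received or, where you had to
    ask for proof of identity, on the day that information arrived. A complex
    or repeated request may be extended by two further months (three in all).
    """
    clock_start = identity_confirmed or received
    months = 3 if extended else 1
    return next_working_day(add_months(clock_start, months), holidays)


def sar_log_dates(
    received: str,
    identity_confirmed: str | None = None,
    extended: bool = False,
    holidays: tuple[str, ...] = (),
) -> dict[str, str]:
    """ISO-string wrapper producing the dates to record in the SAR log.

    'extension_notice_by' is the unextended deadline: any decision to extend
    must be communicated to the requestor within the original month.
    """
    parse = date.fromisoformat
    rec = parse(received)
    conf = parse(identity_confirmed) if identity_confirmed else None
    hol = frozenset(parse(h) for h in holidays)
    return {
        "clock_start": (conf or rec).isoformat(),
        "extension_notice_by": sar_deadline(rec, conf, False, hol).isoformat(),
        "response_deadline": sar_deadline(rec, conf, extended, hol).isoformat(),
    }


# Constructed placeholder for illustration only; verify against the official
# public holiday list for your part of the UK before relying on it.
SAMPLE_HOLIDAYS = ("2019-04-19", "2019-04-22")


if __name__ == "__main__":
    cases = [
        ("2018-03-15", None, False),          # 15 April 2018 is a Sunday -> Monday 16 April
        ("2019-01-30", None, False),          # no 30 February -> 28 February 2019
        ("2020-01-30", None, False),          # leap year: 29 Feb is a Saturday -> 2 March 2020
        ("2019-03-01", "2019-03-08", False),  # clock restarts when identity is confirmed
        ("2019-03-08", None, True),           # extended: 8 June is a Saturday -> 10 June 2019
    ]
    for received, confirmed, extended in cases:
        print(received, confirmed, extended, sar_log_dates(received, confirmed, extended, SAMPLE_HOLIDAYS))
```

Feed the result straight into the "Response deadline" column of your log, and treat `extension_notice_by` as the hard date for telling the requestor about any extension.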

Information to be included in the response

Article 15 of the GDPR specifies what you must provide to the data subject in response to their Subject Access Request.

These can be put into three groups:

  • Confirmation of processing
  • A copy of the relevant personal data, and explanatory information
  • Additional information related to the processing

In the first case you should confirm that you process information relating to the person. You can do this at the earliest point at which you have verified the request and determined that you do process some information about the person.

You then need to search for the information that you hold. If the person has specified what information they're looking for, you know that you can limit your search. In other cases, you'll have to find everything that you have that is relevant to that person.

Finally, there is some other information that you need to provide at the same time as your response:

  • The purposes of the processing
  • The types of personal data concerned
  • Information about the source(s) of the data, if not the person themselves
  • Who the data has been shared with, or will be shared with
  • How long the data will be stored for, or criteria used to determine this period
  • The existence of the data subject’s right to request that the data be corrected, deleted, restricted, and to object to the processing (see data protection rights).
  • The existence of the data subject's right to lodge a complaint with the ICO (or another European regulator if relevant). Include a link to https://ico.org.uk/make-a-complaint/
  • The existence of any automated decision-making, including profiling, if relevant.
  • The safeguards provided if any of the data is transferred to a country outside the EU or to an international organisation

This does seem like a lot of additional information to include. However, if you have a well-written Privacy Notice, then most if not all of this should already be covered there, so reuse it in your response.

How to find and provide the information

The GDPR suggests that the information be provided by 'remote access to a secure system' to give the person direct access to their own information where possible (e.g. to their user profile on your website). Unless you're particularly technical or are invested in providing services online, it's unlikely that this solution will be easy to use. But if you are designing a new online system, keep in mind that it is a beneficial practice to give users access to see and control their information (see Data protection by design and by default).

For the average charity, it's much more likely that the required information will be gathered and directly communicated to the individual in a more manual way. This is especially true if information is stored on paper records and filing cabinets.

Don't neglect emails either—if personally identifiable information has been included in emails (even internal emails) this should be included in the response.

Under the GDPR, you should be maintaining a Data Processing Register. Refer to your own register to help you to cover all of the places where personal data about the person might be kept.

Do not omit relevant information from a response because it might be inconvenient or awkward for you to share with them. Remember that this is information about them—it is essentially their data. If you fail to honour their right in this regard then you are breaking the law and could be subject to action from the regulator.

Some of the data you provide will be self-explanatory. However, in some cases it will make sense only to you. If you think that the recipient would benefit from an explanation of what the data means or how it should be interpreted, do provide it.

Information about other people

The right of access covers only the personal data of the requestor. It does not extend to information about other people, so take care not to disclose information that identifies someone else in your response.

Accidentally disclosing someone else's identifiable information in a response will probably be a breach, so review the response before it is sent.

You can redact information in a document that has to be included in the response but isn't relevant to the person. Make sure the redaction actually removes the text (not just a black box drawn over it in a PDF or word processor document), and check that hidden content such as document metadata, tracked changes or hidden spreadsheet columns doesn't still contain what you removed.

In some cases, it may not be possible to truly untangle information about the data subject where it also relates to another person. Such information should be included in the response if it does relate to the person making the request, but only where:

  • you have the consent of the other person to include the information, or
  • it would be reasonable to include the information without the consent of the other person

The simple fact that there might be identifiable information about a third party can't be used to avoid including information in a response: you do need to consider both of these options in each case.

In considering if it would be reasonable to share the information without the consent of the other person (i.e. even if they would say no), you will need to balance the right of the requestor to access their own information against the rights of the other person.

Note that references given in confidence (e.g. as part of a job application) are not covered by the right of access. See more in our FAQs.

Some principles

You may wish to establish some principles that will guide how you respond to Subject Access Requests, which can be applied to any other request made by a person exercising their data protection rights.

Below are some suggestions that NICVA applies in documenting our own SAR procedure:

  • We have a positive approach to responding to Subject Access Requests.
  • We make it easy for people to make Subject Access Requests and don’t put barriers in place to stop valid requests.
  • We will seek to respond to requests efficiently and transparently.
  • We will help data subjects who want or need help in making their request. We will help recipients understand what is in the information provided to them.
  • Where an exemption can be applied, we will treat each case on its merits and seek to disclose the information unless there is a legally-binding or overriding reason not to.

More information

Every effort is made to ensure that the contents of this document are accurate, but the advice given should not be relied on as a definitive legal statement.