Download our Subject Access Request (SAR) Factsheet here
Download Now
Alternatively, you can see the factsheet below:
Although it has always been a fundamental right for an individual to know what data is being held about them, it is almost 3 years since the Data Protection Act 2018 brought the EU’s General Data Protection Regulation (GDPR) into UK law, and it governs personal data rights, including the way data is handled and the misuse of data.
Right of access
Parts 3 and 4 of the Data Protection Act 2018 cover the ‘right of access’, commonly referred to as subject access request (SAR), but in October 2020, the Information Commissioner’s Office (ICO) updated its right of access guidance, which was aimed at data protection officers (DPOs) and those with specific data protection responsibilities in larger organisations. However, it is important, as a data controller, for you to be aware of your data protection responsibilities.
In its guidance, the ICO provide clarity on 3 common questions:
- Can the clock be stopped for clarification? In certain circumstances, the process can be paused whilst you wait for the requester to clarify their request
- What is a manifestly excessive request? This now has a broader definition
- What can be included when charging a fee for excessive, unfounded or repeat requests? There is guidance on what you can take into account if you are considering charging an admin fee
Key points about right of access
- Individuals have the right to access and receive a copy of their personal data and other supplementary information. They can make a SAR verbally or in writing, including via email, in a meeting or even on social media. A third party can also make a SAR on behalf of another person
- In most circumstances, you cannot charge a fee to deal with a request
- You should respond without delay and within one calendar month of receipt of the request, e.g. if you receive a request on Saturday 6 March, you should respond by Tuesday 6 April. You may extend the time limit by a further two months if the request is complex or if you receive several requests from the individual, but you must let the requester know there will be a delay before the end of the first calendar month
- You should perform a reasonable search for the requested information and you should provide the information in an accessible, concise and intelligible format. The information should be disclosed securely
- You can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.
Checklists
The ICO has produced useful checklists for preparing for SARs and complying with SARs, and there is a section about health data which includes information about charging a fee, exemptions, disclosure restrictions and requests for health data from a third party.
Reminders about handling SARs
- Before responding to a third-party SAR, you must be satisfied that the person or company making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of their authority to do so. You can ask for ID to be satisfied that you know the identity of the requester, or the person the request is made on behalf of
- If you are responding to a SAR for information held about a child, you must consider whether the child is mature enough to understand their rights
- If the individual makes a request electronically, you should provide the information in a commonly used electronic format, unless they request otherwise, and consider whether they can access the data you provide in that format, i.e. in an accessible standard. It is good practice to establish the individual’s preferred format prior to fulfilling their request. However, where appropriate and if possible, you may allow them to access their data remotely and download a copy in an appropriate format
- You can ask the individual to specify the data they want to access, although they can request further data at a later date if it has not already been provided
- If the data requested has already been deleted, there is nothing to disclose, but it is illegal to delete or alter data following a SAR
- You don’t need to disclose an entire document if you can extract the required data from it, and you must redact personal data which would identify another person, unless you have their consent
- The standard to refuse a SAR is high, so you will most likely have to comply. However, there are exemptions where you can refuse to comply with a request to protect the rights of others, including confidential references you have received. Therefore, an employee would need to submit the SAR to the person or organisation who created the confidential reference
6 important actions you should take are:
- Carry out a data audit – review the data you hold, why you hold it, anonymise it if necessary and delete it if it is no longer required
- Review staff data – it isn’t just about patient or service user data, so check personnel files, minutes of meetings, performance reviews, emails, etc.
- Check your retention periods – only keep data for as long as it is needed, but long enough for you to defend a claim made against you
- Ensure you and your staff understand what ‘deleted’ means:
- Data deletion is when data is removed and is no longer available in plain sight or can easily be recovered, e.g. from your email recycle bin
- Data destruction is when data is removed from your device and can never be restored, even by professional data recovery experts
- Review your ‘archived’ data – it is not exempt, even if it is more difficult to retrieve
- Keep on top of data housekeeping – this will make it easier for you to manage any SARs
Finally, if you have done everything that you are supposed to do in response to a SAR, it is unlikely to be challenged by the ICO.
