An introduction to subject access rights

November 2013

The right for individuals to gain access to personal information that organisations hold about them is a core requirement of most data protection laws. By exercising this right, individuals are able to check if data held about themselves is correct and whether it is being handled in accordance with the wider data protection rules. This then opens the door for people to exercise further rights, such as getting inaccurate data about them corrected or erased.  

Subject access rights in Europe are defined by the EC Data Protection Directive (95/46/EC) and are ratified into the laws of the different EU member countries.  While the basic access right is broadly consistent, the detail around the formalities of responding can vary from country to country.  In the UK, the Data Protection Act 1998 (DPA) gives effect to the Directive and this overview considers the approach to subject access requests from a UK law perspective.

What is a data subject access request?

Individuals (usually referred to as "data subjects") have a right to be informed by an organisation whether or not it is processing personal data that relates to them and, if so, to be told:

  • what data it is processing;
  • what it is using the data for;
  • who it is disclosing the data to; and
  • the extent to which it is using the data for the purpose of making automated decisions relating to the data subject and, if so, what logic is being used for that purpose.

There is also a requirement to provide, in an intelligible form, copies of the data and any information held about the sources of the data.  In most cases, this is likely to involve providing hard copies of all relevant data.

Formalities

The request has to be made in writing (which includes a request made by email and by fax).  It does not have to refer to the DPA, nor does it have to be labelled as a 'subject access request'.  It would be sufficient for the requestor to demand to be told what information is held about them by the organisation.  In the UK it is permitted to charge a fee of up to £10 for complying with the request although different fee limits apply where the personal data that is requested relates to health or educational records or credit files.

When a person makes a subject access request, the request has to provide the organisation with such information as it may reasonably require to enable it to:

  • confirm the identity of the data subject (this is also very important in avoiding claims from the real data subject in the case of requests that are not bona fide); and
  • locate the information to which he or she is seeking access.

There is a time limit of 40 calendar days to respond to the request.  The 40-day period starts to run from the point at which the organisation receives the fee and the necessary information referred to above.  If not all of this information is provided then the organisation is permitted to request it, and the time for responding to the request does not start to run until the information concerned is provided.

Whether or not sufficient information is provided depends on the circumstances.  For example, if a limited amount of data is held about an individual, it may well be reasonable for the individual simply to ask for all of the personal data held relating to him or her.  Conversely, if a significant amount or a wide variety of data is held so as to make it difficult to locate all of the data relating to a particular individual, it may be reasonable to require the individual to be more specific about the data he or she is seeking.

Some organisations use a subject access form to help collect the information they need to process a subject access request.  However, it is important to be careful about asking an individual to narrow down the scope of his or her request.  This should only be done when it would be unreasonably difficult to locate the data covered by the request without some additional information.  It is also not possible to insist that a person complete a chosen subject access model form if they choose not to.

Note that if there are any parts of the request that can be complied with without further information, then those parts should be handled without delay and only those parts of the request in relation to which further information is required should be held up in order to locate the relevant data.

What data in particular is covered by the request?

The request covers personal data that relates to the data subject and that is being processed by the data controller or someone else on its behalf.

"Data" for these purposes means any data that:

  • is processed automatically (i.e. is stored or processed in electronic form);
  • is held with the intention of processing automatically (i.e. is presently in hard copy form with the intention that it be transferred to electronic form at some point);
  • is held in a "relevant filing system", which is a hard-copy filing system that is structured by reference to individuals or criteria relating to individuals and so that information relating to a specific individual is readily accessible; or
  • falls into a few special categories, such as medical records.

So, a subject access request can relate to any personal data held on computer (for example e-mails to or from the data subject or between other individuals) including backups, any data held in hard copy where it is intended to transfer that data to computer and any data held in hard copy in such a way that it is very easy to locate data relevant to a particular individual (for example, a personnel file).

Key issues to consider are whether "personal data" is held about the data subject and, to the extent that hard copy records are held that include information about individuals, the extent to which those records can be considered to be a "relevant filing system".

Exclusions from data subject access

There are a number of specific circumstances in which, even if data is held relating to an individual, it may not be necessary to have to provide access to it (or part of it).  There are quite a few of these but the ones that are most frequently relevant are:

  • data that is subject to legal professional privilege (for example, that is contained in letters or e-mails between the data controller and its lawyers for the purpose of asking for or getting legal advice);
  • data that is held with other data relating to different individuals so that it is impossible to disclose the data without also disclosing the data relating to the other individuals.

The second exclusion is not a true exemption as such.  The DPA sets out some rules to follow in the situation where, in order to comply with a particular subject access request, an organisation would have to disclose data that relates to someone other than the person making the request.  An example would be where the data shows the other person as being the source of the information, such as in an e-mail or a note on a personnel file.  In that case, it can be possible to refuse to provide this data in responding to the request unless:

  • the other person has consented to the disclosure of the data;
  • it is reasonable in all the circumstances to comply with the request without the consent of the other person; or
  • it is possible to disclose some of the data sought without identifying the other person, such as by blocking out names (in which case only the data that has been successfully anonymised need be supplied).

In deciding whether it is reasonable in all the circumstances to comply with the request without the consent of the other person, account should be taken of:

  • any duty of confidentiality owed to the other person (for example, if they gave a confidential reference relating to the data subject);
  • any steps that the organisation has taken to try and get the consent of the other person;
  • whether the other person is capable of giving consent; and
  • any express refusal of consent by the other person.

The provisions relating to each of these exemptions are quite detailed and generally need specific consideration of their application to particular circumstances.  There are also other exemptions that may be relevant, for example:

  • if the data relates to the investigation of an actual or alleged criminal offence;
  • if the same individual has made a recent identical or similar subject access request;
  • if the data is held for the purposes of journalism; or
  • if the data is held for the purpose of "management forecasts".

There is also no obligation to provide personal data which amounts to a confidential reference an organisation has given for the purposes of education, employment or appointment of the data subject.  It is worth noting, however, that this exemption applies only to references that are given by the organisation, not to those that are received from third parties.

Again, the application of these exemptions needs to be carefully looked at before they can be relied upon.

What practical steps should you take in response to a request?

To summarise, the key steps are as follows:

  • Check that the request is in writing.  You should not comply with an oral request but should ask instead for it to be put in writing.
  • Check that you have the correct fee.  If no fee is paid, you are entitled to request it before you proceed (although you can waive the requirement for a fee if you wish).  Of course you may not always wish to charge a fee.
  • Check that the request provides enough information for you to be able to verify the identity of the person making it.  If insufficient information is provided, you should ask for more.  As explained above, this is important to protect yourself from liability to the true data subject in the case of requests made by impostors.
  • Check that the request provides as much information as is reasonably required to enable you to locate the data relating to the data subject.  If, for a good reason, you need some more information in order to locate the data that is being sought, then you can go back and ask for it.  If you can find some data easily but need more information to find other data, deal with the parts of the request that you can easily deal with and ask for further information in relation to the rest.
  • Send an initial response to confirm receipt of the request and to indicate the time within which you will be responding fully.  This is not obligatory, but is good practice and can help prevent disputes later.
  • Locate the relevant data.  One step will be to locate all data relating to the individual that is held on computer.  So, for example, you will need to look for all e-mails and documents that relate to that individual.  Another necessary step is to locate all hard-copy files that are structured by reference to individuals or criteria relating to individuals.  Consider also personal data held in the form of voice recordings, photographs or CCTV images.
  • Backup data.  This is also covered and you need to check it in the same way as data stored on live systems unless it would involve disproportionate effort to do so.  This is not usually going to be the case, but it depends on the nature of your backup arrangements and how easy (or otherwise) it is to locate and access specific files on backups.
  • Data processors.  Do not forget to check with any person processing data on your behalf (for example, an external payroll bureau or recruitment agency) if this is relevant.  You are treated as if you were processing such data yourself for the purposes of complying with a subject access request.
  • Check to see whether or not the exemptions apply to any of the data.  For example:
    • Is any of the data correspondence between you and your lawyers for the purposes of getting or being given legal advice?
    • Is any of the data inextricably mixed up with data relating to other individuals?  If so, would it be reasonable to disclose the data concerned?
    • Does any of the data relate to management planning and, if it does, would disclosing it cause a serious problem with that planning?

You need to consider this aspect carefully and, where appropriate, get some advice to make sure that any exemptions you wish to rely on are validly claimed.  If you are relying on the "third party data" exemption, then before doing so you may need to check with all of the relevant individuals to see if they will consent to the data being disclosed anyway.

  • Respond to the request.  You should answer the questions referred to earlier in this summary and provide copies of the relevant data.  Where you are relying on exemptions you should explain clearly what these are, why they apply and (in general terms) what data they apply to.
  • Be seen to act reasonably.  It is important, in order to protect yourself in the event of the Information Commissioner becoming involved (see below), to be able to show that you acted reasonably in dealing with the request.  Keep records of all correspondence with the individual concerned and, where relevant, any other documents relevant to your handling of the request and the response you provided to the individual.

What happens if you do not comply properly with a request?

The data subject is likely to make a complaint to the Office of the Information Commissioner (ICO) if he or she believes that an organisation has not properly complied with a subject access request.  In that case, the ICO will investigate and may require that steps are taken to remedy any breach.  Ultimately the ICO could seek formal undertakings of future compliance, serve an enforcement notice requiring certain steps to effect compliance or issue a monetary penalty of up to £500,000.

In addition, if data subjects suffer any damage (or, in some cases, distress) as a result of any failure to comply, then they are entitled to seek damages through the courts to compensate them. They can also challenge a decision by an organisation not to provide access to their data through the courts.

Sally Annereau

Sally provides an overview of subject access rights and the formalities of responding to a subject access request.