UK General Data Protection Regulation (UK GDPR)
Dealing with subject access requests under the UK GDPR
Subject access is a fundamental right of individuals under the UK General Data Protection Regulation (UK GDPR). Whatever business you're in, if you hold or process personal data, you may have to respond to a request at some point.
What is a subject access request (SAR)?
A subject access request is the right of an individual to request a copy of any personal information you may hold on them. A request:
- can be made verbally or in writing
- can be submitted by any means, e.g. via web form, email, letter, phone call, etc.
- can be made to any part of your business, not just a specific department
- doesn't have to explicitly state the phrase 'subject access request', but has to be clear that the individual is requesting their own personal data
The UK GDPR doesn't stipulate what makes a request valid. It also doesn't require you to have a standardised form for SARs, although it recommends that individuals should be able to make requests to you electronically.
Who can request personal information?
Individuals will only be able to request access to their own personal data, unless:
- they are authorised to act on behalf of someone
- the data that relates to another person also happens to relate to them
Under the UK GDPR, you can ask individuals to provide proof of identity before you comply with their request. This helps avoid third parties gaining unlawful access to personal data. You should only ask for the minimum information necessary to confirm who they are.
You may not have to comply with certain rights of data subjects if you cannot identify which data in your possession relates to the relevant data subject.
What should be provided as part of a subject access request?
Data subjects are entitled to receive:
- confirmation of whether you are processing their data
- a copy of their personal data
- other supplementary information (including mandatory privacy information)
Before responding to any request, you should establish if the information requested falls within the definition of personal data.
How should you respond to a subject access request?
To comply with subject access requests, you have to:
- respond to a request without undue delay and within one month of receipt
- give information in a concise, transparent, intelligible and easily accessible form
- use clear and plain language, especially if you are disclosing information to a child
- respond electronically, if the request was made by the same means - unless asked otherwise
You could consider providing data subjects remote access to a secure self-service system, which would give them direct access to their information - eg allow employees to access their own personal data held on a secure HR system.
How long do I have to comply with a SAR?
In most cases, you have one calendar month from receiving the request to comply with a subject access request. If you fail to meet this deadline, the individual who made the request may complain to the Information Commissioner's Office.
You can extend the timescale to respond by a further two months if the request is complex or you have received a number of requests from the individual.
Seeking more information
If you process a large amount of information about an individual, you can ask them to clarify their request. Let them know as soon as possible if you need more information. In this case, the one-month period for responding to the request begins when you receive the additional information.
If you request information to verify an individual's identity, the timescale for responding to a subject access request does not begin until you have received the requested information.
Can you charge for subject access requests?
In most cases, you cannot charge a fee to comply with a subject access request. However, you may charge a 'reasonable fee' for the administrative costs of complying with the request:
- if the request is manifestly unfounded or excessive
- if an individual requests further copies of their data following a request
Can I refuse a subject access request?
In some cases, you may be able to refuse to grant an access request, for example if you receive a request for information that contains the personal data of more than one individual.
Where possible, you should comply with the request without disclosing information that identifies another individual. If this is not possible, you do not have to comply with the request unless the other individual consents to the disclosure, or it is reasonable to comply with the request without that individual's consent.
You may also be able to refuse to grant an access request if you deem it manifestly unfounded or excessive. However, you will need to have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria.
Find further information on subject access requests.
This guide does not constitute legal advice and is provided for general information purposes only.
ICO Helpline: 0303 123 1113