Subject access requests

The Information Commissioner has published a new Code of Practice for dealing with requests from individuals for personal information under the Data Protection Act 1998 (the Act).

Subject access requests are most often used by individuals who want to see a copy of the information an organisation holds about them.

The Code clarifies what data controllers must do in order to comply with their duties when subject access requests are made.

Employers should bear in mind the following when dealing with subject access requests:

  • Subject access requests must be made in writing. Standard forms can make it easier for you to recognise a subject access request.  However, there is no legally prescribed request form.  The Code of Practice states that individuals may be able to make subject access requests using social media pages such as Facebook.
  • Data controllers must comply with a subject access request promptly and in any event within 40 calendar days of the date on which the request is received  or (if later) the day on which you receive:
    • the requested £10 fee;
    • any requested location information (see chapter 6 of the Code of Practice for further details); and
    • any information requested to confirm the requester’s identity.

An individual is entitled to be:

  • told whether any personal data is being processed;
  • given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
  • given a copy of the personal data; and
  • given details of the source of the data (where this is available).

Some types of personal data are exempt from the right of subject access and so cannot be obtained by making a subject access request. Information may be exempt because of its nature or because of the effect its disclosure is likely to have. Further details in relation to exemptions can be found in the Code of Practice.

The Information Commissioner has the power to impose a financial penalty on an organisation if he is satisfied that the organisation has committed a serious breach of the Data Protection Act that is likely to cause substantial damage or distress. He may also serve an enforcement notice requiring a specific organisation to comply with its obligations.  Failure to comply with an enforcement notice is a criminal offence.

Our view:

It is important that all correspondence and company websites are monitored and checked regularly in order to ensure no subject access requests are missed.  This is particularly relevant during holiday season when members of staff may be away from the office and so unable to open their post for a number of weeks.