- Organisation knows how to recognise a subject access request and understand when the right of access applies.
- Organisation has a policy for how to record requests they receive verbally.
- Organisation understand when they can refuse a request and are aware of the information we need to provide to individuals when we do so.
- Organisation understand the nature of the supplementary information we need to provide in response to a subject access request.
- Organisation has processes in place to ensure that we respond to a subject access request without undue delay and within one month of receipt.
- Organisation are aware of the circumstances when they can extend the time limit to respond to a request.
- Organisation understand that there is a particular emphasis on using clear and plain language if we are disclosing information to a child.
- Organisation understand what they need to consider if a request includes information about others.
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why they are using their data, and check they are doing it lawfully.
Individuals have the right to obtain the following from the company/organisation:
An individual is only entitled to their own personal data, and not to information relating to other people (unless the information is also about them or they are acting on behalf of someone). Therefore, it is important that they establish whether the information requested falls within the definition of personal data. For further information about the definition of personal data please see the ICO website: key definitions guidance.
In addition to a copy of their personal data, they also have to provide individuals with the following information:
The organisation may be providing much of this information already in their privacy notice.
The GDPR does not specify how to make a valid request. Therefore, an individual can make a subject access request to them verbally or in writing. It can also be made to any part of their organisation (including by social media) and does not have to be to a specific person or contact point.
A request does not have to include the phrase 'subject access request' or Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data.
This presents a challenge as any of their employees could receive a valid request. However, they have a legal responsibility to identify that an individual has made a request to them and handle it accordingly. Therefore they may need to consider which of their staff who regularly interact with individuals may need specific training to identify a request.
Additionally, it is good practice to have a policy for recording details of the requests they receive, particularly those made by telephone or in person. They may wish to check with the requester that they have understood their request, as this can help avoid later disputes about how they have interpreted the request. We also recommend that they keep a log of verbal requests.
Standard forms can make it easier both for them to recognise a subject access request and for the individual to include all the details they might need to locate the information they want.
Recital 59 of the GDPR recommends that organisations ‘provide means for requests to be made electronically, especially where personal data are processed by electronic means’. They should therefore consider designing a subject access form that individuals can complete and submit to them electronically.
However, even if they have a form, they should note that a subject access request is valid if it is submitted by any means, so they will still need to comply with any requests they receive in a letter, a standard email or verbally.
Therefore, although they may invite individuals to use a form, they must make it clear that it is not compulsory and do not try to use this as a way of extending the one month time limit for responding.
If an individual makes a request electronically, they should provide the information in a commonly used electronic format, unless the individual requests otherwise.
The GDPR includes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information (Recital 63). This will not be appropriate for all organisations, but there are some sectors where this may work well.
However, providing remote access should not adversely affect the rights and freedoms of others – including trade secrets or intellectual property.
It is our view that a subject access request relates to the data held at the time the request was received. However, in many cases, routine use of the data may result in it being amended or even deleted while they are dealing with the request. So it would be reasonable for 3 to supply information you hold when you send out a response, even if this is different to that held when you received the request.
However, it is not acceptable to amend or delete the data if you would not otherwise have done so. Under the DP Bill, it is an offence to make any amendment with the intention of preventing its disclosure.
The GDPR requires that the information you provide to an individual is in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This will be particularly important where the information is addressed to a child.
At its most basic, this means that the additional information you provide in response to a request (see the ‘Other information’ section above) should be capable of being understood by the average person (or child). However, you are not required to ensure that that the information is provided in a form that can be understood by the particular individual making the request.
For further information about requests made by a child please see the ‘What about requests for information about children?’ section below.
You receive a subject access request from someone whose English comprehension skills are quite poor. You send a response and they ask you to translate the information you sent them. You are not required to do this even if the person who receives it cannot understand all of it because it can be understood by the average person. However, it is good practice for you to help individuals understand the information you hold about them.
Organisations must act on the subject access request without undue delay and at the latest within one month of receipt.
They should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.
If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.
If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond.
This means that the exact number of days you have to comply with a request varies, depending on the month in which the request was made.
For practical purposes, if a consistent number of days is required (eg for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.
They can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. You must let the individual know within one month of receiving their request and explain why the extension is necessary.
However, it is the ICO's view that it is unlikely to be reasonable to extend the time limit if:
If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality.
You need to let the individual know as soon as possible that you need more information from them to confirm their identity before responding to their request. The period for responding to the request begins when you receive the additional information.
If you process a large amount of information about an individual you can ask them for more information to clarify their request. You should only ask for information that you reasonably need to find the personal data covered by the request.
You need to let the individual know as soon as possible that you need more information from them before responding to their request. The period for responding to the request begins when you receive the additional information. However, if an individual refuses to provide any additional information, you must still endeavour to comply with their request ie by making reasonable searches for the information covered by the request.
The GDPR does not prevent an individual making a subject access request via a third party. Often, this will be a solicitor acting on behalf of a client, but it could simply be that an individual feels comfortable allowing someone else to act for them. In these cases, you need to be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney.
If you think an individual may not understand what information would be disclosed to a third party who has made a subject access request on their behalf, you may send the response directly to the individual rather than to the third party. The individual may then choose to share the information with the third party after having had a chance to review it.
There are cases where an individual does not have the mental capacity to manage their own affairs. Although there are no specific provisions in the GDPR, the Mental Capacity Act 2005 or in the Adults with Incapacity (Scotland) Act 2000 enabling a third party to exercise subject access rights on behalf of such an individual, it is reasonable to assume that an attorney with authority to manage the property and affairs of an individual will have the appropriate authority. The same applies to a person appointed to make decisions about such matters:
Responsibility for complying with a subject access request lies with the controller. You need to ensure that you have contractual arrangements in place to guarantee that subject access requests are dealt with properly, irrespective of whether they are sent to you or to the processor. More information about contracts and liabilities between controllers and processors can be found here.
You are not able to extend the one month time limit on the basis that you have to rely on a processor to provide the information that you need to respond. As mentioned above, you can only extend the time limit by two months if the request is complex or you have received a number of requests from the individual.
The organisation can refuse to comply with a subject access request if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
If you consider that a request is manifestly unfounded or excessive you can:
In either case the organisation needs to justify their decision.
They should base the reasonable fee on the administrative costs of complying with the request. If you decide to charge a fee you should contact the individual promptly and inform them. You do not need to comply with the request until you have received the fee.
They must inform the individual without undue delay and within one month of receipt of the request.
They should inform the individual about:
They should also provide this information if you request a reasonable fee or need additional information to identify the individual.