You have the right to request a copy of personal information that you believe an organisation is holding about you. This is known as a subject access request (SAR). It is important to ensure that the scope of your request is well considered, so that you receive the data you are looking for. There are also circumstances in which an organisation can refuse to comply with your SAR. Follow these tips to increase your chances of receiving a prompt response to your SAR and the information you are looking for.
Make sure your request is in the right form. It must be in writing, and you can be asked to provide identification and a £10 fee. Plan ahead and ensure that you have all the information you need to make the request. Some organisations require you to fill in a specific form – you do not have to do this, but it may slow the response down if you do not.
Be realistic about what you might receive in response. A SAR is a request for personal data, which means that it must relate to you and you must be identifiable from it. Remember that you are not entitled to other people’s personal data (except in certain circumstances) or even the full document that your personal data is contained in. Craft the scope of the SAR with this in mind.
Be helpful. Although the organisation cannot require you to narrow your request, it does not have to comply with the SAR until it has received the information that it reasonably requires in order to locate the information sought. If you can, give clear information to help the organisation locate the information you require. For example, where is the information likely to be located and are there any particular key words that you believe should be searched? This will make it more difficult for the organisation to delay the start of the 40-day deadline to respond to your SAR.
Be careful what you ask for. If you make a wide request, this should result in the organisation undertaking a thorough search. This could mean that you receive a large amount of data to review, which may or may not be desirable. Be prepared for the organisation to review all your personal data, including your emails.
Who is the relevant data controller? Make sure you are making the SAR to the right organisation. Who determines the purposes for which, and the manner in which, any personal data is processed? You may need to make more than one request. This is particularly the case with big groups of companies. If in doubt, say so and make SARs of all the potential data controllers.
Keep good records. Make sure to keep records of all correspondence and of the 40-day deadline for the organisation to comply with your request. This will be helpful should there be a dispute about the organisation’s compliance in the future.
You are entitled to more than just your personal data. You are entitled to a description of the data held about you and the purpose for which it is held. Organisations often forget the latter, but this can be a useful source of information.
What if they withhold information? If you believe the organisation has withheld information, it is recommended that you contact them in the first instance and remind them of their obligations. If they have withheld information from you, then they should have told you which exemption (if any) they are relying upon.
Remember the Information Commissioner’s Office. If you do not receive a response to the above from the organisation, or if you believe the organisation is still withholding some of your personal information, then you can report your concern to the ICO.
Do not forget other options. SARs are often used when there is an on-going or potential dispute between the parties. If the SAR does not provide you with the information you require, other options, for example, pre-action disclosure, may do.
Important note - Since this blog was published, the General Data Protection Regulation (‘GDPR’) has come into force and the content of this blog has not been updated to reflect the new regime.