Subject Access Request Procedure
Updated: 24th January 2019
Procedure for Subject Access Request
Background
The right of subject access is most often used by individuals who want to see a copy of the information an organisation holds about them. However, the right of access goes further than this, and an individual who makes a written request and pays a fee is entitled to be:
- told whether any personal data is being processed;
- given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
- given a copy of the information comprising the data; and
- given details of the source of the data (where this is available).
In most cases, we will respond to a subject access request promptly and in any event within 40 calendar days of receiving it.
Most organisations that process personal data must notify the ICO of certain details about that processing. Some types of personal data are exempt from the right of subject access and so cannot be obtained by making a subject access request. The Act provides exemptions from notification for:
- organisations that process personal data only for:
  - staff administration (including payroll);
  - advertising, marketing and public relations (in connection with their own business activity); and
  - accounts and records;
- some not-for-profit organisations;
- organisations that process personal data only for maintaining a public register;
- organisations that do not process personal information on computer.
Various exemptions from the right of subject access apply in certain circumstances or to certain types of personal data (see https://ico.org.uk/for-organisations/guide-to-data-protection/exemptions).
Valid subject access requests?
For a subject access request to be valid, it should be made in writing, by email, fax, hard copy or on social media. If a disabled person finds it impossible or unreasonably difficult to make a subject access request in writing, we will make a reasonable adjustment for them under the Equality Act 2010 (in Northern Ireland this falls under the Disability Discrimination Act 1995).
If a request does not mention the Act specifically or even say that it is a subject access request, it is nevertheless valid and should be treated as such if it is clear that the individual is asking for their own personal data.
Fee for dealing with a subject access request?
The Brazelton Centre UK will not charge a fee for subject access requests.
Can we ask for more information before responding to a subject access request?
First, we will ask for enough information to judge whether the person making the request is the individual to whom the personal data relates.
The second thing we will ask for is information that we need to find the personal data covered by the request.
What about requests for information about children?
Even if a child is too young to understand the implications of subject access rights, data about them is still their personal data and does not belong, for example, to a parent or guardian.
So it is the child who has a right of access to the information held about them, even though in the case of young children these rights are likely to be exercised by those with parental responsibility for them.
What should I do if the data includes information about other people?
Responding to a subject access request may involve providing information that relates both to the individual making the request and to another individual. The Act says we do not have to comply with the request if to do so would mean disclosing information about another individual who can be identified from that information, except where:
- the other individual has consented to the disclosure; or
- it is reasonable in all the circumstances to comply with the request without that individual’s consent.
So, although we may sometimes be able to disclose information relating to a third party, we will decide whether it is appropriate to do so in each case.
The Procedure for Handling Subject Access Requests
Is this a subject access request?
Any written enquiry that asks for information you hold about the person making the request can be construed as a subject access request, but in many cases there will be no need to treat it as such.
- Would you usually deal with the request in the normal course of business? If so, do so – promptly.
- If you are in any doubt how to respond, go back to the individual or their representative and clarify the situation.
Do you have enough information to be sure of the requester’s identity? Key points to consider:
- Often you will have no reason to doubt a person’s identity.
- If a person with whom you have regular contact sends a letter from their known address it may be safe to assume that they are who they say they are.
- If you have good cause to doubt the requester’s identity you can ask them to provide any evidence you reasonably need to confirm it.
Do you need any other information to find the records they want?
- You will need to ask the individual promptly for any other information you reasonably need to find the records they want.
- You might want to ask them to narrow down their request. For example, if you keep all your patients’ information on one computer system and your suppliers’ information on another, you could ask what relationship they had with you. Or, you could ask when they had dealings with you.
- You have 40 calendar days to respond to a subject access request after receiving any further information you need and any fee you decide to charge. Our procedure is to respond within one month.
Are you going to charge a fee?
- We will not charge a fee for subject access requests.
Do you hold any information about the person?
- If you hold no personal information at all about the individual you must tell them this.
- Remember, if you outsource data processing, subject access requests may be sent to a third party. Make sure suppliers are fully aware of their obligations and are trained in handling requests.
Will the information be changed between receiving the request and sending the response?
- You can still make routine amendments and deletions to personal information after receiving a request. However, you must not make any changes to the records as a result of receiving the request, even if you find inaccurate or embarrassing information on the record.
Does it include any information about other people?
- You will not have to supply the information unless the other people mentioned have given their consent, or it is reasonable to supply the information without their consent.
- Even when the other person’s information should not be disclosed, you should still supply as much as possible by editing the references to other people. Visit www.ico.gov.uk for more detailed guidance.
Are you obliged to supply the information?
- There may be circumstances in which you are not obliged to supply certain information. Visit www.ico.gov.uk for further information regarding exemptions.
- If all the information you hold about the requester is exempt, then you can reply stating that you do not hold any of their personal information that you are required to reveal.
Does it include any complex terms or codes?
- The information you hold may include abbreviations, codes or technical terms that the individual will not understand. You must make sure that these are explained so the information can be understood.
Prepare the response
- A copy of the information should be supplied in a permanent form except where the individual agrees or where it is impossible or would involve undue effort. This could include very significant cost or time taken to provide the information in hard copy form.
- An alternative would be to allow the individual to view the information on screen.
For more detailed guidance on responding to subject access requests, visit www.ico.gov.uk or call the ICO helpline on 0303 123 1113.
Subject access requests – a step by step guide through the process:
We must document all subject access requests in the Brazelton Centre UK Data Request Record Form.