Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA), individuals can make data protection requests to businesses and other organisations in relation to any personal data the organisation holds about them.
What is personal data?
Personal data is information (held electronically or physically) relating to a living individual who can be identified, directly or indirectly, from that data, whether on its own or combined with other information the organisation holds. Examples of personal data include:
- addresses (including email addresses)
- telephone numbers
- dates of birth
- job titles
- online identifiers (eg IP addresses)
There is a further ‘special category’ of personal data (often called ‘sensitive data’) which is given higher protection than other personal data and includes information on:
- racial or ethnic origin
- political opinions
- religious or similar beliefs
- trade union membership
- physical or mental health or condition
- sexual life or sexual orientation
- genetic data and biometric data (eg fingerprint data/facial images) where used to identify someone
Find out more about personal data and data protection.
What rights do individuals have?
Individuals have a number of rights relating to the personal data held about them, including:
- the right to access their data and be informed about how their data is being processed by making a subject access request (SAR)
- the right to have their data rectified if it’s inaccurate or incomplete
- the right to object to the processing of their personal data, and
- the right to have their data erased in certain circumstances
For more information, read Data protection requests.
What is a subject access request?
A subject access request (also known as a ‘data subject access request’, ‘SAR’ or ‘DSAR’) is a written request to a business or organisation asking for access to the personal information it holds on the individual making the SAR. SARs can be made to find out a variety of things, including:
- details of the personal data that is being processed (ie a copy of the data)
- the reasons why this data is being processed
- how this data was sourced (if available)
- which other organisations or individuals have access to the data
SARs do not need to be made using a standard form but it is recommended that they are made in writing (rather than verbally) to have a record of the request.
A written request can be sent to the organisation in several ways, including by post, email or over social media (eg to the organisation’s dedicated Facebook page or Twitter account). Whether the request is written or verbal, an organisation may ask for proof of identity before responding if it has reasonable doubts about who is making the request (ie it needs to be satisfied that the person making the request is the person to whom the personal data relates).
If an individual wishes to access the personal information held on them, they can make a Data subject access request.
Read Making data subject access requests for more information on SARs.
What happens after a SAR is made?
When an organisation receives a SAR, it typically has one month to respond. The one-month period runs from the date the request is received or, where the organisation reasonably requires proof of identity, from the date that proof is provided. The period may be extended by up to a further two months where requests are complex or numerous, in which case the organisation should tell the individual within the first month.
When an organisation responds to a SAR, it will typically set out whether the personal data is being processed and, if it is, provide copies of the personal data. The organisation should also state:
- what the information is being used for
- who the information is shared with
- how long they’ll store the information for and how this was decided
- where the information was obtained from
- if the information is used for profiling or automated decision-making and, if so, how this is done
- details on the right to challenge the accuracy of the information, to have it deleted, or to object to its use
- details on the right to complain to the Information Commissioner’s Office (ICO)
- what safeguards (eg security measures) are in place, if the information has been transferred to a third country or an international organisation
Individuals will not always receive all the information they’ve requested. Depending on the specific situation, an individual may only receive part of the information they requested or the organisation may not provide them with any personal information. This may be the case where the type of information requested is not covered by a SAR (eg information about a deceased relative’s medical records) or certain exemptions apply (eg it could threaten freedom of expression in journalism, art and literature). See Data protection requests for more information.
Can organisations charge a fee?
In most cases, organisations must comply with SARs free of charge. However, a reasonable fee may be charged in certain circumstances, for example, if the request is manifestly unfounded or excessive (eg it was made solely to harass or disrupt the organisation) or where the individual asks for additional copies of the information after a request has already been answered.
Any fee charged by an organisation should be reasonable and proportionate and organisations should ensure that any fees are charged in a consistent manner, relying on an unbiased set of criteria. Such criteria should be clear and easily accessible, setting out:
- when fees are charged
- the standard charges (including a costs breakdown where possible, eg cost per photocopy)
- how fees are calculated (explaining the costs taken into account including the costs of staff time)
What if an organisation doesn’t respond to a SAR?
If an organisation fails to respond to a SAR within the required timeframe, the individual making the request should follow up with the organisation. Where possible, this should be done in writing.
If the organisation does not respond to such a follow-up complaint or does not respond in a satisfactory manner, a complaint can be made to the ICO. This should generally be done within three months of the last contact with the organisation.
Individuals can also consider enforcing such a data request through the courts. Due to the complexity and cost of court proceedings, legal advice should be sought.
If you have any questions about data protection and subject access requests, Ask a lawyer.