A subject access request is a request by an individual to access their personal information held by any data controller. This can be an employer or a company that holds their personal information because they provide a service to them. Someone has the right to be told whether or not personal data is being processed about them and, if it is, there’s a long list of information they should be told.
The process a business should follow if someone makes a subject access request is as follows…
Firstly, the business should always check the identity of the person making the request to make sure that it isn’t someone trying to commit fraud. If it’s an employee or someone the business knows personally, you can speak to them to check that the request came from them. Otherwise, you can ask for ID, such as a passport, driver’s licence or copy of a bill, to check that the request is legitimate.
Secondly, businesses should make sure to diarise the key dates. Since the introduction of the GDPR you have one month to process the request. This can be extended by a further two months if the request is particularly large or complex.
Thirdly, always check that the subject access request makes sense and that you understand what the person is asking for. If not, you can go back to clarify the request and ask for more information. The clock stops while you’re waiting to hear back from the person, which can be helpful when the request is very big.
Once the business knows what is being asked for, it must make reasonable efforts to find the information requested. It doesn’t have to conduct searches that would be unreasonable or disproportionate, but it will need to explain what searches it has done and why. This might involve searching servers, databases, email folders and paper filing systems.
Normally a business can’t charge someone for making a subject access request. The only time it can charge is if the request is manifestly unfounded or excessive, in which case a reasonable fee can be charged or the company can refuse to process the request.
The business doesn’t have to send the individual everything it finds. Once the company has found all the documents containing the personal information requested, someone needs to go through them and identify any that don’t need to be disclosed. There is a long list, but some of the most common are documents which also identify other people, documents covered by legal professional privilege, references, documents for the purposes of management forecasting or business planning which would prejudice the business if the information got out (for example, a planned redundancy programme), and documents about negotiations between the parties which could cause problems in those negotiations if they were shared.
Finally, the letter to the person is an important part of the process. The GDPR sets out what has to be in the letter, and a copy of the documents has to be sent with it. The letter should tell the person why the personal data is being processed, what’s being processed, how long the data is being kept for and whether it’s being passed to any third parties.
If the person doesn’t think the company has complied with the process properly, they can complain to the ICO. This could lead to an investigation, and if there are any potential issues with data protection in the company, or the right documents aren’t in place, it could lead to a wider review and fines.
Andrew Willshire is an employment law expert at Paris Smith solicitors