SARs must be made in writing by letter, email, fax or social media.

It might be reasonable to respond to a request made verbally, depending on the circumstances, so long as we are sure of the identity of the individual making the request.

If a disabled person finds it impossible or unreasonably difficult to make a SAR in writing, we must make a reasonable adjustment for them. This could include treating a verbal request for information as though it were a valid subject access request. We might also have to respond in a format which is accessible to the disabled person, such as Braille, large print, email or audio formats.

If a request does not mention data protection specifically, it is nevertheless a valid request and should be treated as such.

In most circumstances, we will have to provide individuals with a copy of the information they request free of charge. However, we are permitted to charge a “reasonable fee” when a request is manifestly unfounded, excessive or repetitive. The fee must be based on the administrative cost of providing the information.

  1. All SARs are forwarded to the Data Protection Lead
  2. Data Protection Lead – Contact the individual making the SAR in writing to confirm receipt of the request, and if appropriate
    • Request proof of ID
    • Ask for any information needed to find the personal data requested

Once the SAR has been received in writing, together with proof of identity and any additional information needed to find the data, the Data Protection Lead has 30 days to provide the personal data.

  1. Contact the relevant data processors to collate the personal data requested (this could be electronic or paper-based personal data)
  2. Check to see if the personal data includes any 3rd party personal data or references to 3rd parties
  3. Redact any 3rd party personal data or seek consent to disclose
  4. Explain any complex codes or terms within the personal data
  5. Provide the data to the requester, ensuring that it is transferred in a secure manner
  6. Contact the individual making the request to confirm receipt of the personal data

We may ask an individual making a request to use our Subject Access Request form, but this is not compulsory. Any request made in writing must be considered a valid request, whatever the format, e.g. email, letter or fax.

The General Data Protection Regulation (GDPR) requires that the information provided to the requester is in an intelligible form. This means that the information provided should be capable of being understood by the average person.

GDPR allows us to confirm two things before being obliged to respond to a request.

We can ask for enough information to judge whether the individual is who they are claiming to be. This is to avoid personal data about one individual being sent to another, accidentally or because of deception.

We can also ask for any information that we reasonably need to find the personal data covered by the request. We need not comply with the SAR until this information has been provided. However, we cannot ignore a request simply because more information is needed. There must be no delay in asking for the additional information.

An individual can make a subject access request via a third party. Often, this will be a solicitor acting on behalf of a client, but it could simply be that an individual feels comfortable allowing someone else to act for them. In these cases, we must be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney.
If we think an individual may not understand what information would be disclosed to a third party who has made a subject access request on their behalf, we may send the response directly to the individual rather than to the third party. The individual may then choose to share the information with the third party after having had a chance to review it.

Even if a child is too young to understand the implications of subject access rights, data about them is still their personal data and does not belong, for example, to a parent or guardian. So, it is the child who has a right of access to the information held about them, even though in the case of young children these rights are likely to be exercised by those with parental responsibility for them.

Before responding to a SAR for information held about a child, you should consider whether the child is mature enough to understand their rights. If you are confident that the child can understand their rights, then you should respond to the child rather than a parent. What matters is that the child can understand (in broad terms) what it means to make a SAR and how to interpret the information they receive because of doing so. When considering borderline cases, the following should be considered:

  • the child’s level of maturity and their ability to make decisions;
  • the nature of the personal data;
  • any court orders relating to parental access or responsibility that may apply;
  • any duty of confidence owed to the child or young person;
  • any consequences of allowing those with parental responsibility access to the child’s or young person’s information. This is particularly important if there have been allegations of abuse or ill treatment;
  • any detriment to the child or young person if individuals with parental responsibility cannot access this information; and
  • any views the child or young person has on whether their parents should have access to information about them.

Responding to a SAR may involve providing information that relates both to the requester and to another individual. GDPR says you do not have to comply with the request if to do so would mean disclosing information about another individual who can be identified from that information, except where:

  • the other individual has consented to the disclosure; or
  • it is reasonable in all the circumstances to comply with the request without that individual’s consent.

So, although we may sometimes be able to disclose information relating to a third party, we need to decide whether it is appropriate to do so in each case. This decision will involve balancing the data subject’s right of access against the other individual’s rights in respect of their own personal data. If the other person consents to the disclosure of the information about them, then it would be unreasonable not to do so. However, if there is no such consent, we must decide whether to disclose the information anyway.

We cannot refuse to provide subject access to personal data about an individual simply because that data was obtained from a third party. The rules about third party data apply only to personal data which includes both information about the individual who is the subject of the request and information about someone else.

For further information on disclosing third party personal data, please read the Information Commissioner’s Office’s more detailed guidance.

Responsibility for complying with a SAR lies with the data controller. GDPR does not allow any extension to the 30-day time limit in cases where a data processor is required to provide the information that is needed to respond. We must contact a data processor immediately if they are holding the personal data that the requester has asked for. Our data processor agreement states that the data processor must respond to a SAR within a timeframe set by us.

Dealing with a SAR can be an onerous task. This might be because of the nature of the request, because of the amount of personal data involved, or because of the way in which certain information is held.

It is not necessary to supply a copy of the information in permanent form if it would involve disproportionate effort to do so. It is possible to provide the information requested in electronic format rather than hard copy. This provision should be relied upon only in the most exceptional of cases.

An alternative solution for excessive, unfounded or repetitive requests is to refuse to comply. Organisations that do this must explain to the individual why they’re refusing to comply and let them know of their right to appeal to the organisation’s supervisory authority.

Various exemptions from the right of subject access apply in certain circumstances or to certain types of personal data; please see the Information Commissioner’s Office guidance for more details on exemptions.

If you require more information on dealing with subject access requests, please refer to the Information Commissioner’s Office guidance contained in its Code of Practice.