How to manage a subject access request – the absolute basics!
A subject access request, made under section 7 of the current Data Protection Act, is most often used by individuals who want to see a copy of the information an organisation holds about them. However, the right of access goes further than this, and an individual who makes a written request and pays a fee of no more than £10.00 is entitled to be:
- told whether any personal data is being processed by the organisation;
- given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
- given a copy of the information comprising the data; and
- given details of the source of the data (where this is available).
An individual can also request information about the reasoning behind any automated decisions, such as a computer-generated decision to grant or deny credit, or an assessment of performance at work (except where this information is a trade secret).
What’s considered to be a valid request?
- It should be made in writing (see reasonable adjustment below);
- Requests sent by email, fax or social media are as valid as those sent in hard copy;
- You do not need to respond to a request made verbally but it is good practice to at least explain to the individual how to make a valid request, rather than ignoring them;
- If a disabled person finds it impossible or unreasonably difficult to make a subject access request in writing, you may have to make a reasonable adjustment for them under the Equality Act 2010. This could include treating a verbal request for information as though it were a valid subject access request. It is also best practice to respond in a particular format which is accessible to the disabled person;
- If a request does not mention the Act specifically or even say that it is a subject access request, it is nevertheless valid and should be treated as such if it is clear that the individual is asking for their own personal data;
- A request is valid even if the individual has not sent it directly to the person who normally deals with such requests – so it is important to ensure that you and your colleagues can recognise a subject access request and treat it appropriately;
- You cannot force the use of a proforma.
Current guidance says that in most cases you must respond to a subject access request promptly and in any event within 40 calendar days of receiving it. New regulations coming into force in May 2018 will change these timeframes.
The Act requires that the information you provide to the individual is in “intelligible form”. This means that the information you provide should be capable of being understood by the average person. However, the Data Protection Act does not require you to ensure that the information is provided in a form that is intelligible to the particular individual making the request.
The above highlights why you should never put in writing anything about an employee that you wouldn’t consider to be fair and factual. Personal views or opinions should never be documented or emailed if management aren’t happy to share this content with the employee. Even fairly minor comments or remarks aren’t helpful when it comes to defending a grievance or a claim from an employee.
Should you receive a request please don’t hesitate to contact us on 01924 827869.