How to submit a Subject Access Request
Understanding Subject Access Requests: What to Expect
Introduction
As individuals, we have the right to know how our personal information is being processed and used by organizations. To exercise this right, we can submit a Subject Access Request (SAR). However, many of us are unsure about the process and what to expect after making such a request. In this blog post, we will guide you through the essential aspects of SARs and what you can anticipate during the process.
1. Response Time
Once you submit a subject access request, the organisation in question is generally required to respond within one month. However, in some cases where your request is complex or you have made multiple requests, the organisation may need more time. They can extend the response time by up to two additional months. If an extension is necessary, they should inform you within the initial one-month period, providing an explanation for the delay.
2. Fees, Charges, and Time Limit
In most circumstances, organisations must provide the requested personal information free of charge. However, there are exceptions. If the organisation deems your request to be “manifestly unfounded or excessive,” they may charge a reasonable fee to cover administrative costs. Moreover, if you request further copies of your information following the initial request, they may apply a fee as well. It’s essential to note that if a fee is applicable, the one-month response time begins only after the organisation receives the payment.
3. Contents of the Response
When the organisation responds to your subject access request, they should inform you whether or not they process your personal information. If they do, they must provide you with copies of the relevant data. Alongside this, the response should include the following details:
a. Purpose of Information Usage: The organization should clarify the reasons for processing your personal information.
b. Information Sharing: You have the right to know who the organization shares your data with.
c. Data Retention: The response should outline how long the organization intends to store your information and how they arrived at this decision.
d. Your Rights: The organisation should explain your rights, such as challenging the accuracy of your data, requesting its deletion, or objecting to its use.
e. Complaint Rights: You have the right to complain to the Information Commissioner’s Office (ICO) if you believe your data protection rights have been violated.
f. Data Origin: The response should include details about the source of your information.
g. Profiling and Automated Decision-making: If applicable, the organization must disclose whether they use your data for profiling or automated decision-making and explain how they do it.
h. Data Transfers: If your data has been transferred to a third country or an international organization, the response should provide information about the security measures taken during the transfer.
4. Specific Requests
If you are particularly interested in receiving any additional information beyond the standard response, it is advisable to state your requirements clearly in your initial request.
5. Not Receiving Everything Requested
It’s important to understand that you may not always receive all the information you requested through a subject access request. There could be various reasons for this:
a. Partial Disclosure: Depending on the circumstances, you might only receive part of the requested information.
b. No Disclosure: In certain cases, the organization may not provide any personal information at all.
c. Refusal: An organization can refuse to comply with your request if they consider it to be “manifestly unfounded or excessive.”
Other reasons for not receiving all the requested information include the application of exemptions or when the type of information you asked for is not covered by a subject access request.
6. Frequently asked questions
1. Am I entitled to receive copies of entire documents?
No. Your right of access does not entitle you to receive full copies of original documents held by an organisation – only your personal information contained in the document.
Example
You make a subject access request to your bank for full copies of your bank statements.
Your bank is not required to provide copies of the actual bank statements, but they must provide you with your personal data contained within them, for example, by providing you with a list of transactions.
By doing so, they have now complied with your subject access request without having to give you a full copy of the original bank statements.
2. What does ‘manifestly unfounded or excessive’ mean?
There is no set definition of what makes a subject access request ‘manifestly unfounded or excessive’. It will depend on the particular circumstances of your request. An organisation should explain the reasons for their decision.
As an example, an organisation may consider a request to be ‘manifestly unfounded or excessive’ when it is clear that:
- it has been made with no real purpose except to cause them harassment or disruption;
- the person making the request has no genuine intention of accessing their information (eg they may offer to withdraw their request in return for some kind of benefit, such as a payment from the organisation); or
- it overlaps with a similar request they are still addressing.
To decide this, an organisation must consider each request on a case-by-case basis and be able to explain their reasoning to you.
3. What is an exemption?
An organisation may withhold some, or all, of your personal information because of an exemption in data protection law.
Exemptions are meant to protect particular types of information, or how certain organisations work.
Sometimes an organisation may not even have to let you know whether or not they hold information about you.
An organisation may also refuse to give you your information if it also includes personal information about someone else, except where:
- the other individual has agreed to the disclosure; or
- it is reasonable to give you this information without the other individual’s consent.
In their decision-making, an organisation has to balance your right of access against the other individual’s rights over their own information.
This may lead the organisation to refuse your subject access request.
Alternatively, the organisation may attempt to remove (or edit out) the other individual’s information before sending your information to you. This is commonly known as ‘redaction’.
This could mean you only receive partial information – such as copies of documents showing blanked-out text or missing sections.
In any case, an organisation normally needs to:
- tell you why they are not taking action;
- justify their decision; and
- explain how you can challenge this outcome.
4. What happens if the organisation requires proof of ID?
ID (identity) checks are usually required for security – they are part of an organisation’s measures to protect your personal data from unauthorised access.
If an organisation asks you for proof of ID, the one-month time limit does not begin until they have received it.
5. What information is not covered by my request?
The right of access does not cover all types of information or uses of personal information. Some common examples of this include:
- information used for personal/household activity (eg friends writing letters to you or pictures of you taken by family members);
- images of you captured on a domestic CCTV system within the boundary of the owner’s domestic property; and
- information about a deceased relative’s medical records (as data protection law only applies to living individuals).
6. Can I submit the same request again?
Yes, you can ask an organisation for access to your information more than once. However, they may be able to refuse your request if:
- they have not yet had the opportunity to address your earlier request; or
- not enough time has passed since your last request (eg your information has not changed since then).
Remember, you can also ask an organisation for further copies of your information following a request, but they can charge a reasonable fee for this.
Conclusion
Making a subject access request empowers you to take control of your personal information and understand how organizations process and use it. By knowing what to expect during the process, including response times, potential fees, and the contents of the response, you can exercise your data protection rights effectively. Remember that despite your best efforts, you might not receive all the information you requested, but understanding the reasons behind this can help you navigate the subject access request process more confidently.