Dealing With Subject Access Requests

Many businesses regard the Data Protection Act 2018 as something that merely requires a lot of form filling and the payment of fees, but there is a lot more to it than that.

The purpose of the Act is to protect a person's right to privacy with regard to the processing of their personal information. Individuals (‘data subjects’ in the terminology) have the right of access to information held about them. For example, a customer of your business has the right to contact you to request a copy of any data you hold on them so that they can check it. This is called a 'subject access request' (SAR). You are required by law to supply the information requested (once you have checked that they are who they say they are, of course). The individual making the request has the right to see data held in any form, not just that held on computer, so storing information in paper form does not avoid the responsibility.

Guidance on dealing with SARs is available from the Information Commissioner's website.

If you receive a SAR, you are required to supply not only all the information you hold on the data subject but also a description of why the information is processed, details of anyone it may be passed to or seen by, and the logic involved in any automated decisions. If you unjustifiably fail to comply with a SAR, the courts may impose a fine of up to £5,000. Any person who believes they have suffered damage and/or distress as a result of a contravention of the Act may seek compensation by applying to the High Court.

In the case of a failure to comply with a subject access request the Court may award compensation for distress alone.

The interpretation of the Court of Appeal is that ‘personal data’ has been defined in such a way that employees are only entitled to see information which is biographical ‘in a significant sense’ and which has the data subject as its focus. The mere mention of a person’s name does not entitle them to see the documents concerned. 

SARs are goverened by the General Data Protection Regulation. There is guidance on this from the ICO.

One of the major problems with this legislation is that some businesses simply do not have the systems in place to refer enquiries to the right person. Furthermore, in many cases data is held in a variety of locations and in different forms. So far, the full impact of the new legislation has not been felt but as individuals become increasingly aware of their personal rights it could become a serious issue for businesses. In particular, when looking to purchase a new IT system, thought should be given to the ability to comply with the Data Protection Act. Also, staff in client-facing roles should be trained how to respond to SARs.
 
We can assist you in devising policies and procedures to help you to meet your data protection obligations.