What are subject access requests?
The Data Protection Act gives individuals the right to know what ‘personal information’ an institution is holding and processing about them. So long as no exemption applies, individuals can request and receive a copy of that information.
To access the information and obtain a copy of it, individuals need to make a data subject access request. The application cannot be made over the telephone but must be evidenced in writing (including e-mails and faxes). Depending on the circumstances, individual requests may vary from very broad in nature (e.g. all information that you hold about me) to very specific (e.g. a copy of medical records between 24/04/2010 and 24/05/2011).
What information is classed as sensitive?
Personal data is automatically classed as sensitive if it is about an identifiable, living individual and includes any of the following:
Racial or ethnic origin.
Trade union membership.
Physical or mental health.
Commission of offences or alleged offences.
What information can be requested?
Under the Data Protection Act, individuals have the right to be informed of the following:
Whether the data being processed is personal and, if so:
A full description of that particular data.
The purposes for which the data is being processed.
To whom the information is being disclosed or will potentially be revealed.
Individuals may also request a copy of the data and information about how decisions about their data are being made.
Format of the Subject Access Request
Under the Act, any request for personal data is classed as a subject access request. Data controllers are entitled to ask data subjects for a fee of £10 to cover the costs of processing the request. The £10 charge does not apply to medical records.
The data controller has 40 calendar days to reply. Before responding, the data controller may also ask the following:
The data controller can ask for the subject access request to be submitted in writing; this is to prevent potentially fraudulent access requests. A form submitted in writing will help the data controller to satisfy its obligations under the Data Protection Act 1998.
The data controller is also entitled to ask the data subject to provide more accurate information about the person concerned with the subject access request; this will enable the data controller to locate the information more quickly. Although individuals are perfectly entitled to seek all information held about them, it is useful when individuals cooperate with data controllers and submit relatively narrow and specific requests.
Once the above have been satisfied, the 40-day response period starts to run. It is prudent to ensure that proper procedures are in place to correctly date the files and keep all correspondence in chronological order, so as not to miss any deadlines.
When processing data subject requests it is important to give consideration to the following:
Does the data subject request directly or indirectly require disclosure of information about another third party individual?
The Act applies to information about third parties that inevitably forms a part of the initial subject access request. To the maximum possible extent, you should always try to fulfil your obligations regarding data subject claims without identifying third-party individuals.
If it is not feasible to adequately provide the information without disclosing data about a third party, you should refer to section 7(4) of the Act for a full list of considerations that should be taken into account.
Have you obtained third party consent?
The best way of dealing with your obligations under the Act is to get the third party’s consent. This is not a requirement, however, and whether or not it is reasonable to ask for approval will depend on the particular circumstances.
Section 7(6) of the Act provides further guidance about the factors that should be taken into account when deciding whether or not it would be ‘reasonable in all the circumstances’ to make a disclosure without consent.