Data protection and Subject Access Requests
- The personal data, which is to be processed.
- Who the data is likely to be disclosed to or has been disclosed to.
- The information as to where the data controller received the information from and its source.
A copy of the personal data must be provided on a Subject Access Request. However, the duty to disclose applies only to data that forms part of a ‘relevant filing system’ and should not have to entail a manual search of paper records. What this means is that where documents have been converted into computerised format, only the computer documents would form part of a Subject Access Request, as it is likely that these will be the only records to be processed. Data controllers should take a common-sense approach to this and make sure that they are proportionate and reasonable in their searches for data.
A Subject Access Request need not be complied with if it requests confidential disclosure, such as confidential references or examination scripts. Requests for this information will fall under an exemption from the Subject Access Request rules and do not need to be supplied, but an explanation should be given as to why the requests cannot be met.
A Subject Access Request must:
- Be addressed in writing to the data controller.
- Contain information to enable the data controller to satisfy himself as to the identity of the individual making the request.
- Provide information to enable the data controller to locate the data sought.
Data controllers must comply with requests promptly and within 40 days from receipt of the request, or from receipt of the information necessary to enable the data controller to comply with the request if, for example, insufficient information is given at first.
Data controllers may charge an administration fee of up to £10 for responding to a Subject Access Request.
As data controllers are required to respond promptly, it is a good idea to put in place a Data Protection Policy and have rules for how requests will be managed to ensure that they are completed within the timescales.
Subject Access Requests are often used as a means to gain further information in a dispute or in litigation between an employer and employee. Subject Access Requests can be particularly useful for employees making claims where the information required would not normally be disclosed in the course of legal proceedings. For an employee, Subject Access Requests are a cheap means of recovering information.
This also allows an employee to use their legal rights to recover information without tipping off their employer or being disciplined, because there is no requirement to justify the reason why a Subject Access Request has been made.