15 August 2016


The ICO’s recent fine for a data breach at a GP surgery in Hertfordshire was the direct result of a subject access request gone wrong.

The practice revealed confidential details about a patient to an estranged ex-partner because there were insufficient systems in place for staff to deal with subject access requests (SAR).

The fallout in this case was huge distress to the family, damage to the organisation’s reputation and a £40,000 fine. It’s easy to imagine how bad the person responsible for dealing with subject access requests at the practice must feel. And yet such a devastating data breach could so easily have been avoided.

Subject access is a fundamental right of individuals under the Data Protection Act, so whatever business you’re in, if you hold personal data, most organisations will have to respond to a request at some point.

Our figures show that 46% of all complaints made to the ICO last year were about SARs and the difficulties people face when trying to get hold of their personal information.

As these figures and the recent case show, it’s incredibly important to make sure staff are fully equipped to deal with requests. Here’s some top tips from our recent SAR webinar to help organisations:

1. The common causes of complaints to the ICO. It’s helpful for organisations to understand what people find frustrating when asking for information: https://www.youtube.com/watch?v=hH4tWWouWXU

2. There are certain things all organisations require before they can respond to a SAR. Find out what you can reasonably ask for to be able to comply with a request: https://www.youtube.com/watch?v=7dKZkYi1swc

3. Disproportionate effort. Where and when can this be applied? https://www.youtube.com/watch?v=IWMwwUQPPGA

4. Information other than the person’s data as part of a request. Can an organisation include other people’s personal information? https://www.youtube.com/watch?v=nK-g75-eVjE

5. Exemptions. Some information is exempt from being given out, how should organisations deal with it? https://www.youtube.com/watch?v=TiGokOCedCs 


The ICO’s subject access code of practice is a comprehensive guide to SARs and is available on our website. If you have any doubts about dealing with subject access requests, you can call our helpline on 0303 123 1113.

It’s open Monday – Friday from 9am to 5pm, offering advice and guidance on everything to do with SARs.


Sally-Anne Poole manages the Civil Investigations team within the Enforcement Department. Sally-Anne’s team investigate breaches of the Data Protection Act, exercising the Commissioner’s powers of enforcement contained in part V of the Act, including civil monetary penalties.