The ICO exists to empower you through information.

Latest updates

24 October 2022

  • We’ve updated our FAQ How should I redact information before sending out a subject access request? To clarify the potential need to redact CCTV footage before sharing it.
  • We’ve added a new FAQ to help businesses understand what to consider when a SAR includes CCTV footage.

27 September 2022

  • We have updated our rights request FAQ When can I withhold
    information that someone has asked me to provide in a SAR? and
    included information about using exemptions.
  • We have updated our rights requests FAQ On what grounds can a SAR
    be refused entirely? to explain what is meant by ‘excessive’
  • We have added an additional FAQ to our information about rights requests: Do we need to comply with a subject access request about someone who has died?

 

Do we need to provide everything that includes a person’s name when responding to a subject access request?

No. It’s important to think about whether the information is about them or only includes their name.

For example, Colin sends two emails about Dominic: one is an office-wide email to his staff about an updated policy; the other is sent to a team about Dominic’s attendance at a conference.

In the first office-wide email, Dominic’s name is in the ‘To’ field along with the email address of every other staff member. This means that Dominic’s name would come up in a search of the email inbox for documents, emails and files relating to him. However, aside from being sent to Dominic, the email doesn’t relate to him in any other way. If Dominic asked his employer for a copy of his data, they wouldn’t need to provide the email about the updated policy because it isn’t about him.

In the second email about Dominic’s attendance at a conference, this information relates to Dominic and his employer would need to provide it if he asked for a copy of his data.

We have a very large amount of personal data to consider in response to a subject access request. How do we deal with this?

You can ask the person making the request to clarify what they need. There are several ways to narrow down the search, including the type of document they’re looking for or the timeframe they’re interested in.

For example, Rebecca owns a golf club. She’s received a subject access request from Sian, one of her employees. Sian, who has worked at Rebecca’s golf club for 15 years and is also an active member of the club, has asked for a copy of all her personal data. Rebecca holds a lot of information relating to Sian. Without delay, Rebecca asks Sian if she requires something in particular or if she wants everything. Sian’s reply is that she’s only interested in information about her last performance appraisal. This means the amount of information Rebecca needs to send is significantly reduced.

If you come across a very large amount of personal data while responding to a subject access request, it’s worth checking if the search can be narrowed. But you should be aware that the person is entitled to ask for all their personal data and so may not want to narrow it down.

If they request all their personal data, rather than information from a particular category or date range, you should gather all of that information as best you can.

You’re expected to do a reasonable amount of searching to find what you’ve been asked for, but you don’t need to check every single email or file if you feel it’s unlikely to relate to the request. In data protection law, if it’s ‘disproportionate’ then you don’t need to do it. If you need our advice on how to deal with a large amount of data when you’ve had a subject access request, you can contact us.

What should we do if some of the data we’re looking to provide when responding to a subject access request contains someone else’s personal data?

Most of the time, you should avoid disclosing information about other people. But there may be occasions when the personal data you’ve pulled together includes information that’s closely linked to someone else. In those situations, your aim should still be to release the personal data requested. But you also need to think about what might happen if you disclose data about someone else.

First, you should check to see if you need the other person’s consent to provide their information. If you don’t have the consent of the other person, then you should think about whether it’s reasonable to provide that information without their consent. You need to bear in mind any duty of confidentiality you have to them. You also need to think about what kind of information might be disclosed, as some information might be particularly sensitive. If you can’t get consent and it’s not reasonable to provide the information without it, then you should see if you can redact the other person’s information. You should look to disclose personal data if you can but it’s a balancing act in these circumstances.

When responding to a subject access request in these situations there can be lots to consider, but you can always contact us if you need help deciding what to do.

When can I withhold information that someone has asked me to provide in a subject access request? 

You should try and supply all the personal data a person has asked you to provide. At its core, data protection law is about openness and transparency – and people have the right to access their own personal data. If you withhold information, you’re denying those rights.

However, sometimes it might be appropriate to withhold some or all of the information that someone has asked you to provide. These situations – or exemptions – don’t always apply, but if they do they should be considered.

Two of the most common exemptions you’re likely to come across as a small business are:

  • third-party data (where the information includes other people’s data) ; and
  • crime and taxation (where disclosing the data may prejudice an investigation).

You have to justify and document your reasons for relying on an exemption. In your document, include what the exemption relates to and why you’re using it.

It can be helpful to explain your reasons to the requester so they understand why you’ve not fully complied with their request. But only do this if it doesn’t reveal something you were trying to withhold.

Example

David, an owner of a newsagent, has suspicions that Lara, an employee, has been stealing from his shop. David shares evidence with the police for investigation purposes. Lara requests a copy of all her personal data held by David, which he agrees to provide. However, David relies on the crime and taxation exemption to withhold the information shared with the police. He believes that telling Lara may prejudice the investigation.

If you’re unsure whether you can withhold information in your situation, you can contact us for more advice.

On what grounds can a subject access request be refused entirely?

Where you can, you should give a person the data they’ve asked for in a subject access request. It’s very unlikely that you’ll be able to refuse a request altogether, but it’s possible in certain situations such as if the request is excessive. If you decide to refuse all or part of the request, you should note your reasons why. This is because you need to be able to justify refusing a request.

A request could be considered excessive if it repeats or overlaps other recent requests. However, a request isn’t excessive just because a large amount of data has been asked for. In these cases, you can ask the person to narrow their request. If they choose not to, you’ll need to carry out reasonable searches for all the information.

Another possible situation in which you might be able to refuse a subject access request is if it’s unfounded or unreasonable. This can be where you have reasonable grounds to believe the person making the request has no real interest in obtaining the information they’ve asked for, and is only making the request to harass or cause expense to your business.

Both of these situations call for a decision to be made based on your specific situation. If you need help deciding what to do, you can contact us.

Can a young person make a subject access request?

Yes. There aren’t any age requirements attached to the right of subject access but in the UK we tend to consider 12 as the age where young people can exercise their own legal rights.

This means that if you process children’s information, they have a right to ask for copies of it. If the young person is under 12 and making their own request, you might need to satisfy yourself that they understand what they’re doing, but this shouldn’t be a barrier to supplying them with their information.

If the young person is over 12, there’s unlikely to be any reason why you shouldn’t treat the request exactly as you would if an adult made it.

Although young people can submit their own subject access requests, parents or guardians can also exercise this right on their behalf. If the young person is 12 or over, check whether they’re happy to authorise the disclosure of their personal data to their parent or guardian.

How should I redact information before sending out a subject access request?

You should redact or remove any information which doesn’t relate to the person making the subject access request. This is important because most of the time you should avoid disclosing information about other people.

If you’re thinking about using a thick black marker pen to redact information from a response sent in paper format, you should first check it’s not possible to read the information behind the black mark. This includes making sure the text still cannot be read after you’ve scanned or photocopied a redacted document. Alternatively, you could extract the relevant information and create a separate document.

If you’re sending electronic information, there are tools you can use to redact information. Another way of achieving the same aim is to copy and paste sections relevant to the SAR into a separate document and send that to the person instead.

Where CCTV footage has been requested, you’ll probably need to redact it by blurring or partially blocking out some of the footage. There are tools and services available to help you with this. The supplier of your CCTV may be able to advise you or you can search online to find out which ones are compatible with your system.

Top tip: If you’re using a computer to redact information, make sure you save it as a new file. Get advice if you don’t know how to do this.

 

How can I send information securely as part of a subject access request?

The security measures you need to take to send information securely as part of a subject access request (SAR) depend on the type of information you’re planning to send and what you think the risk is to the data.

As a general rule, if a SAR was made to you by email, then there’s an expectation that you’ll reply by email, too, unless the person says otherwise.

Some ways that you could send an electronic file securely include in a password-protected file with the password sent to the person in a separate email. If you’re sending the data by post, make sure it’s packaged appropriately. Don’t try and squeeze a large bundle of papers into a small envelope and risk it splitting in transit. Depending on how sensitive the information is, you might also want to think about if it’s necessary to send it recorded delivery or tracked, so you know whether the person has received it or not.

Whether you’re sending electronically or by post, make sure you double- or triple-check the person’s address before you send it.

What if someone asks us to delete their data, but we need to keep it for a regulatory requirement? 

Generally speaking, if you’ve got a genuine need to hold on to personal data about someone, then you can. The right to erasure – also known as the ‘right to be forgotten’ – isn’t an absolute right. This means that even if someone asks you to delete their data, you don’t automatically have to do what they say if you’ve got other legal obligations to consider.

For example, Rupert runs a small music shop and employs three members of staff. Jacob resigns and asks Rupert to delete all his information from the shop’s systems. But Rupert will need some details of the wages paid to Jacob when he completes his tax returns and may be asked for details about Jacob’s pay and employment, for example if Jacob claims benefits. Therefore, Rupert is unable to comply with Jacob’s request to delete all the information, and retains details relating to Jacob’s pay. However, he deletes other information including Jacob’s performance reviews and details of his sales targets.

If you’ve received a request to delete someone’s data but aren’t sure whether you should, you can contact us for advice.

What does the right to object mean, and when does it apply?

There are some situations where people can use their right to object – ie say ‘no’ – to you using their personal data.

For example, if you’re sending someone marketing information about your business and they object, you’ll need to stop. The right to object to marketing is the strongest right in this category.

There are also some situations where people can object to you using their personal data, but you can carry on using it because their objection doesn’t apply.

For example, if you need to dismiss one of your employees because of gross misconduct, they can’t object to any further use of their personal data by your company to save themselves from further repercussions. Similarly, if you’re a pub landlord and you need to bar someone from your pub because they’ve been causing trouble, the person can’t object to this use of their personal data in the hope that it will mean they can keep coming to your pub.

The right to object only applies if you’re relying on the lawful bases of ‘public task’ or ‘legitimate interest’. But you may also need to take action if someone objects to you using their data when you’re relying on the lawful basis of ‘consent’. For example, if a customer has previously given you their consent to use their personal data but has now changed their mind, they might tell you they object to you continuing to use their personal data. If this happens, you’ll have to stop – but not because of their right to object. You’ll have to stop because they’re withdrawing their consent, which means that you won’t be able to rely on ‘consent’ as your lawful basis any longer, and therefore can’t continue using their data.

As you can see, if you’re relying on ‘public task’ or ‘legitimate interest’ to use someone’s personal data, the person can object – but this doesn’t necessarily mean you have to stop using their data. You might have a good reason for continuing to use it. It all depends on what they’re objecting to, and why.

How do I decide whether a subject access request is complex?

Some factors that may add to the complexity of a request include:

  • technical difficulties in retrieving the information – for example if the data is electronically archived;
  • the request involving large volumes of particularly sensitive information;
  • potential issues around disclosing information about a child to a legal guardian; and
  • any specialist work involved in redacting information or communicating it in an accessible way.

A request isn’t complex in a data protection sense because you use a data processor or because it involves a large amount of information.

Either way, you should always keep a record of your decision and your reasoning behind it.

Can I charge a fee for a subject access request?

In most cases, you can’t charge a fee for responding to a subject access request.

But if the request is manifestly unfounded or excessive, or if someone requests further copies of their data following a previous request, then you can charge a reasonable fee for administrative costs.

For example, Jocelyn runs a hair salon. Naimh, a dissatisfied client, made a subject access request for all her information, including details of all colours and treatments she received since the salon opened. Jocelyn provided this information to Naimh. However, Naimh has since made several more requests for her information, despite Jocelyn telling her she doesn’t hold any additional information. Naimh stopped visiting the salon but continued making requests. In these circumstances, Jocelyn could consider Naimh’s continued requests manifestly unreasonable, made only for the purposes of disrupting Jocelyn’s business.

If you decide to charge a fee you should let the person know as soon as possible. You don’t need to complete their request until you receive the fee.

Do we always have to respond to a subject access request?

Yes, you always have to respond if you’re the data controller. If you’re the processor, you should handle your side of any requests as agreed in your contract with the controller.

Even if your response is to refuse the request, you still have to let the person know within one calendar month.

Who is responsible for responding to a subject access request?

If you’re the controller, it’s your responsibility to respond to a subject access request.

If you’re a processor, you should handle any request you receive as outlined in your contract with the data controller. For example, you might need to forward the request to the controller or they might tell you how to deal with it.

If you’re a joint controller, you should have a transparent arrangement in place between you and the other controller which sets out how to deal with the request.

If you need help on dealing with a subject access request you’ve received, you can contact us.

Do we need to comply with a subject access request about someone who has died?

According to data protection laws, personal data is information which relates to living people. Therefore, a person can’t make a subject access request to get information about someone who has died.

For the same reason, where you receive a subject access request but the person dies before you’ve responded, you won’t need to provide the information.

If information is required on behalf of a person who has died, eg medical records, other laws will apply instead.

What should we do when we’ve received a subject access request for some CCTV footage?

You must give someone a copy of the footage if it contains their data, unless an exemption applies. If they agree, you can arrange for them to view the footage, rather than receiving a copy.

If the footage includes other people, you’ll probably need to redact (eg edit or blur) it so they can’t be identified. You should consider the level of harm for those people if you don’t redact. If you can’t redact the third party footage, you’ll need to consider asking for their consent before releasing it. Where this isn’t possible or appropriate, you must balance the requester’s rights against any third-party rights to privacy and decide if it’s reasonable to share the footage without their consent. You should look to disclose the personal data if you can, but it’s a balancing act. Document the reasons for your decision.