In more detail
- What information must we supply?
- How do we decide what information to supply?
- In what format should we provide the information?
- What is a commonly used electronic format?
- Do we need to provide remote access?
- Can we provide the information verbally?
- How do we provide the information securely?
- What if we have also received a data portability request?
- Do we need to explain the information supplied?
The focus of a SAR is usually a copy of the requester’s personal data. However, you should remember that the right of access also entitles an individual to other supplementary information (eg the purposes of processing). For a full list of the other information that you must provide please see ‘What other information is an individual entitled to?’.
This information might be contained in the copy of the personal data you supply. However, if it is not, you must remember to supply this information in addition to a copy of the personal data itself.
Documents (including draft documents), or files may contain a mixture of information that is the requester’s personal data, personal data about other people and information that is not personal data at all. This means that sometimes you need to consider each document within a file separately, and even the content of a particular document, to assess the information they contain.
It may be easier (and more helpful) to give a requester a mixture of all the personal data and ordinary information relevant to their request, rather than to look at every document in a file to decide whether or not it is their personal data. This is an appropriate approach where none of the information is particularly sensitive, contentious or refers to third-party individuals.
Once you locate and retrieve the relevant personal data for the request, you must provide the requester with a copy.
How you do this, and the format you use, depends upon how the requester submitted their request (ie electronically or otherwise):
- If the individual submitted the SAR electronically (eg by email or via social media), you must provide a copy in a commonly used electronic format. You may choose the format, unless the requester makes a reasonable request for you to provide it in another commonly used format (electronic or otherwise).
- If the individual submitted the SAR by other means (eg by letter or verbally), you can provide a copy in any commonly used format (electronic or otherwise), unless the requester makes a reasonable request for you to provide it in another commonly used format. However, where the information is sensitive, you should ensure that you transfer it to the requester using an appropriately secure method. Please see ‘How do we provide the information securely?’ for further details.
Remember that the onus is on you to provide the information to the individual (or their appointed representative). An individual should not have to take action to receive the information (eg by collecting it from your premises), unless they agree to do so.
The right of access enables individuals to obtain their personal data rather than giving them a right to see copies of documents containing their personal data. You may therefore provide the information in the form of transcripts of relevant documents (or of sections of documents that contain the personal data), or by providing a print-out of the relevant information from your computer systems. While it is reasonable to supply a transcript if it exists, we do not expect controllers to create new information to respond to a SAR. Although the easiest way to provide the relevant information is often to supply copies of original documents, you are not obliged to do so.
The GDPR does not define a “commonly used electronic format”. However, this means the format in which you supply the requester with their personal data. When determining what format to use, you should consider both the circumstances of the particular request and whether the individual has the ability to access the data you provide in that format.
You should note that the GDPR does not require individuals to take any specific action in order to access the data you provide in response to a SAR. You should not expect them to download software, particularly because:
- it may involve individuals having to buy that software;
- depending on the source, it may pose a security risk to those individuals; and
- it is not providing them with ‘direct access’ to their personal data.
An individual makes a subject access request for their personal data. The organisation provides a copy of this data using what they consider to be a commonly used electronic format.
When the individual receives the files, some of them are in a proprietary format and the individual does not have the software package needed to access these files. The organisation considers that they have provided the data in a “commonly used” format due to the availability of that software package.
However, as the GDPR does not require individuals to purchase specific software packages merely to access a copy of their data, the organisation has not fulfilled their obligations to provide a copy as the individual cannot access it.
Therefore, it is good practice to establish with the individual their preferred format, prior to fulfilling their request.
However, if you were to send the individual their information in an encrypted format, and then separately send them a secure code that they can use to access the encrypted information, you will have provided them with direct access to their data.
Alternatives can also include allowing the individual to access their data remotely and download a copy in an appropriate format. See ‘Do we need to provide remote access?’ for more information.
The GDPR encourages controllers to provide individuals with remote access to their personal data via a secure system.
This is not appropriate for all organisations, but there are some sectors where this may work well. It also helps you to meet your obligations, and reassure individuals about the amount and type of personal data you hold about them.
You should note, however, that although you provided the individual with access to their personal data, it does not necessarily mean that you provided them with a copy of their data. This depends on whether they are able to download a copy of the requested information. If an individual can download a copy of their personal data in a commonly used electronic format, then this satisfies the requirement to provide a copy, as long as the individual does not object to the format.
Yes. If an individual asks, you can provide the response to their SAR verbally, provided that you have confirmed their identity by other means. You should keep a record of:
- the date the individual made their request;
- the date you responded;
- details of who provided the information; and
- what information you provided.
This is most likely to be appropriate if they have requested a small amount of information.
You are not obliged to provide information in this way. However, you should take a reasonable approach when considering such requests.
As the controller of the information, you are responsible for taking all reasonable steps to ensure its security. Whilst there are many different ways to send the requested information to the individual, there are some basic steps that you can take to help you with this.
On an organisational level, you should try and safeguard against human error, for example:
- ensure that you have proper systems in place to record SARs;
- ensure that those responsible for responding to a request are properly trained; and
- have a system or procedure in place to check email or postal addresses before responding to a request.
For more on this see the ‘How should we prepare?’ section above.
The method you use to provide the information to the individual will, in part, be guided by any request they have made about what format they would like to receive it (see In what format should we provide the information? above).
If you have any concerns over the method that the individual has requested you use to send their information, you should contact them, explain your concerns and ask for an alternative address or method of providing the information.
If this is not possible, but you are seeking to provide the information electronically, you may wish to consider providing it in an encrypted form, followed up by sending the passphrase to the individual separately (eg via email). This depends on the nature and sensitivity of the information (in particular if it is special category or criminal offence data).
If the individual asks for you to provide the information in hard copy, in many circumstances the postal service is a secure method of sending the information. However, depending on the nature and sensitivity of the information, you may need to consider sending it by special delivery or via a courier service.
Providing remote access to a secure system can be one method to ensure you provide the information securely. You should however note that you need to apply appropriate technical measures to this system so that both it and any information it holds are secure. A good baseline may be the security measures you already apply to your existing systems. (See Do we need to provide remote access? above).
Please see our guidance on security for more information on the security requirements of the GDPR, as well as our guidance on encryption for more details about how you can implement encryption effectively.
If an individual makes a SAR and a request for data portability at the same time, you need to consider what information comes under the scope of which request.
An easy way of considering this is to remember that:
- the right of access concerns all the personal data you hold about an individual (unless an exemption applies) – including any observed or inferred data; and
- the right to data portability only applies to personal data ‘provided by’ the individual, where you process that data (by automated means) on the basis of consent or contract.
Also, whilst the right of access may require you to provide information in a commonly used electronic format, the right to data portability goes further. It gives individuals the right to receive personal data they have provided to you in a structured, commonly used and machine-readable format. It also gives them the right to request that you transfer this data directly to another controller.
Therefore, the required format for providing the information depends on which right applies to the data in question.
You may need to explain some of the information you provide when you respond to a SAR. However, this depends on the type of information and the reason why the individual may have difficulty understanding it.
The GDPR requires that the following information is provided to an individual in a concise, transparent, intelligible and easily accessible form, using clear and plain language:
- confirmation of whether you are processing their personal data;
- the other supplementary information you are required to provide (eg your purposes of processing); and
- any other communication you have with an individual about their request.
This means that this information should:
- not include information that is irrelevant or unnecessary;
- be open, honest and truthful;
- be easy to understand by the average person (or child);
- be easy to access; and
- use common, everyday language.
This is particularly important if you are addressing the information to a child.
For more information about how to provide information in a concise, transparent, intelligible and easily accessible form, using clear and plain language, please see our guidance on the right to be informed.
You are expected to give the individual additional information to aid their understanding, if the requested personal data is not in a form that they can easily understand. However, this is not meant to be onerous and you are not expected to translate information or decipher unintelligible written notes.
An individual makes a request for their personal data. When preparing the response, you notice that a lot of it is in coded form. For example, attendance at a particular training session is logged as “A”, while non-attendance at a similar event is logged as “M”. Also, some of the information is in the form of handwritten notes that are difficult to read.
Without access to your key or index to explain this information, it is impossible for anyone outside your organisation to understand. In this case, you are expected to explain the meaning of the coded information. However, although it is good practice to do so, you are not required to decipher the poorly written notes, as the GDPR does not require you to make information legible.
You receive a SAR from someone with poor English comprehension skills. You send a response which can be understood by the average person but they ask you to translate the information you sent them into French. In these circumstances, you are not required to do this, even if the person who receives the data cannot understand all of it. However, it is good practice for you to help individuals understand the information you hold about them.