In brief – what is an individual entitled to?
This right, commonly referred to as subject access, is created by section 7 of the Data Protection Act. It is most often used by individuals who want to see a copy of the information an organisation holds about them. However, the right of access goes further than this, and an individual who makes a written request and pays a fee is entitled to be:
- told whether any personal data is being processed;
- given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
- given a copy of the information comprising the data; and
- given details of the source of the data (where this is available).
An individual can also request information about the reasoning behind any automated decisions, such as a computer-generated decision to grant or deny credit, or an assessment of performance at work (except where this information is a trade secret). Other rights relating to these types of decisions are dealt with in more detail in Automated decision taking.
In most cases you must respond to a subject access request promptly and in any event within 40 calendar days of receiving it. However, some types of personal data are exempt from the right of subject access and so cannot be obtained by making a subject access request. For more information, please see Exemptions.
In more detail…
What is an individual entitled to?
Under the right of subject access, an individual is entitled only to their own personal data, and not to information relating to other people (unless they are acting on behalf of that person). Neither are they entitled to information simply because they may be interested in it. So it is important to establish whether the information requested falls within the definition of personal data. In most cases, it will be obvious whether the information being requested is personal data, but we have produced separate guidance to help you decide in cases where it is unclear: Determining what is personal data (pdf). Please also see the key definitions.
Subject access provides a right to see the information contained in personal data, rather than a right to see the documents that include that information.
Various exemptions from the right of subject access apply in certain circumstances or to certain types of personal data; see Exemptions.
What is a valid subject access request?
For a subject access request to be valid, it should be made in writing. You should also note the following points when considering validity:
- A request sent by email or fax is as valid as one sent in hard copy. Requests may also be validly made by means of social media; please refer to the Subject access code of practice (pdf) for guidance on this.
- You do not need to respond to a request made verbally but, depending on the circumstances, it might be reasonable to do so (as long as you are satisfied about the person’s identity), and it is good practice to at least explain to the individual how to make a valid request, rather than ignoring them.
- If a disabled person finds it impossible or unreasonably difficult to make a subject access request in writing, you may have to make a reasonable adjustment for them under the Equality Act 2010 (in Northern Ireland this falls under the Disability Discrimination Act 1995). This could include treating a verbal request for information as though it were a valid subject access request. You might also have to respond in a particular format which is accessible to the disabled person, such as Braille, large print, email or audio formats. If an individual thinks you have failed to make a reasonable adjustment, they may make a claim under the Equality Act (or Disability Discrimination Act 1995 in Northern Ireland). Information about making a claim is available from the Equality and Human Rights Commission or, as appropriate, from the Equality Commission for Northern Ireland.
- If a request does not mention the Act specifically or even say that it is a subject access request, it is nevertheless valid and should be treated as such if it is clear that the individual is asking for their own personal data.
- A request is valid even if the individual has not sent it directly to the person who normally deals with such requests – so it is important to ensure that you and your colleagues can recognise a subject access request and treat it appropriately.
Can I require individuals to use a specially designed form when making subject access requests?
No. Many organisations produce subject access request forms, and you may invite individuals to use such a form as long as you make it clear that this is not compulsory and you do not try to use this as a way of extending the 40-day time limit for responding. Standard forms can make it easier for you to recognise a subject access request and make it easier for the individual to include all the details you might need to locate the information they want.
However, any request in writing must be considered as a valid request, whatever the format.
I have received a request but need to amend the data before sending out the response. Should I send out the “old” version?
The Act specifies that a subject access request relates to the data held at the time the request was received. However, in many cases, routine use of the data may result in it being amended or even deleted while you are dealing with the request. So it would be reasonable for you to supply information you hold when you send out a response, even if this is different to that held when you received the request.
However, it is not acceptable to amend or delete the data if you would not otherwise have done so. For organisations subject to Freedom of Information legislation, it is an offence to make such an amendment with the intention of preventing its disclosure.
Do I have to explain the contents of the information I send to the individual?
The Act requires that the information you provide to the individual is in “intelligible form”. At its most basic, this means that the information you provide should be capable of being understood by the average person. However, the Act does not require you to ensure that the information is provided in a form that is intelligible to the particular individual making the request.
An individual makes a request for their personal data. When preparing the response, you notice that a lot of it is in coded form. For example, attendance at a particular training session is logged as “A”, while non-attendance at a similar event is logged as “M”. Also, some of the information is in the form of handwritten notes that are difficult to read. Without access to the organisation’s key or index to explain this information, it would be impossible for anyone outside the organisation to understand. In this case, the Act requires you to explain the meaning of the coded information. However, although it would be good practice to do so, the Act does not require you to decipher the poorly written notes, since the meaning of “intelligible form” does not extend to “make legible”.
You receive a subject access request from someone whose English comprehension skills are quite poor. You send a response and they ask you to translate the information you sent them. The Act does not require you to do this since the information is in intelligible form, even if the person who receives it cannot understand all of it. However, it would be good practice for you to help them understand the information you hold about them.
Can I charge a fee for dealing with a subject access request?
Yes, an organisation receiving a subject access request may charge a fee for dealing with it, except in certain circumstances relating to health records. If you choose to charge a fee, you need not comply with the request until you have received the fee. The usual maximum fee you can charge is £10. There are different fee arrangements for organisations that hold credit, health or education records. Please refer to the Subject access code of practice (pdf) for more details, and for credit reference agencies please also see What about personal data held by credit agencies?
Although you need not comply with a request until you have received a fee, you cannot ignore a request simply because the individual has not sent a fee. If a fee is payable but has not been sent with the request, you should contact the individual promptly and inform them that they need to pay.
Some organisations choose not to charge a fee. However, once you have started dealing with an individual’s request without asking for a fee, it would be unfair to then demand a fee as a way of extending the period of time you have to respond to the request.
Can I ask for more information before responding to a subject access request?
The Act allows you to confirm two things before you are obliged to respond to a request.
First, you can ask for enough information to judge whether the person making the request is the individual to whom the personal data relates. This is to avoid personal data about one individual being sent to another, accidentally or as a result of deception.
The key point is that you must be reasonable about what you ask for. You should not request lots more information if the identity of the person making the request is obvious to you. This is particularly the case, for example, when you have an ongoing relationship with the individual.
You have received a written subject access request from a current employee. You know this employee personally and have even had a phone conversation with them about the request. Although your organisation’s policy is to verify identity by asking for a copy of a utility bill, it would be unreasonable to do so in this case since you know the person making the request.
However, you should not assume that, on every occasion, the person making a request is who they say they are. In some cases, it is reasonable to ask the person making the request to verify their identity before sending them information.
An online retailer receives a subject access request by email from a customer. The customer has not used the site for some time and although the email address matches the company’s records, the postal address given by the customer does not. In this situation, it would be reasonable to gather further information, which could be as simple as asking the customer to confirm other account details such as a customer reference number, before responding to the request.
The level of checks you should make may well depend on the possible harm and distress which inappropriate disclosure of the information could cause to the individual concerned.
A GP practice receives a subject access request from someone claiming to be a former patient. The name on the request matches a record held by the practice, but there is nothing else in the request to enable the practice to be confident that the requestor is the patient to whom the record relates. In this situation, it would be reasonable for the practice to ask for more information before responding to the request. The potential risk to the former patient of sending their health records to the wrong person is such that the practice is right to be cautious. They could ask the requestor to provide more information, such as a date of birth, a passport or a birth certificate.
The second thing you are entitled to do before responding to a subject access request is to ask for information that you reasonably need to find the personal data covered by the request. Again, you need not comply with the subject access request until you have received this information. In some cases, personal data may be difficult to retrieve and collate. However, it is not acceptable for you to delay responding to a subject access request unless you reasonably require more information to help you find the data in question.
A chain of supermarkets is dealing with a general subject access request from a member of staff at one of their branches. The person dealing with the request is satisfied that the staff member has been sent all information held in personnel files and in files held by his line manager. However, he complains that not all information about him was included in the response. The employer should not ignore this complaint, but it would be reasonable to ask the member of staff for further details. For example, some of the information may be in emails, and the employer could reasonably ask for the dates when the emails were sent, and who sent them, to help find the information requested.
It might also be useful for the employer to ask if the member of staff is seeking information that does not relate to his employment. For example, he may be seeking information that relates to a complaint he made as a customer of the supermarket.
As with a request that is sent without the required fee, you should not ignore a request simply because you need more information from the person who made it. You should not delay in asking for this, but should ensure the individual knows you need more information and should tell them what details you need. Provided you have done so, the 40-day period for responding to the request does not begin to run until you have received the appropriate fee and any additional information that is necessary.
What about subject access requests made on behalf of others?
The Act does not prevent an individual making a subject access request via a third party. Often, this will be a solicitor acting on behalf of a client, but it could simply be that an individual feels comfortable allowing someone else to act for them. In these cases, you need to be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney.
A building society has an elderly customer who visits a particular branch to make weekly withdrawals from one of her accounts. Over the past few years, she has always been accompanied by her daughter who is also a customer of the branch. The daughter makes a subject access request on behalf of her mother and explains that her mother does not feel up to making the request herself as she does not understand the ins and outs of data protection. As the information held by the building society is mostly financial, it is rightly cautious about giving customer information to a third party. If the daughter had a general power of attorney, the society would be happy to comply. They ask the daughter whether she has such a power, but she does not.
Bearing in mind that the branch staff know the daughter and have some knowledge of the relationship she has with her mother, they might consider complying with the request by making a voluntary disclosure. However, the building society is not obliged to do so, and it would not be unreasonable to require more formal authority.
If you think an individual may not understand what information would be disclosed to a third party who has made a subject access request on their behalf, you may send the response directly to the individual rather than to the third party. The individual may then choose to share the information with the third party after having had a chance to review it.
There are cases where an individual does not have the mental capacity to manage their own affairs. Although there are no specific provisions in the Data Protection Act, the Mental Capacity Act 2005 or the Adults with Incapacity (Scotland) Act 2000 enabling a third party to exercise subject access rights on behalf of such an individual, it is reasonable to assume that an attorney with authority to manage the property and affairs of an individual will have the appropriate authority. The same applies to a person appointed to make decisions about such matters:
- in England and Wales, by the Court of Protection;
- in Scotland, by the Sheriff Court; and
- in Northern Ireland, by the High Court (Office of Care and Protection).
What about requests for information about children?
Even if a child is too young to understand the implications of subject access rights, data about them is still their personal data and does not belong, for example, to a parent or guardian. So it is the child who has a right of access to the information held about them, even though in the case of young children these rights are likely to be exercised by those with parental responsibility for them.
Before responding to a subject access request for information held about a child, you should consider whether the child is mature enough to understand their rights. If you are confident that the child can understand their rights, then you should respond to the child rather than a parent. What matters is that the child is able to understand (in broad terms) what it means to make a subject access request and how to interpret the information they receive as a result of doing so. When considering borderline cases, you should take into account, among other things:
- the child’s level of maturity and their ability to make decisions like this;
- the nature of the personal data;
- any court orders relating to parental access or responsibility that may apply;
- any duty of confidence owed to the child or young person;
- any consequences of allowing those with parental responsibility access to the child’s or young person’s information. This is particularly important if there have been allegations of abuse or ill treatment;
- any detriment to the child or young person if individuals with parental responsibility cannot access this information; and
- any views the child or young person has on whether their parents should have access to information about them.
In Scotland, the law presumes that a child aged 12 years or more has the capacity to make a subject access request. The presumption does not apply in England and Wales or in Northern Ireland, but it does indicate an approach that will be reasonable in many cases. It does not follow that, just because a child has capacity to make a subject access request, they also have capacity to consent to sharing their personal data with others – as they may still not fully understand the implications of doing so.
What should I do if the data includes information about other people?
Responding to a subject access request may involve providing information that relates both to the individual making the request and to another individual. The Act says you do not have to comply with the request if to do so would mean disclosing information about another individual who can be identified from that information, except where:
- the other individual has consented to the disclosure; or
- it is reasonable in all the circumstances to comply with the request without that individual’s consent.
So, although you may sometimes be able to disclose information relating to a third party, you need to decide whether it is appropriate to do so in each case. This decision will involve balancing the data subject’s right of access against the other individual’s rights in respect of their own personal data. If the other person consents to you disclosing the information about them, then it would be unreasonable not to do so. However, if there is no such consent, you must decide whether to disclose the information anyway.
For the avoidance of doubt, you cannot refuse to provide subject access to personal data about an individual simply because you obtained that data from a third party. The rules about third party data apply only to personal data which includes both information about the individual who is the subject of the request and information about someone else.
Please refer to the Subject access code of practice (pdf) for more information.
If I use a data processor, does this mean they would have to deal with any subject access requests I receive?
Responsibility for complying with a subject access request lies with you as the data controller. The Act does not allow any extension to the 40-day time limit in cases where you have to rely on a data processor to provide the information that you need to respond.
An employer is reviewing staffing and pay, which involves collecting information from and about a representative sample of staff. A third-party data processor is analysing the information.
The employer receives a subject access request from a member of staff. To respond, the employer needs information held by the data processor. The employer is the data controller for this information and should instruct the data processor to retrieve any personal data that relates to the member of staff.
If you use a data processor, then you need to make sure that you have contractual arrangements in place to guarantee that subject access requests are dealt with properly, irrespective of whether they are sent to you or to the data processor.
Read an explanation of the role of a data processor in Who has rights and obligations under the Data Protection Act?
What if sending out copies of information will be expensive or time consuming?
In some cases, dealing with a subject access request will be an onerous task. This might be because of the nature of the request, because of the amount of personal data involved, or because of the way in which certain information is held.
Under section 8(2) of the Act you are not obliged to supply a copy of the information in permanent form if it would involve disproportionate effort to do so. You must decide whether supplying a copy of the information would involve disproportionate effort. Even if you do not have to supply a copy of the information in permanent form, the individual still has the other basic rights described above.
The Act does not define “disproportionate effort” but it is clear that there is some (albeit limited) scope for assessing whether complying with a request would result in so much work or expense as to outweigh the individual’s right of access to their personal data. However, it should be noted that this qualification to the right of subject access only applies in respect of “supplying” a copy of the relevant information in permanent form. So you cannot refuse to deal with a subject access request just because you think that locating the information in the first place would involve disproportionate effort.
Please refer to the Subject access code of practice (pdf) for more details on this provision.
We stress that you should rely on this provision only in the most exceptional of cases. The right of subject access is central to data protection law and we rarely hear of instances where an organisation could legitimately use disproportionate effort as a reason for not allowing an individual to access their personal data. Even if you can show that supplying a copy of information in permanent form would involve disproportionate effort, you should still try to comply with the request in some other way.
An organisation has decided that to supply copies of an individual’s records in permanent form would involve disproportionate effort. Rather than refuse the individual access, they speak to her and agree that it would be preferable if she visited their premises and viewed the original documents. They also agree that if there are documents that she would like to take away with her, they can arrange to provide copies.
What about repeated or unreasonable requests?
The Data Protection Act does not limit the number of subject access requests an individual can make to any organisation. However, it does allow some discretion when dealing with requests that are made at unreasonable intervals. The Act says that you are not obliged to comply with an identical or similar request to one you have already dealt with, unless a reasonable interval has elapsed between the first request and any subsequent ones.
The Act gives you some help in deciding whether requests are made at reasonable intervals. It says that you should consider the following:
- the nature of the data – this could include considering whether it is particularly sensitive;
- the purposes of the processing – this could include whether the processing is likely to cause detriment to the individual; and
- how often the data is altered – if information is unlikely to have changed between requests, you may decide that you are not obliged to respond to the same request twice.
If there has been a previous request or requests, and the information has been added to or amended since then, you might consider whether you need only provide the new or updated information to the requester. However, section 8(6) of the Act states that “information to be supplied pursuant to a request … must be supplied by reference to the data in question at the time when the request is received …”. This means that, when answering a SAR, you are required by the Act to provide a full response to the request, not merely the information that is new or has been amended since the last request.
In practice we would accept that you may attempt to negotiate with the requester to get them to restrict the scope of their SAR to the new or updated information; however, if the requester insists upon a full response then you would need to supply all the information.
A library receives a subject access request from an individual who made a similar request one month earlier. The information relates to when the individual joined the library and the items borrowed. None of the information has changed since the previous request. With this in mind, along with the fact that the individual is unlikely to suffer if no personal data is sent in response to the request, the library need not comply with this request. However, it would be good practice to respond explaining why they have not provided the information again.
A therapist who offers non-medical counselling receives a subject access request from a client. She had responded to a similar request from the same client three weeks earlier. When considering whether the requests have been made at unreasonable intervals, the therapist should take into account the fact that the client has attended five sessions between requests, so there is a lot of new information in the file. She should respond to this request (and she could ask the client to agree that she only needs to send any “new” information). If the client does not agree, the therapist should provide a copy of all the information on the file.
But it would also be good practice to discuss with the client a different way of allowing the client access to the notes about the sessions.