In more detail
- What is a subject access request (SAR)?
- Are there any formal requirements?
- Should we provide a standard form for individuals to make a request?
- Can a request be made via social media?
- Can a request be made on behalf of someone?
- Do we have to respond to requests made via a third party online portal?
- What about requests for information about children or young people?
- What should we do if a request mentions Freedom of Information?
- Can we deal with a request in our normal course of business?
A SAR is a request made by or on behalf of an individual for the information which they are entitled to ask for under Article 15 of the UK GDPR.
No. The UK GDPR does not set out formal requirements for a valid request. Therefore, an individual can make a SAR verbally or in writing, including by social media. They can make it to any part of your organisation and they do not have to direct it to a specific person or contact point.
A request does not have to include the phrases 'subject access request', ‘right of access’ or ‘Article 15 of the UK GDPR’. It just needs to be clear that the individual is asking for their own personal data. Indeed, a request may be a valid SAR even if it refers to other legislation, such as the Freedom of Information Act 2000 (FOIA) or the Freedom of Information (Scotland) Act 2002 (FOISA).
This presents a challenge as any of your employees could receive a valid request and you have a legal responsibility to identify and handle any request from an individual correctly. Therefore, you may need to consider which of your staff need specific training to identify a request. In particular, staff members who regularly interact with the public should be able to identify a SAR and know the next steps.
Additionally, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. If you receive a request verbally, you are still likely to need to contact the individual in writing in order to confirm their identity. You may also wish to check with the requester that you have understood their request, as this can help avoid later disputes. For more information please see ‘Can we ask for ID?’.
You should also note that individuals do not have to tell you their reason for making the request or what they intend to do with the information. However, it may help you to find the relevant information if they do explain the purpose of the request.
Standard forms can make it easier for you to recognise a SAR and for individuals to include all the details you might need to locate their information.
Recital 59 of the UK GDPR recommends that organisations “provide means for requests to be made electronically, especially where personal data is processed by electronic means”. You should therefore consider designing a subject access form that individuals can complete and submit to you electronically.
However, you should note that a SAR is equally valid whether an individual submits it to you by letter, email or verbally. You must therefore make it clear that it is not compulsory to use the form and simply invite individuals to do so.
Yes. Individuals may make a SAR using any social media site where your organisation has a presence. Although this might not be the most effective way to deliver the request, there is nothing to prevent an individual doing so.
You should therefore recognise the potential for individuals to make SARs via your social media channels and ensure that you take reasonable and proportionate steps to respond effectively to these requests.
In most circumstances, it will not be appropriate to use social media to supply information in response to a SAR for information security reasons. Instead you should ask for an alternative delivery address for the response. For further details, please see ‘How do we provide the information securely?’.
Yes. An individual may prefer a third party (eg a relative, friend or solicitor) to make a SAR on their behalf. The UK GDPR does not prevent this, however you need to be satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide you with evidence of this. For example by providing a written authority, signed by the individual, stating that they give the third party permission to make a SAR on their behalf.
A building society has an elderly customer who visits a particular branch to make weekly account withdrawals. Over the past few years her daughter, who is also a customer of the branch, has always accompanied her. The daughter makes a SAR on behalf of her mother and explains that her mother does not feel comfortable making the request herself, as she does not understand data protection. The building society is rightly cautious about giving customer information to a third party, as the information they hold is mostly financial. If the daughter can provide written authority from her mother giving her permission to make a SAR on her behalf, the building society would be happy to comply.
Whilst the branch staff know the daughter and have some knowledge of her relationship with her mother, it is still necessary to require more formal authority.
You can accept electronically signed letters of authority as valid evidence, provided that you are satisfied that the third party is authorised to act on the individual’s behalf. If the third party provides additional details with their request (eg the individual’s address and account number), this may help to satisfy the validity of the request.
There are also other mechanisms that may allow a third party to make a SAR on behalf of an individual, such as powers of attorney. You need to check the type and circumstances of the particular power of attorney to determine whether the third party is authorised to make a SAR. However, it is reasonable to assume that an attorney with authority to manage the property and affairs of an individual has the appropriate authority to make a SAR on their behalf.
If there is no evidence that a third party is authorised to act on behalf of an individual, you are not required to comply with the SAR. However, you should still respond to them explaining this.
In most cases, provided you are satisfied that the third party has the appropriate authority, you should respond directly to that third party. However, if you think an individual may not understand the nature of the information you are disclosing, and in particular you are concerned about disclosing excessive information, you should contact the individual first to make them aware of your concerns. If the individual agrees, you may send the response directly to them rather than to the third party. The individual may then choose to share the information with the third party after reviewing it. If you cannot contact the individual, you should provide the requested information to the third party (as long as you are satisfied that they are authorised to act on the individual’s behalf). If you are processing health data, please see ‘What about requests for health data from a third party?’.
There are cases where an individual does not have the mental capacity to manage their own affairs. There are no specific provisions which enable a third party to exercise subject access rights on behalf of such an individual in the UK GDPR, the Mental Capacity Act 2005, the Mental Capacity Act (Northern Ireland) 2016 (please note that not all provisions in the Act have been commenced at this time) or in the Adults with Incapacity (Scotland) Act 2000. However, as mentioned above, it is reasonable to assume that an attorney with authority to manage the property and affairs of an individual has the appropriate authority to make a SAR on their behalf. The same applies to a person appointed to make decisions about such matters in:
- England and Wales, by the Court of Protection;
- Scotland, by the Sheriff Court; and
- Northern Ireland, by the High Court (Office of Care and Protection).
You may receive a SAR made on behalf of an individual through an online portal, for example a third party that provides services to assist individuals in exercising their rights.
To determine whether you must comply with such a request, you need to consider if you:
- have been made aware that a particular individual is making a SAR;
- are able to verify the identity of the individual, if this is in doubt (see ‘Can we ask for ID?’);
- are satisfied the third party portal is acting with the authority of, and on behalf of, the individual; and
- are able to view the SAR without having to take proactive steps, such as paying a fee or signing up to a service.
You are not obliged to take proactive steps to discover that a SAR has been made. Therefore, if you cannot view a SAR without paying a fee or signing up to a service, you have not ‘received’ the SAR and are not obliged to respond.
You should note that it is the portal’s responsibility to provide evidence that it has appropriate authority to act on the individual’s behalf. Mere reference to the terms and conditions of its service are unlikely to be sufficient for this purpose (see ‘Can a request be made on behalf of someone?’ above). The portal should provide this evidence when it makes the request (ie in the same way as other third parties).
When responding to a SAR, you are also not obliged to pay a fee or sign up to any third party service. If you are in this position you should instead provide the information directly to the individual.
If you have concerns that the individual has not authorised the information to be uploaded to the portal, you should contact the individual before you respond.
In some cases you may be unable to contact the individual directly, for example if you do not have their address details or are otherwise not satisfied with the ID information provided. If this is the case, you should contact the third party portal to advise them that you will not respond to the request until they have met each of the above requirements, and provided evidence that the individual has agreed to the information being uploaded to the portal. Until then, you have not received a valid SAR and the time limit does not start until you receive it.
If you have concerns about supplying the information via the portal for any reason, including security concerns, you should contact the individual first to make them aware. If the individual agrees, you should send the response directly to them rather than to the portal.
The right to access information you hold about a child is the child’s right rather than anyone’s else’s, even if:
- they are too young to understand the implications of the right of access;
- the right is exercised by those who have parental responsibility for the child; or
- they have authorised another person to exercise the right on their behalf.
Before responding to a SAR for information held about a child, you should consider whether the child is mature enough to understand their rights. If the request is from a child and you are confident that the child can understand their rights, you should usually respond directly to the child. You may allow the parent or guardian to exercise the child’s rights on their behalf if the child authorises this, or if it is evident that this is in the best interests of the child.
If a child is competent, they may authorise someone else – other than a parent or guardian – to make a SAR on their behalf (please see the earlier section, ‘Can a request be made on behalf of someone?’). This could be an adult or a representative such as a child advocacy service, charity or solicitor. However, you should not consider a child to be competent if it is evident that they are acting against their own best interests. For example, if a child authorises a third party to make a SAR on their behalf, but you have reasonable concerns that the third party is pressurising the child to make the SAR.
If you are satisfied that the child is not competent and the request is from a person with parental responsibility for the child, then it is usually appropriate to let the holder of parental responsibility exercise the child’s rights on their behalf.
If the child makes a SAR, or authorises another person to make a SAR on their behalf, what matters is that the child is able to understand (in broad terms) what it means to make a SAR and how to interpret the information they receive. When considering borderline cases, you should take into account, among other things:
- the child’s level of maturity and their ability to understand what they are asking for and what they will receive or to understand the consequences of authorising someone to act on their behalf; and
- the nature of the personal data.
If a parent or guardian, or someone authorised by the child, makes a SAR on the child’s behalf, you should also take into account:
- any court orders relating to parental access or responsibility that may apply;
- any duty of confidence owed to the child or young person;
- any consequences of allowing those with parental responsibility or those authorised to act on their behalf access to the child or young person’s information (this is particularly important if there have been allegations of abuse or ill treatment);
- any detriment to the child or young person if individuals with parental responsibility, or their authorised representatives, cannot access this information; and
- any views the child or young person has on whether their parents, guardians or authorised representatives should have access to information about them.
In Scotland, a person aged 12 years or over is presumed to be of sufficient age and maturity to be able to exercise their right of access, unless the contrary is shown. This does not apply in England, Wales or Northern Ireland but would be a reasonable starting point.
If you have regular contact with the child (which is likely to be the case for education or childcare settings), you should be in a position to assess the child’s competence.
If you do not have regular contact with the child (this is likely to be the case with banks and building societies), you should take a common sense approach. For example, if the child is aged 12 or over, you correspond directly with them and they are likely to be aware of the nature of information you process about them. It is reasonable to conclude that the child is competent to make a SAR.
However, if you process sensitive information about a child or if you hold information they may not be aware of, you should make stronger efforts to check competence.
It is not uncommon for a request to mistakenly state that it is a freedom of information (FOI) request. If, in fact, it relates to the requester’s personal data, you must treat it as a SAR.
A local authority receives a letter from a council tax payer requesting a copy of any information the authority holds about a dispute over his eligibility for a discount. The letter states it is a ‘freedom of information request’. It is clear that the request concerns the individual’s own personal data and the local authority should treat it as a subject access request.
You may be more likely to receive a SAR in the form of an FOI request if your organisation is a public authority for the purposes of FOIA, FOISA, the Environmental Information Regulations 2004 (EIR) or the Environmental Information (Scotland) Regulations 2004 (EIRs). However, whether or not your organisation is a public authority, you must deal with the request appropriately. This depends on whether it relates only to the requester’s personal data or to other information as well.
If it is clear that the requester is just asking for their own personal data, but they have cited FOIA/FOISA, you should follow certain actions:
- Deal with the request as a SAR in the normal way. The requester does not need to make a new request. You may need to ask the individual to verify their identity.
- If your organisation is a public authority, the requested personal data is, in fact, exempt from disclosure under FOIA/FOISA or the EIR/EIRs. Strictly speaking, you should issue a formal refusal notice saying so. In practice, we do not expect you to do this if you are dealing with the request as a SAR. However, if you are a public authority in Scotland, you need to follow guidance issued by the Scottish Information Commissioner.
- It is good practice for public authorities to clarify within 20 working days (the time limit for responding to FOI requests) that you are dealing with the request as a SAR under the UK GDPR, and that the one month time limit for responding applies.
If you are a public authority and the request relates to both the requester’s personal data and to other information, you should treat this as two requests:
- one for the requester’s personal data, made under the UK GDPR; and
- another for the remaining information, made under FOIA/FOISA, or the EIR/EIRs.
It is important to consider the requested information under the right legislation. This is because a disclosure under FOIA/FOISA or the EIR/EIRs is to the world at large – not just the requester. If you mistakenly disclose personal data under FOIA/FOISA or the EIR/EIRs, this could lead to a personal data breach.
It is important to draw a practical distinction between formal requests for information and routine verbal enquiries and correspondence that you can deal with in the normal course of business. You can respond to an enquiry in the normal course of business if you provide such information routinely, and can respond quickly. However, the SAR process may be appropriate where an individual requests a high volume of information and you need to conduct a time-consuming search of your records in order to comply with the request.
For example, if an individual requests copies of letters which you have sent to them previously, it is unlikely that you need to deal with this as a formal SAR. You should consider these enquiries on a case by case basis. However, you should not use your normal business processes to restrict or delay an individual’s right of access to their information.
If an employee requests a copy of their most recent payslip and their employment contract, you can deal with the enquiry in your normal course of business. The employee is entitled to this information under other laws and it is not necessary to deal with the request as a SAR.
A customer phones about a query they have about their account. You can discuss the matter on the call with the customer, including the personal data you process about them, in accordance with your normal business processes provided that you have verified the individual’s identity.