Right of access
This guidance has been updated to reflect changes to the right of access brought about by the Data (Use and Access) Act. Some of these changes are not yet in force. However, we think it is useful for it to be published now so that you are ready for these changes. In particular, they set out that you only have to carry out a reasonable and proportionate search in response to a SAR; and that you can ‘stop the clock’ when asking for clarification on a request.
About this detailed guidance
This guidance discusses the right of access in detail. Read it if you have detailed questions not answered in the Guide, or if you need a deeper understanding to help you apply the right of access in practice. It is aimed at data protection officers (DPOs) and those with specific data protection responsibilities in larger organisations. This guidance does not specifically cover the right of access under parts 3 and 4 of the Data Protection Act 2018 (DPA). However, some of the guidance contains practical examples and advice which will still be relevant. Please also refer to our separate guidance on the right of access – part 3 of the DPA 2018 and on intelligence services processing – the right of access.
If you haven’t yet read the ‘in brief’ page on the right of access in the Guide to Data Protection, you should read that first. It introduces this topic and sets out the key points you need to know, along with practical checklists to help you comply.
To help you to understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.
Legislative or legal requirements
Must refers to:
- legislative requirements within the ICO’s remit; or
- established case law (for the laws that we regulate) that is binding.
Good practice
- Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. We expect you to do this unless there is a good reason not to. If you choose to take a different approach, you need to be able to demonstrate that this approach also complies with the law.
- Could refers to an option or example that you may consider to help you to comply effectively. There are likely to be various other ways for you to comply.
This approach only applies where indicated in our guidance. We will update other guidance in due course.
Contents
- What is the right of access?
- How can we prepare for a subject access request (SAR)?
- How do we recognise a subject access request (SAR)?
- What should we consider when responding to a request?
- How do we find and retrieve the relevant information?
- How can we supply information to the requester?
- Exemptions: when can we refuse a SAR?
- Exemptions: when can we consider a request to be manifestly unfounded or excessive?
- Exemptions: can we refuse a SAR if it involves information about other people?
- Are there any special cases?
- Health information
- Education information
- Social work information
- Can the right of access be enforced?
- Can we force a person to make a SAR?