What a subject access request is and how to make one
Under the UK's data protection legislation, you have the right to find out if an organisation is using or storing your personal data. To exercise this right, all you must do is ask for a copy of this data. This is called making a subject access request (SAR).
You can also ask if your data is being shared with anyone else (and if so, why and how), how long the company plans to store your data, the reasons for this decision, and information on where your data came from.
What is a subject access request (SAR)?
A subject access request is either a written or verbal request, asking for copies of any personal data that an organisation holds about you. This request is filed under the Data Protection Act 2018.
Subject access requests will provide you with the opportunity to understand exactly how an organisation is using your data and, importantly, if they are doing so legally.
What is included in a subject access request?
Exactly what will be included in a subject access request will depend on the circumstances and what you request to see. Typically, a request will include the following:
- Confirmation of whether an organisation is processing your personal data
- A copy of the personal data the organisation holds
- Supplementary information
- The purpose for holding certain data
- Third parties your data is being shared with
- How long the data has been held for/how long it will continue to be held for
- How you request for data to be deleted
- How an organisation obtained data that was not directly provided by you
Do you have to pay to make a subject access request?
A copy of your personal data should be provided free, although if you ask for extra copies, or if you ask for information that is ‘manifestly unfounded or excessive’, the organisation might charge a reasonable fee for administrative costs.
When can you make a subject access request?
You can make a subject access request at any time. For example, you can make a SAR if you want to find out if information is being held about you and how it is being used. In addition, at Hayes Connor Solicitors, many of our clients make SARs to start the compensation claim process following a data breach.
How do you make a subject access request?
If you decide that you want to make a SAR, here are the steps you should take:
- Identify where to send your request. Under the GDPR this information should be available on an organisation’s website (check the privacy policy usually found in the footer)
- Decide what data you want access to. Do you want everything a company holds about you, or just a particular piece of information? It could take longer for an organisation to supply everything they have about you, so if you only need certain data and you want this quickly, it makes sense to be specific. For example, you could just ask for a copy of any emails between you and the company between particular dates
- Make your request directly to the organisation, stating clearly what you want. You can make a SAR in writing, in person or over the phone. At Hayes Connor Solicitors we always recommend that our clients put their requests in writing as this provides a clear evidence trail if we need it later
- When making a SAR, you should also include your name and contact details as well as any account or reference numbers
- You should also specify what format you want the data in. Most companies will do this electronically, but if you need it in another format, you can ask if this is possible
- Keep a copy of your request as well as any proof of postage or delivery.
How long does an organisation have to respond to a subject access request?
Data protection law requires organisations to respond to a request for data within one calendar month. However, they might need extra time to consider your request and, if so, can take an additional two months to do this. The organisation must let you know within one month if it needs more time and why. If the requested information is not provided in the timeframe, you can raise a complaint with the Information Commissioner’s Office.
Can an organisation refuse a subject access request?
While you can make more than one SAR, the organisation can refuse a request if they believe it to be ‘manifestly unfounded or excessive’.
Depending on the circumstances, they may also refuse a SAR if your data includes information about another individual. Again, if you think your request has been rejected unjustly, you can raise a complaint with the organisation in question, and if you remain dissatisfied, the Information Commissioner’s Office.
What can you do if your request is refused or ignored?
If an organisation has not responded to you following a request, or they have refused to disclose the data they have relating to you, you may be entitled to claim subject access request compensation.
Subject access request compensation can help to cover the costs of any financial losses or emotional stress caused by the mishandling oof your personal information.
Speak to our team about subject access request compensation
At Hayes Connor Solicitors we are committed to upholding the data protection rights of our clients.
With over 50 years' experience helping our clients secure the justice they deserve; our SAR solicitors work tirelessly to ensure the best possible outcome for you. Both in terms of damages achieved and service delivered.
You can find out more about our expertise and how we handle claims here. To have your claim assessed for free, you can use our secure online claim form. Or to speak to our SAR solicitors, please do not hesitate to give us a call on 0330 041 5131.