Nearly half of all complaints received by the Information Commissioner’s Office (ICO) relate to Subject Access Requests. There are so many elements in the response to a request that it is easy to get it wrong. When you need advice and support, we are here to help. You can book a free 20 minute call to get you started.

What is a subject access request?

Very simply, an individual has the right to see the information being held about them by an organisation, and this is called a Subject Access Request. When the person makes a request, the organisation should provide access to, or a copy of, all the information that relates to the individual making the request. Occasionally the individual only wants access to specific information or information for a specific time period.

How long do I have to respond?

You have a calendar month to respond to the request, although in certain circumstances this can be extended to increase the response time to 3 months. So if you receive a subject access request on the 15th May you have until the 15th June to respond.

What do I need to provide?

A subject access request entitles the individual to access to their information in an easily readable format. You also need to provide some additional information required by data protection legislation.

Sounds easy, doesn’t it? Experience tells us that organisations can make a complete mess of providing a response. The mistakes range from not understanding how to verify someone’s identity to providing too much or too little information, and everything in between.

Subject access requests can be complex, but you want to get it right from the start.

An individual can make a subject access request by email, letter or verbally. It does not have to be confirmed in writing! Are your systems robust enough to identify verbal requests? Remember, a person making the request will probably not ask for a subject access request. They could just say that they want to see all the information held about them, or even a small segment of the information held about them. One of my clients gets regular requests for a copy of a form that the customer completes as part of the sales process. That’s a limited request.

In order to support organisations to respond correctly we have a range of services. This covers an initial advice call to talk through how you will respond, all the way through to the complete service where we collate, redact and respond to the request. You can book an initial call here. 

We also have a flowchart which shows the process for responding to a subject access request, if you would like a copy please email us.