By Charlotte Higgins, Bell & Buxton

Our columnist on the importance of approaching a Subject Access Request with care 

Individuals have the right to access their personal data.  This is commonly known as a subject access request.

Individuals have the right to obtain a copy of their personal data as well as other supplementary information.

The COVID-19 pandemic may lead to an increase in employees or ex-employees exercising their right of access.

Let’s start at the beginning: how do you recognise a subject access request?

A request can be made verbally or in writing.

A request does not have to be labelled “subject access request” and can be sent to anyone within the organisation.  It can also be sent via social media.

It is good practice to have a policy in place and appropriate training so that your employees can recognise when a request has been made.

How long do you have to respond?

You have one month to respond to a request, starting on the day you receive the request, until the corresponding calendar date in the next month.  If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond.

You can extend the timeframe for the response, but only if the request is complex or you have received a number of requests from the same individual.  The extension can be up to a further two months.

What information do you need to provide?

The individual has the right to receive a copy of all personal data you are processing, including other supplementary information as to how you are processing their personal data (which should be included within your privacy notice).

How to determine personal data?

Personal data is information that relates to an identified or identifiable individual.  What identifies an individual could be as simple as a name or a number.  The GDPR provides a non-exhaustive list of identifiers, including:

  • name;
  • identification number;
  • location data; and
  • an online identifier.

How to provide the personal data to the individual

In the event that the request was made electronically, the response should be made electronically.  The GDPR sets out that it is good practice to set up a remote access secure system in order for that individual to gain access to their data.

Can you charge the employee a fee?

Generally you cannot charge a fee for dealing with a request, unless you are able to show that the request is manifestly unfounded or excessive, or an individual requests further copies of their data having already made a request.

Subject access requests can be time consuming and expensive to a business.  If you need advice relating to how to deal with subject access requests, please contact Charlotte Higgins on 0114 249 5969.