At a glance
- Individuals have the right to be aware of and verify the lawfulness of the processing you are carrying out.
- There is no requirement for a request to be in writing. Therefore, it is good practice to have a policy for recording details of all the requests you receive, including verbal requests.
- You must provide a copy of the information free of charge.
- You must provide the information requested without delay and at the latest within one month of receipt.
- What is the purpose of the right of access under Part 3 of the Act?
- What do we need to do to comply with a request?
- What information is an individual entitled to?
- What information do we need to provide in response to a request?
- Can we charge a fee for dealing with a subject access request?
- How long do we have to comply with a subject access request?
- What if the data involves third party personal data?
- When can we restrict the amount of information we provide?
Individuals have the right to access their personal data and supplementary information, subject to certain restrictions.
This right allows individuals to be aware of and verify the lawfulness of the processing you are carrying out.
There is no requirement for a request to be in writing. Therefore, it is good practice to have a policy for recording details of all the requests you receive. We also recommend that you keep a log of verbal requests as these will also be considered as a valid request.
You may wish to check with the requester that you have understood their request as this can help avoid later disputes.
If you have reasonable doubts about the identity of an individual, you can request more information to confirm it. This is particularly important when you are handling sensitive data. You can delay dealing with the request until you receive further information to establish their identity.
Your request for information to verify a requester’s identity should be reasonable and proportionate, taking into consideration the nature of the personal data you hold and your relationship with the individual.
When your processing is for the law enforcement purposes, individuals have the right to obtain confirmation that you are processing their data, and if so:
- access to their personal data; and
- other supplementary information – this largely aligns with the information that should be provided in a privacy notice but includes the categories of personal data concerned, information about its origin, and the right to raise a complaint with the Information Commissioner.
Unlike the UK GDPR, where you can contact the individual to clarify the request if it involves a large amount of personal data, there is no similar provision under Part 3 of the Act. In practice, you may need to contact the requester to clarify the request but this will fall within the timescale for responding to the request.
An individual is entitled to the following information:
- your purposes for processing and the legal basis you are relying on;
- categories of personal data you’re processing;
- recipients or categories of recipients you are disclosing the personal data to (including recipients or categories of recipients in third countries or international organisations);
- your retention period, or your criteria for determining this;
- their rights to request rectification, erasure or restriction;
- their ability to raise a complaint with the Information Commissioner and the ICO’s contact details; and
- the personal data you are processing (in writing) and any available information you have about the origin of the data.
Remember, the information you supply about the processing of personal data must be:
- concise, intelligible and easily accessible; and
- written in clear and plain language, adapting this to the needs of vulnerable persons, such as children.
Where possible, you should provide the information in the same form in which the request was made. For instance, you should respond to a request by email through the same means unless the volume of information makes this prohibitive.
You must provide a copy of the information free of charge.
Where requests are manifestly unfounded or excessive, in particular because they are repetitive, you can:
- charge a reasonable fee taking into account the administrative costs of providing the information (the month starts after you’ve received the fee); or
- refuse to respond.
It will be for you, the data controller, to determine what is manifestly unfounded or excessive. However, you will have to demonstrate to the Information Commissioner why you have decided that a request is manifestly unfounded or excessive if asked, and maintain a record of this decision making.
You must provide the information requested without delay and at the latest within one calendar month, from the first day after the request was received.
If you receive a request on 30 June the time limit will start on 1 July and the deadline will be 1 August.
If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, you will have until the next working day to respond.
For practical purposes if a consistent number of days is required (eg for a computer system), you should adopt a 28-day period to ensure compliance is always within a calendar month.
If you require further information to establish the identity of a requester, the month will start when you have received this.
Unlike the UK GDPR, you are not able to extend the period of compliance by a further two months if requests are complex or numerous.
You can restrict the amount of personal data you supply when it is necessary and proportionate to “protect the rights and freedoms of others.” If information contains the personal data of an individual and that of third parties, you have to consider whether it is reasonable to disclose this information and whether this would adversely affect the rights and freedoms of others. You may need to consider redacting it, and record any reasons for withholding such information from disclosure.
You may limit the following information (in full or in part):
- confirmation that you are processing data; and
- access to personal data.
if it is necessary and proportionate in order to:
- avoid obstructing an official or legal inquiry, investigation or procedure;
- avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
- protect public security;
- protect national security; or
- protect the rights and freedoms of others.
You need to justify any restriction you apply as necessary and proportionate. It is important to balance the rights of the individual against the harm disclosure would cause. You may only limit the amount of information you provide if it would prejudice the purposes stated above.
You must also inform individuals when this limitation is in place, explaining the existence and the reasons, unless providing this information itself undermines the purpose of imposing the restriction. You also need to inform them about the process for raising a complaint with the Information Commissioner or taking matters to court.
You should keep a record of your decisions and provide this reasoning to the Information Commissioner, if required.
An individual you are investigating for tax fraud makes a request for all their personal data that you hold. You can only restrict the amount of personal data you provide in so far as disclosing it will prejudice an active investigation. P45 forms, or records on the individual’s income which were self-reported for instance, are information they are aware of and therefore withholding it is likely to be unjustified. However you can clearly restrict access to investigative files and evidence which you have gathered.
In this case, you do not have to notify the individual that you have restricted their right of access, as this is likely to alert them to your investigation.
Providing a written copy of personal data you processed is only complying with part of the right. You also have to provide other information required such as the legal basis for processing and retention period, unless by providing this information will again prejudice an investigation.
There should not be a blanket application of any exemption. Instead, you have to assess individual items of personal data you hold to decide whether disclosure will prejudice an ongoing investigation.