How can we supply information to the requester?
This guidance has been updated to reflect changes to the right of access brought about by the Data (Use and Access) Act. Some of these changes are not yet in force. However, we think it is useful for it to be published now so that you are ready for these changes. In particular, they set out that you only have to carry out a reasonable and proportionate search in response to a SAR; and that you can ‘stop the clock’ when asking for clarification on a request.
In more detail
- What information do we need to provide?
- How do we decide what information to supply?
- In what format do we need to provide the information?
- What is a commonly used electronic format?
- Can we provide remote access?
- Can we provide the information verbally?
- How do we provide the information securely?
- What if we have also received a data portability request?
- Do we need to explain the information we supply?
What information do we need to provide?
The focus of a SAR is usually a copy of the requester’s personal information. However, the right of access also entitles the person to other supplementary information (eg the purposes of processing). For a full list of the supplementary information that you must provide, see What other information is a person entitled to?
This supplementary information might be contained in the copy of the personal information you supply. If it is not, you must provide this supplementary information in addition to a copy of the personal information itself.
How do we decide what information to supply?
Documents (including draft documents) or files may contain a mixture of information that includes:
- the requester’s personal information;
- personal information about other people; and
- information that is not personal.
In these circumstances, you could separately consider each document within a file, and even the content of individual documents, to assess the information they contain.
It may be reasonable (and more helpful) to give a requester a mixture of all the personal information and ordinary information relevant to their request, rather than to look at every document in a file to decide whether or not it’s their personal information. This is an appropriate approach where:
- none of the information is particularly sensitive or contentious; and
- none of the information refers to third parties.
When you respond to a SAR, you should provide enough contextual information to ensure that the response is concise, intelligible and easy for the person to understand.
Example
A person makes a SAR to their local authority, asking for specific personal information. The local authority provides an extract from a document that references the person’s name and initials. However, it is not clear from the extract what the document is, or why the person’s information is being used.
To comply with its SAR obligations, the local authority must provide additional contextual information to ensure that the SAR response is transparent and intelligible. For example, it could provide a copy of the document in full, redacting any information that is covered by an exemption, or provide further explanatory information in its cover letter.
In general, it may often be better to leave information in (unless it’s covered by an exemption), particularly if it helps the person understand how you are using their information.
In what format do we need to provide the information?
Once you locate and retrieve the relevant personal information for the request, you must provide the requester with a copy.
How you do this, and the format you use, depend upon how the requester submits their request (ie electronically or otherwise).
If the SAR is submitted electronically (eg by email or via social media), you must provide a copy in a commonly used electronic format. You can choose the format, unless the requester makes a reasonable request for you to provide it in another commonly used format (electronic or otherwise).
If the SAR is submitted by other means (eg by letter or verbally), you can provide a copy in any commonly used format (electronic or otherwise), unless the requester makes a reasonable request for you to provide it in another commonly used format.
Where the information is sensitive, you should ensure that you transfer it to the requester using an appropriately secure method. See How do we provide the information securely? for further details.
Whatever form you use to provide the information, you must ensure that it’s clear and accessible to the person. It will not be sufficient to only allow them to view documents containing their personal information or listen to audio recordings — unless they are happy to do so.
You are responsible for providing the information to the person (or their appointed representative). This means that they do not have to take action to receive the information (eg by collecting it from your premises), unless they agree to do so.
You could supply a transcript or copy of a document if it exists. However, you do not have to create new information to respond to a SAR. Although the easiest way to provide the relevant information is often to supply copies of original documents, you are not obliged to do so.
What is a commonly used electronic format?
The UK GDPR does not define a ‘commonly used electronic format’. When deciding what format to use, you should consider both the circumstances of the request and whether the person can access information in that format.
People do not have to take any specific action to access the information you provide in response to a SAR. This means that they do not have to download software, particularly because:
- it may involve people having to buy that software;
- depending on the source, it may pose a security risk to those people; and
- it does not provide them with ‘direct access’ to their personal information.
Example
A person makes a SAR for their personal information. The organisation gives a copy of this information using what it considers to be a commonly used electronic format.
When the person receives the response, some of the files are in a proprietary format, and they don’t have the software needed to access these files. The organisation considers that it has provided the information in a commonly used format because of the availability of that software package.
However, the UK GDPR does not require people to purchase specific software packages to access a copy of their information. Therefore, the organisation has not fulfilled its obligation to provide a copy, as the person cannot access it.
You could ask the person for their preferred format before fulfilling their request.
You are providing the person with direct access to their information if:
- you send the person their information in an encrypted format; and
- you separately send them a secure code that they can use to access the encrypted information.
You could also use other alternatives, such as allowing the person to access their information remotely and download a copy in an appropriate format. See Can we provide remote access? for more information.
Can we provide remote access?
The UK GDPR encourages controllers to provide people with remote access to their personal information via a secure system.
This is not appropriate for all organisations, but there are some sectors where it may work well. It also helps you meet your obligations and reassure people about the amount and type of personal information you hold about them.
In general, you could satisfy the requirement to comply with a SAR by giving the person remote access to their information on a secure system. However, this will depend on whether they can download a copy of the requested information in a format that is accessible to them.
If a person can download a copy of their personal information in a commonly used electronic format, and they do not object to doing so, then this satisfies the requirement to provide a copy.
You should make it clear that a person has a right to ask for their information to be provided in a different format. If a requester is unable to, or does not want to, use a secure online platform to access their information, you must respond to the SAR using alternative methods. You should consider making reasonable adjustments where necessary.
If a person makes a reasonable request for you to provide their information in an alternative format, you should comply with their request where possible. However, if a person or their representative requests further copies in an alternative format after downloading their information from a portal, you could treat it as a manifestly unfounded or excessive request and refuse it, or charge a fee to respond. See Exemptions: when can we consider a request to be manifestly unfounded or excessive?
Can we provide the information verbally?
Yes. If a person asks you to, you can respond to their SAR verbally, provided you have confirmed their identity by other means. You should keep a record of the:
- date the person made their request;
- date you responded;
- details of who provided the information; and
- information you provided.
This is most likely to be appropriate if they have requested a small amount of information.
You are not obliged to provide information in this way. However, you should take a reasonable approach when considering such requests.
How do we provide the information securely?
As the controller of the information, you must take all reasonable steps to ensure its security. While there are many different ways to send the requested information to the person, there are some basic steps that you can take to help you with this.
On an organisational level, you should try to safeguard against human error. For example, you should:
- ensure that you have proper systems in place to record SARs;
- ensure that you properly train those responsible for responding to a request; and
- have a system or procedure in place to check email or postal addresses before responding to a request.
For more on this, see How can we prepare for a subject access request (SAR)?
The method you use to provide the information to the person may depend on any request they have made about the format they would like to receive their information in (see In what format do we need to provide the information?).
If you have any concerns over the method that the person has requested you use to send their information, you should contact them, explain your concerns and ask for an alternative method of providing the information.
If the person asks you to provide the information in hard copy, sending the information by post is secure in many circumstances. However, depending on the nature and sensitivity of the information, you should consider sending it by special delivery or via a courier service.
You could provide remote access to a secure system as a method of ensuring you provide the information securely. However, you must apply appropriate technical measures so that both the system and any information it holds are secure. You could use the security measures you already apply to your existing systems as a baseline. See Can we provide remote access? for more information.
Another option is that you could provide the information in an encrypted format and send a secure code to access the encrypted information separately.
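The encrypted-copy-plus-separate-code approach described here (and earlier under What is a commonly used electronic format?), shown as an added Go example; this is not code from the ICO or from this guidance. It assumes the access code is a freshly generated random 256-bit value that you send by a different channel from the encrypted file (so a single SHA-256 is enough to turn it into the key; a human-chosen passphrase would instead need a slow key derivation function), that the request reference SAR-REF-PLACEHOLDER is a placeholder for your own reference, and that the bundle contents are constructed sample text.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// NewAccessCode generates the "secure code" that is sent to the requester
// separately from the encrypted bundle (e.g. by SMS or letter while the
// file goes by email). Assumption: 32 random bytes, base64url-encoded.
func NewAccessCode() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// keyFromCode turns the access code into a 32-byte AES-256 key. This is
// only adequate because the code itself is random and high-entropy.
func keyFromCode(code string) []byte {
	sum := sha256.Sum256([]byte(code))
	return sum[:]
}

// SealBundle encrypts the SAR response bundle with AES-256-GCM. The request
// reference is bound in as associated data, so a bundle opened with the
// right code but the wrong reference is rejected. Output: nonce || ciphertext || tag.
func SealBundle(code string, bundle []byte, requestRef string) ([]byte, error) {
	block, err := aes.NewCipher(keyFromCode(code))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, bundle, []byte(requestRef)), nil
}

// OpenBundle is what the requester's side does with the code and the file.
// Any tampering, a wrong code or a wrong reference fails authentication.
func OpenBundle(code string, sealed []byte, requestRef string) ([]byte, error) {
	block, err := aes.NewCipher(keyFromCode(code))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed bundle too short")
	}
	plain, err := gcm.Open(nil, sealed[:n], sealed[n:], []byte(requestRef))
	if err != nil {
		return nil, errors.New("wrong access code, wrong request reference, or bundle altered")
	}
	return plain, nil
}

func main() {
	// Constructed sample bundle; a real response would be the zipped documents.
	bundle := []byte("Constructed SAR response: copy of personal information plus supplementary information.")
	const requestRef = "SAR-REF-PLACEHOLDER" // placeholder for your own reference

	code, err := NewAccessCode()
	if err != nil {
		panic(err)
	}
	sealed, err := SealBundle(code, bundle, requestRef)
	if err != nil {
		panic(err)
	}
	// The sealed bytes go by one channel (e.g. email attachment or portal),
	// the code by another (e.g. SMS or post).
	fmt.Printf("encrypted bundle: %d bytes; access code (send separately): %s\n", len(sealed), code)

	if _, err := OpenBundle(code, sealed, "WRONG-REF"); err != nil {
		fmt.Println("wrong reference rejected:", err)
	}
	plain, err := OpenBundle(code, sealed, requestRef)
	if err != nil {
		panic(err)
	}
	fmt.Println("requester recovers:", string(plain))
}
```

Because GCM authenticates as well as encrypts, a bundle that arrives altered, or that someone tries to open with a code or request reference it was not issued with, is rejected rather than decrypted to garbage, which is the property you want before relying on two channels for delivery.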
See our guidance on security for more information on the security requirements of the UK GDPR, as well as our guidance on encryption for more details about how you can effectively implement encryption.
What if we have also received a data portability request?
If a person makes a SAR and a data portability request at the same time, you should consider what information comes under the scope of each request.
Remember that:
- the right of access concerns all the personal information you hold about a person (unless an exemption applies), including any observed or inferred information; and
- the right to data portability only applies to personal information ‘provided by’ the person, where you process that information (by automated means) based on consent or contract.
Also, while the right of access may require you to provide information in a commonly used electronic format, the right to data portability goes further. It gives people the right to receive personal information they have provided to you in a structured, commonly used and machine-readable format. It also gives them the right to request that you transfer this information directly to another controller.
Therefore, the required format for providing each piece of information depends on which right applies to that information.
Do we need to explain the information we supply?
You may need to explain some of the information you provide when you respond to a SAR. However, this depends on the type of information and the reason the person may have difficulty understanding it.
You must provide the following information in a concise, transparent, intelligible and easily accessible form, using clear and plain language:
- confirmation of whether you are processing the person’s personal information;
- the other supplementary information you are required to provide (eg your purposes of processing); and
- any other communication you have with them about their request.
This means that you should:
- ensure that you do not include irrelevant or unnecessary details;
- be open, honest and truthful;
- ensure the information is easy to understand for the average person (or child);
- ensure the information is easy to access; and
- use common, everyday language.
This is particularly important to consider if you are providing the information to a child.
For more detail on how to provide information in a concise, transparent, intelligible and easily accessible form, see our guidance on the right to be informed.
You should give the person additional information to put their personal information into context and aid their understanding if the requested personal information is not in a form that they can easily understand. However, this is not meant to require significant effort, and you are not expected to translate information or decipher unintelligible written notes.
Example
A person makes a request for their personal information. When preparing the response, you notice that a lot of it is in coded form. For example, attendance at a particular training session is logged as ‘A’, while non-attendance at a similar event is logged as ‘M’. Also, some of the information is in the form of handwritten notes that are difficult to read.
Without access to your key or index to explain the coded information, it is impossible for anyone outside your organisation to understand. In this case, you are expected to explain the meaning of the coded information. However, although you could do so, you are not required to decipher the poorly written notes, as the UK GDPR does not require you to make information legible.
Further reading