Subject Access Requests: A Guide to Data Rights

In the wake of Brexit, understanding your data rights under the UK General Data Protection Regulation (UK GDPR) is more crucial than ever. A Subject Access Request (SAR) remains a powerful tool that allows individuals to obtain information about how their personal data is being processed. This guide will walk you through the process of making a SAR in the UK, providing instructions and examples to help you understand what to expect and look out for in a response.

How to Make a Subject Access Request

1. Identify the Organisation

Determine which organisation you believe holds your personal data. This could be a company, public body, or any other entity processing your information.

2. Prepare Your Request

While there's no official format for a Subject Access Request (SAR), your request should include:

1. Your full name and contact details.
2. Any information used by the organisation to identify or distinguish you from others (e.g., customer number, account number).
3. A clear statement that you are making a subject access request.
4. Details of the specific information you are seeking.

There is no set format for a SAR, but data subjects can refer to the template provided by the ICO or use the example below.

Example SAR Request:

Dear [Organisation Name],

Under the General Data Protection Regulation (GDPR), I formally request access to the following information:

All notes, letters, emails, and other records that include my personal data.

Any internal memos, minutes of meetings, or documents that reference my personal data.

Any documentation of the decision-making processes concerning actions taken based on my personal data.

Please confirm receipt of this email and provide the requested information within the statutory one-month period. If you require any further information to process this request, please contact me promptly.

Best regards,

[Your Name]        

Note: If your request is broad, the organisation may ask you to narrow the scope to make it more manageable. Here’s an example of how you can refine your request:

Example of a Narrowed SAR Request:

Dear [Organisation Name],

Thank you for your response regarding my Subject Access Request. I understand the need to narrow the scope to make the request more manageable. To that end, I would like to revise my request as follows:

1. All notes, letters, emails, and other records related to my personal data from 1st January 2024 to present.

2. Any internal memos, minutes of meetings, or documents that reference my personal data from 1st January 2024 to present.

3. Any documentation of the decision-making process regarding actions taken based on my personal data from 1st January 2024 to present.

Please confirm receipt of this email and provide the requested information within the statutory one-month period. If you require any further information to process this request, please contact me immediately.

Best regards,

[Your Name]        

3. Submit Your Request

You can submit your SAR in writing (email or letter) or verbally. However, it's recommended to make the request in writing for a clear record.

4. Provide Proof of Identity

The organisation may ask you to prove your identity before processing your request. Be prepared to provide identification documents if necessary.

5. Keep Records

Maintain a record of your request, including:

• When and how you submitted it
• Any correspondence you receive
• Dates of any phone calls or conversations about your request

Timeline: What to Expect When Making a SAR

1. Submission of SAR:

• Action: Submit your SAR to the organisation.
• Details: Include your full name, contact details, any information to identify you (e.g., customer number), a clear statement that you are making a SAR, and details of the specific information you are seeking.
• Timeframe: Day 0.

2. Processing Period:

• Action: The organisation processes your request.
• Details: Organisations are required by GDPR to respond to SARs without undue delay and within one month of receipt. This period can be extended by a further two months if the request is complex or if they have received multiple requests from the individual.
• Timeframe: Day 1 to Day 30 (or up to Day 90 in exceptional cases).

3. Receipt of Response:

• Action: Receive the organisation's response.
• Details: You should receive the information requested, or a notice of extension if applicable. If the organisation refuses to provide the data, they must inform you of the reasons for the refusal and your right to complain to the ICO.
• Timeframe: By Day 30 (or by Day 90 in exceptional cases).

4. Follow-Up if Unsatisfied:

• Action: If the response is incomplete or unsatisfactory, you may follow up with the organisation.
• Details: Contact the organisation to address any issues or request further clarification. Provide specific details on what you believe is missing or incorrect.
• Timeframe: Within a few days of receiving the response.

5. Formal Complaint to Organisation:

• Action: If follow-up efforts do not resolve your concerns, submit a formal complaint to the organisation.
• Details: Clearly outline your dissatisfaction with the response and request a resolution. Keep records of all correspondence.
• Timeframe: Allow the organisation a reasonable period to respond, typically within 14 days.

6. Complaint to ICO:

• Action: If the organisation fails to address your complaint satisfactorily, you can escalate the matter to the Information Commissioner's Office (ICO).
• Details: File a complaint with the ICO, including details of your SAR, the organisation's responses, and your attempts to resolve the issue. The ICO should investigate and may take appropriate action.
• Timeframe: After exhausting all other avenues with the organisation, typically after an additional 14 to 30 days.

Notes:

• SAR Compliance Timeframe: The SAR must be complied with within one month (30 days) of acknowledging receipt of the SAR. This period can be extended by up to two additional months if necessary, provided the individual is informed within the first month.
• Processing Time Start: The processing time only starts when the company has acknowledged the SAR request.
• Scope Narrowing: If the company asks you to narrow the scope of your SAR request, the processing time resets to when they acknowledge the narrowed scope of your request.
• Referral to ICO: If the organisation does not respond within the statutory timeframe (including any extensions), the data subject can lodge a complaint with the ICO. Referring to the ICO typically occurs after exhausting all other avenues to resolve the issue with the organisation, which may fit within the timeline of Day 120+ if previous steps have failed.

What to Look Out for in a SAR Response

1. Timeliness

Organisations should respond to your SAR without undue delay and within one calendar month of receipt. This timeline remains unchanged post-Brexit. They can extend this by up to two additional months for complex requests but must inform you within the first month if they're doing so.

2. Completeness

The response should include:

• Confirmation of whether your personal data is being processed
• A copy of your personal data
• The purposes of processing
• Categories of personal data concerned
• Recipients or categories of recipients to whom the data has been or will be disclosed
• How long the data will be stored (if possible)
• Information about your rights (rectification, erasure, restriction of processing, right to object)
• Information about the right to lodge a complaint with the ICO
• The source of the data (if not collected from you)
• Information about any automated decision-making, including profiling

3. Format and Accessibility

The information should be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. If you made your request electronically, the information should be provided in a commonly used electronic format, unless you request otherwise.

4. Redactions and Exemptions

Be aware of any redactions or exemptions the organisation claims for withholding information. While some may be legitimate (e.g., to protect others' personal data or due to legal professional privilege), excessive or unjustified redactions could be a cause for concern.

What to Do If You're Unsatisfied with the Response

1. Contact the Organisation: If the response is unsatisfactory, contact the organisation directly to clarify your concerns. Allow a reasonable period (e.g., two weeks) for a response.
2. Formal Complaint to the Organisation: If issues remain unresolved, submit a formal complaint to the organisation’s complaints department. Allow up to four weeks for a resolution.

Example of a Formal Complaint to the Organisation:

Dear [Organisation's Complaints Department],

Subject: Formal Complaint Regarding Subject Access Request (SAR)

I am writing to formally lodge a complaint regarding the handling of my Subject Access Request (SAR) submitted on [date]. Despite following the proper procedures and providing all necessary information, I have encountered several issues with the response received. These issues are as follows:

1. Incomplete Disclosure: The information provided does not include all the personal data that I know is held by your organisation. Specifically, [detail the missing information].

2. Improper Redactions: The response contains extensive redactions that I believe are unjustified. The reasons provided for these redactions do not align with ICO guidelines.

3. Misuse of Legal Professional Privilege: The broad application of privilege appears to be used to withhold information improperly. I request a detailed list of all documents over which privilege is claimed, with specific justifications for each.

4. Failure to Provide Legitimate Interest Assessment: I requested a summary of the legitimate interest assessment related to my data, which has not been provided. Transparency in this matter is crucial.

5. Inadequate Data Search: Given the discrepancies and withheld information, it is apparent that a thorough search of all data repositories, including archived and backup systems, has not been conducted.

I request the following actions to address these issues:

1. Full disclosure of all information related to me held by your organisation.

2. A detailed account of any advice given on redactions, including justifications.

3. A comprehensive list of all documents claimed under privilege, with specific explanations for each claim.

4. A summary of the legitimate interest assessment.

5. Confirmation of a thorough data search across all repositories.

Please provide a complete and truthful response by [specific deadline, e.g., Friday, 26th July 2024]. If these issues are not resolved to my satisfaction, I will escalate my complaint to the Information Commissioner's Office (ICO).

Thank you for your prompt attention to this matter.

Yours sincerely,

[Your Name]        

3. Complaint to the ICO: If the organisation fails to resolve your complaint, escalate the matter to the Information Commissioner's Office (ICO). Prepare a comprehensive complaint including evidence where necessary. Be prepared to wait several months for a response and potentially receive a superficial response initially. Do not be deterred by a rejection; stay persistent and escalate the issue through the ICO's Complaint Handling Procedure (CHP).

Example of a Formal Complaint to the ICO:

Dear Information Commissioner's Office,

Subject: Formal Complaint Regarding Subject Access Request (SAR) Non-Compliance

I am writing to formally complain about the handling of my Subject Access Request (SAR) by [Organisation's Name]. Despite following the proper procedures and providing all necessary information, I have encountered several issues with the response received. These issues are as follows:

1. Incomplete Disclosure: The organisation did not provide all the personal data that I know is held by them. Specifically, [detail the missing information].

2. Improper Redactions: The organisation's response contains extensive redactions that I believe are unjustified. The reasons provided for these redactions do not align with ICO guidelines.

3. Misuse of Legal Professional Privilege: The organisation has broadly applied privilege to withhold information improperly. I have requested a detailed list of all documents over which privilege is claimed, with specific justifications for each, but have not received this information.

4. Failure to Provide Legitimate Interest Assessment: I requested a summary of the legitimate interest assessment related to my data, which has not been provided. Transparency in this matter is crucial.

5. Inadequate Data Search: It is apparent that a thorough search of all data repositories, including archived and backup systems, has not been conducted by the organisation.

I have raised these concerns with the organisation and requested the following actions:

1. Full disclosure of all information related to me held by the organisation.

2. A detailed account of any advice given on redactions, including justifications.

3. A comprehensive list of all documents claimed under privilege, with specific explanations for each claim.

4. A summary of the legitimate interest assessment.

5. Confirmation of a thorough data search across all repositories.

Despite my efforts, these issues remain unresolved. Therefore, I am seeking your assistance to ensure that [Organisation's Name] complies with the UK GDPR and provides the requested information.

Thank you for your prompt attention to this matter.

Yours sincerely,

[Your Name]

[Your Contact Information]        

Conclusion

Understanding and exercising your rights under the UK GDPR through a Subject Access Request (SAR) is an essential step in protecting your personal data. However, it’s important to remain vigilant if you encounter certain responses from organisations. Claims of legal privilege, attempts to charge a fee, or assertions that your request is manifestly excessive could indicate that the organisation is attempting to withhold information. In such cases, it’s prudent to question these claims and seek full transparency.

Additionally, if an organisation has engaged a law firm in relation to your data, consider submitting a SAR to the law firm as well. This can help uncover discrepancies and ensure you receive all the information you are entitled to. Remember, the goal is to ensure compliance and transparency, and you have the right to hold organisations accountable.

By staying informed and proactive, you can better navigate the SAR process and safeguard your personal data rights.

Have you made a Subject Access Request? Share your experiences or questions in the comments below!

#UKGDPR #SubjectAccessRequest #DataRights #PrivacyLaw #BrexitDataProtection #GDPR #UKLaw #DataPrivacy #ICO #DigitalRights

References

1. Information Commissioner's Office (ICO). (2024). "Right of access". Available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

2. UK Government. (2018). "Data Protection Act 2018". Available at: https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted

3. Court of Appeal. (2017). "Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd & Ors [2017] EWCA Civ 121". Available at: https://www.bailii.org/ew/cases/EWCA/Civ/2017/121.html

4. Barwell, J. (2024, June 29). "Exposing GDPR Non-Compliance: A Deep Dive into Mishandled Subject Access Requests". LinkedIn. https://www.dhirubhai.net/pulse/exposing-gdpr-non-compliance-deep-dive-mishandled-subject-barwell-luwee/

5. Barwell, J. (2024, July 9). "ICO Inaction: Undermining GDPR and Public Trust in Data Protection". LinkedIn. https://www.dhirubhai.net/pulse/ico-inaction-undermining-gdpr-public-trust-data-john-barwell-rokae/

6. Barwell, J. (2024, July 21). "Navigating the Complexities of UK GDPR Rights: A Personal Journey". LinkedIn. https://www.dhirubhai.net/pulse/navigating-complexities-uk-gdpr-rights-personal-journey-john-barwell-0dzde

7. Barwell, J. (2024, July 24). "Enhancing Transparency in UK Data Subject Access Requests: Overcoming Redaction and Omission Challenges". LinkedIn. https://www.dhirubhai.net/pulse/enhancing-transparency-uk-data-subject-access-requests-john-barwell-8mkec/

8. Barwell, J. (2024, July 23). "Shielding Documents and Controlling the Narrative: Legal Tactics in UK Data Protection". LinkedIn. https://www.dhirubhai.net/pulse/shielding-documents-controlling-narrative-legal-tactics-john-barwell-jocoe/

9. Information Commissioner's Office (ICO). (2024). "Make a complaint". Available at: https://ico.org.uk/make-a-complaint/

10. Barwell, J. (2024, July 26). "My Battle for UK GDPR Compliance: Challenging Muckle LLP's Handling of Subject Access Requests". LinkedIn. https://www.dhirubhai.net/pulse/my-battle-uk-gdpr-compliance-challenging-muckle-llps-handling-john-efbge/

11. Barwell, J. (2024, July 27). "Exposing Overreaching Redactions: A Case Study in UK GDPR Compliance Challenges". LinkedIn. https://www.dhirubhai.net/pulse/exposing-overreaching-redactions-case-study-uk-gdpr-john-barwell-lw2se/

Public Interest Disclosure Statement

This statement outlines the principles guiding disclosures made in my articles, which aim to serve the public interest by promoting transparency and accountability.

1. Guiding Principles Public Interest: Disclosures are made to serve the public interest, inspired by the principles underlying the Public Interest Disclosure Act 1998.
2. Ethical Reporting: I strive to adhere to ethical reporting practices to the best of my ability as a non-professional writer.
3. Factual Accuracy: All information disclosed is factual and evidence-based to the best of my knowledge.
4. Good Faith: Disclosures are made without malice and with a genuine belief in their truth and public importance.
5. Proportionality: The extent of disclosure is proportionate to the perceived wrongdoing or risk.
6. Confidentiality: Sources and sensitive information are protected where appropriate.

Legal Considerations

Disclosures are made with consideration of:

• Data Protection Act 2018 and GDPR: Personal data is processed in compliance with data protection principles.
• Defamation Act 2013: Truth: Factual statements are true to the best of my knowledge. Honest Opinion: Opinions are clearly identified and based on facts. Public Interest: Publication is believed to be in the public interest.
• Human Rights Act 1998: Disclosures exercise the right to freedom of expression, balanced against other rights.

Ethical Standards

While not a professional journalist, I strive to maintain high ethical standards in my reporting, including:

• Verifying information to the best of my ability
• Seeking comment from those involved where possible
• Being transparent about my methods and limitations

Disclaimer

This statement does not claim legal protections specific to employee whistleblowers or professional journalists. While every effort is made to ensure accuracy and ethical compliance, this is not legal advice. I am not a legal professional or a qualified journalist. Legal and ethical advice will be sought in cases of uncertainty.

By adhering to these principles, I aim to make responsible disclosures that serve the public interest while respecting legal and ethical obligations.