
A step-by-step guide to making a subject access request

In the UK, you have a legal right to find out if an organisation is using or storing your personal data. All you need to do is ask for a copy of this data.

This is called making a subject access request (SAR).

In this quick guide, you’ll find out:

What is personally identifiable information?

Personally identifiable information (PII) describes any data that can be used to identify an individual, either on its own or along with other information. PII could include:

What information are you entitled to?

You have the right to obtain the following information:

You are only entitled to your own personal information. Information about another person is only covered where it is also about you, or where you are acting on that person’s behalf.

Limiting an organisation’s use of your data

You also have the right to limit how organisations use your data. To exercise your right, you should make your request directly to the organisation in question and be clear about why you want the data to be restricted.

In some circumstances, you can also object to an organisation using your data at all. For example, you have the right to stop an organisation from using your data for email marketing.

Crucially, you have the right to complain to the Information Commissioner’s Office (ICO) if you do not believe that the organisation is upholding your rights in this or any other data protection matter.

Automated decision making

There are several ethical and privacy concerns over the use of profiling and automated decision-making about individuals.

In particular, women and people from BAME groups can find themselves discriminated against by companies that use automated decision making. But using technology and data to discriminate against individuals and automatically make decisions that harm them is not GDPR compliant. For example, under the General Data Protection Regulation (GDPR), the processing of biometric data (such as images of a person’s face) and the use of automated decision-making, including profiling, are only allowed in very specific circumstances.

At KP Law, as well as representing our clients in data breaches, we also make sure our clients are compensated for any GDPR violations that impact their legal rights. And if you have been harmed because of algorithmic and automated decision-making processes, we can help.

You can make a SAR to find out if and how a company is using your PII to make automated decisions.

What is the Information Commissioner’s Office?

The Information Commissioner’s Office (ICO) is the UK’s data protection regulator. It exists to protect your information rights and uphold your data privacy. It also helps organisations to meet their obligations under the Data Protection Act (the UK’s interpretation of the GDPR).

If you discover that your personally identifiable information has been compromised in a data breach, you can ask the ICO to investigate why this happened. You can also contact the ICO if an organisation fails to respond to a SAR, or if it does not do so adequately.

The ICO has imposed substantial fines on organisations in breach of their duties. And, while the ICO does not award compensation to individuals, we can use evidence uncovered by the ICO to support your data protection compensation claim.


Making a subject access request

If you decide that you want to make a SAR, here are the steps you should take:

Find out where to send your SAR.

This should be listed on the organisation’s website (check the privacy policy usually found in the footer). If you can’t find this information, let the company know. If they don’t make it available, you can complain to the ICO.

Decide what data you want.

Do you need everything an organisation has about you or just a specific piece of information? If you only need certain data and you want this quickly, it makes sense to be explicit. For example, you could ask if your data was exposed in a specific data breach.

Make your request.

You can make a SAR in writing, in person, or over the phone. However, we recommend that you put your request in writing. This provides a clear evidence trail if we need this at a later date.

Provide any information that will help them to fulfil your request.

When making a SAR, you should also include your name and contact details as well as any account or reference numbers.

Specify what format you want the information in.

Most organisations will provide what you need electronically, but if you want it in another format, you can ask if this is possible. An organisation only has to agree to this if it is reasonable to do so.

Keep a copy of your request as well as any proof of postage or delivery.

This will help if there are any delays or if they try to fob you off.

Subject access request template

In some group action cases, we might be able to make a data request to an organisation on your behalf.  However, where we cannot do this, or where you want to make your own request, the following template should help.

PRIVATE & CONFIDENTIAL

For the attention of:

Data Compliance Officer

{ORGANISATION}

[DATE]

Dear Sir/Madam

Subject Access Request

[Your Name]

[Your Address]

[Your Email Address]

I am writing to you to request access to my personal data pursuant to Article 15 of the General Data Protection Regulation (GDPR).

Please advise as to whether my personal data was disclosed inadvertently by you in the {DETAILS} privacy breach.

In particular, please provide details on the following regarding my data:

    • What data was breached. {LIST THE SPECIFIC DATA YOU WANT. FOR EXAMPLE: BOOKINGS BETWEEN 1 June 2020 and 1 Sept 2020}
    • When the breach occurred
    • When the breach was discovered
    • How long my data was compromised
    • Your assessment of the risk of harm to me, because of the breach
    • A description of the measures taken or that will be taken to prevent further unauthorised access to my personal data
    • Information and advice on what I can do to protect myself against any harm, including identity theft and fraud.

I anticipate a reply to my request within one month as required under Article 12 GDPR.

I look forward to receiving your response, which I would prefer to receive by email.

Yours faithfully

[Signature]

What else do you need to know about making a subject access request?

You do not have to pay to make a subject access request

A copy of your personal data should be provided free, although if you ask for extra copies, or if you ask for information that is ‘manifestly unfounded or excessive’, the organisation might charge a reasonable fee for administrative costs.

You can make a subject access request at any time

For example, you can make a SAR if you want to find out if information is being held about you and how it is being used. At KP Law, many of our clients make SARs to gather the evidence they need to start the compensation claim process following a data breach.

An organisation has one month to respond to a subject access request

Data protection law requires organisations to respond to a request for data within one calendar month. However, they might need extra time to consider your request and, if so, can take an additional two months to do this. The organisation must let you know within one month if it needs more time and why. If the requested information is not provided in the timeframe, you can raise a complaint with the ICO.

An organisation can refuse a subject access request

While you can make more than one SAR, the organisation can refuse a request if they believe it to be ‘manifestly unfounded or excessive’.

Depending on the circumstances, they may also refuse a SAR if your data includes information about another individual. Again, if you think your request has been rejected unjustly, you can raise a complaint with the organisation in question and, if you remain dissatisfied, with the ICO.

Organisations can also ask for further information to establish your identity, particularly where sensitive data is involved. However, such requests must be “reasonable and proportionate”.

What to do if an organisation fails to respond to your subject access request

Many organisations are either ignoring SARs or trying to fob people off with lengthy delays. So, what can you do if an organisation is failing to respond to your SAR?

What to do if you are being charged to make a subject access request

If you are being told you need to pay for your data, ask why the charge is being made. You should also point out that you have the right to make a SAR for free under the Data Protection Act 2018. If you believe any fees to be unfair, you can complain to the organisation in question, and if the matter is not resolved, report your concerns to the ICO.

However, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the organisation can charge a reasonable fee, taking into account the administrative costs of providing the information. 

What to do if your data is not supplied within the legal timeframe

If the requested information is not provided in the established timeframe, you can complain to the organisation, and if this does not help, raise a complaint with the ICO.

What to do if you are not sent all the information you requested

Firstly, you should write to the organisation explaining what information you think is missing. You should be as specific as possible. If you are still not happy with the organisation’s response, and it is not providing all the information you asked for, you can complain to the ICO.

What to do if an organisation refuses a subject access request

While you can make more than one SAR, the organisation can refuse a request if they believe it to be ‘manifestly unfounded or excessive’. Depending on the circumstances, they may also deny a SAR if your data includes information about another individual.

However, they cannot just ignore you. They must still write to you and explain why your SAR is being refused. If you think your request has been rejected unjustly, you can raise a complaint with the organisation in question and, if you remain dissatisfied, with the ICO.


What to do if an organisation ignores your subject access request

If more than a month has passed since you made your SAR and you have not heard anything back, you should write to the organisation reminding them of your request and their obligations under the GDPR. If you still do not hear back from them, you should complain to them using their complaints process. And, if you are not happy with their response, you can complain to the ICO.

What to do if your information is wrong

You have the right to get your data corrected or deleted. This means that you can challenge the accuracy of any personal data that an organisation holds about you and ask for it to be corrected, added to, or deleted. 

Organisations have one month to respond to your request. However, an organisation may charge you a fee or deny your request if they think it is unfounded or excessive. If the organisation refuses to change their records, you can complain to the ICO.

However, there is a difference between information that is incorrect and information that you disagree with. For example, if you have a dispute with your doctor over a diagnosis, you cannot change your health records. However, you might be able to add a note to this record stating that you disagree with the medical opinion.

What to do if you think an organisation is mishandling your data

If you are worried about the way an organisation is handling your information, you should let them know about your concerns.

You might want to raise a concern if an organisation is:

  • not keeping your information secure
  • holding inaccurate information about you
  • disclosing information about you
  • keeping information about you for longer than is necessary
  • collecting information for one reason and is using it for something else.

If you remain unhappy, you can also complain to the ICO.