Data Protection and Subject Access
Written by Michael Coyle on 29 April 2014« Return to Reading Room
Under s 7 of the Data Protection Act 1998 the Data Controller must release the information within 40 days of a request being made. It is known as a subject access request (SAR)
IMPORTANT: THE 40 DAY PERIOD IN WHICH TO RESPOND STARTS FROM THE DATE YOU SEND IN YOUR PASSPORT OR SIMILAR ID.
IF YOU ARE A DATA CONTROLLER PLEASE NOTE:-
1. Record the date you receive the subject access request.
2. Check to see if you have received similar requests. There are serial Data protection miners out there.
3. Carry out a search of all relevant systems and manual files using the name of the data subject as the search determinant and print out the results.
4. Read through the results and blank out any references which identify another individual. If the other individual can still be identified despite having blanked out his or her name, you should seek the other individual’s consent to disclose his or her details to the data subject. If the other individual refuses to give consent, you will need to consider whether it is reasonable in all the circumstances to make the disclosure.
5. Consider whether any of the exemptions apply to any of the results of the search.
6. Supply the remainder of the information to the data subject. This information must be accompanied by a description of the purposes for the processing, the recipients to whom the data are (or are to be disclosed) and the sources of those data. The information must be provided in permanent form, ie hard copy or electronic format, unless it would not be practical to send hard copies in which case, speak to the data subject to see whether he or she will accept an alternative (such as viewing the information on screen); and accompanied by an explanation of any code or abbreviations which appear in the information.
Want to speak
Complete the form below and we’ll call you back free of charge.