Complying With Subject Access Requests Under The Data Protection Act
by Kate McCormick
As explained in our Guide to Personal Data and Confidential Information, the Data Protection Act (DPA) gives the subject of any personal or sensitive personal data held by an organisation the right to request that copies of that information be supplied to them, and to be informed of the source of the data, to whom it is being disclosed, and for what purpose it is being disclosed and processed. Such a request must be complied with within forty days.
Compliance with such a request can be reasonably straightforward if the information is contained within a specific file relating solely to that person or within a self-contained entry in a database. Often, however, the data about that person will be subsumed within a larger document and inextricably linked with other confidential information or data concerning other individuals. How then is the subject access request to be dealt with when revealing the information requested could itself constitute a breach of confidence or a breach of the DPA?
The DPA deals with this situation by obliging the subject access request to be complied with only so far as:
• the other person(s) mentioned or identified in the document have consented to the information being released; or
• the organisation deems it reasonable in all the circumstances that the information should be released without those persons’ consent;
and wherever possible the details of those other persons are removed so that their identities can no longer be ascertained from the document.
What is ‘reasonable in all the circumstances’ depends upon whether the information is confidential or not, whether the organisation has taken steps to contact the other person(s), whether consent has been expressly refused by the other person(s) and whether they are capable of giving consent. For example, if the other person(s) cannot be found and the data is not confidential, then it could be released provided the organisation has made reasonable efforts to trace them. The subject’s human rights to see the information may also be a consideration and should be weighed up in any decision. Consent can be obtained in advance so it may be wise to consider this when a report or document is first compiled.
There are other exemptions under the DPA where a subject access request does not have to be complied with, such as for the prevention or detection of crime or the protection of national security; where negotiations are taking place with the subject which could be prejudiced; or where legal professional privilege applies to a document.
Other points in relation to subject access requests
A ‘data controller’ is entitled to request payment of a fee of up to £10 for each subject access request received. It is vitally important to check that the request has come from the subject of the data themselves and not an impersonator. You can insist that the subject complete a specific ‘subject access request’ form if necessary for this purpose or ask to see proof of identification. You can also ask for further details from the subject if necessary to extricate the exact data requested. Where these measures are necessary, the forty-day period will not start to run until the above information and/or payment has been furnished.
Once a request has been received, the ‘data controller’ can continue to process the data as it would do normally but may not alter or correct it simply because of the request.
Failure to comply with a subject access request within the forty-day period can lead to a court order for compliance and possibly an order for damages to be paid, if the subject suffers any harm.
Personal information can be located in a variety of places, including emails, tapes, memos, CCTV footage and photographs, as well as hard copy or electronic files. It is always wise to communicate with the subject to establish exactly what they are looking for and in what form they require it, so that you do not go to more trouble and expense than is necessary. The default position is that documents should be provided in hard copy, in a form that can be easily understood, but a subject may agree to receive the data by email or in another format.

