How do I request my Personal Data?
Under section 7 of the Data Protection Act 1998 (DPA), individuals are entitled to access the information that businesses hold on them. If a business holds an individual’s personal data, the individual has a right to access that data, as well as additional information related to it, such as why the business holds it. Individuals can also ask the business for copies of their personal information, verbally or in writing. This is called the right of access, and exercising it is commonly known as making a subject access request or SAR.
Does A SAR Request Have To Be in Writing?
A SAR no longer needs to be made in writing and does not have to mention that it is a subject access request, as long as it is clear that the data subject is requesting a copy of their personal data. An individual can make a SAR verbally or in writing, including on social media. An individual does not need to use a specific form of words, refer to legislation or direct the request to a specific contact.
Will I have to Pay A Fee For A SAR?
In short, no. In most circumstances, businesses will need to give individuals a copy of the information they request free of charge. There are, however, certain situations in which businesses may charge a “reasonable fee”: when a request is manifestly unfounded, excessive or repetitive.
This fee must be based on the administrative cost of complying with the request, and the business must notify the individual of the fact that they will be charged for the request.
Businesses can also refuse to grant excessive, unfounded or repetitive requests. If they do this, they must explain to the individual why they are refusing to comply and inform them of their right to appeal to the organisation’s supervisory authority.
What Can You Do If You Get A Refusal Notice From SAR?
An individual should always receive a response of some kind to a subject access request. Even if the organisation holds no information about them, or it has a reason to withhold that information, the business must still write to the individual and explain that this is the case.
If more than one month has passed since a subject access request and the business has not responded, then follow these steps:
- Step 1: Write to the organisation, reminding them of the request and of their obligations under the General Data Protection Regulation (GDPR). The Information Commissioner’s Office (ICO) have a standard template letter for this on their website. When doing this, be sure to give the business a deadline to respond, for example 7 or 14 days.
- Step 2: Make a complaint to the organisation. If the individual still doesn’t hear back from the business after writing to them to remind them of their obligation, then they should complain directly to them using their complaints process.
- Step 3: Complain to the Information Commissioner’s Office (ICO). If the individual has arrived at this point and is still unhappy with the response, then they should complain directly to the ICO.