Subject Access Requests: Getting the basics right

A blog by Andrew Laing, ICO Head of Data Protection Complaints

26 September 2022

Information can drive everything in our lives from healthcare to job opportunities to the decisions made

for and about us. We need to trust that our information rights will be respected if we are to confidently use the products and services provided by organisations which power our economy and society.

Access to personal data is a fundamental data protection right. We all have the right to ask an organisation whether or not they are using or storing our personal information. We can also ask for copies of your personal information, verbally or in writing. This is called the right of access and is commonly known as making a subject access request (SAR).

As the UK data regulator the ICO deals with over 35,000 complaints from individuals every year, the vast majority of those complaints are to do with the rules and obligations around accessing personal data.

We see the same sort of issues being raised across the whole of the economy, public and private sector and the purpose of this blog is to suggest some of the ways in which we offer help and assistance, and some of the tools that we have available for organisations to get this area right.

We write to thousands of organisations asking that they do more to resolve complaints involving access rights and we make no apologies for asking data controllers to take this area seriously. The right of access is a fundamental one and it is essential that when requests are made they are responded to correctly.

We know that the vast majority of organisations want to get this right. During the course of our work we are contacted about many issues and through those contacts we see some common themes emerge:

  • Delay – information right requests taking too long
  • Relationship break down – no one to contact, questions not being answered, incomplete or unsatisfactory responses.
  • Trust – lack of trust in what they’re being told
  • Understanding – lack of understanding leads to information being perceived as unclear or unhelpful

Every year we issue thousands of pieces of advice to organisations. Some of the key takeaways are:

Talk to your customers

Find out what they want. Customers appreciate good service and are less likely to complain to us if you handle their data protection complaint well. If you’re unable to meet the deadline for individual rights requests, tell them.

Dialogue is key

Ask your customers what they want, we see a lot of requests made for all the information held when actually the requester only wants information relating to a specific incident. Although you cannot ask requesters to narrow the scope of their request, ask them to provide additional details – such as the context in which information may have been processed and likely dates when processing occurred – to help you locate the requested information.

Being proactive to builds trust

If you’re dealing with a complex or particularly large SAR, explain that you’ll send out information in batches and provide a timeframe for this. Or, if someone’s opt out request won’t happen instantly let them know. People often come to us when they don’t know what’s going on with their data protection complaint.

Explain exemptions if they apply. While a customer may not be happy, providing an explanation of why information has not been provided can help them understand your decision. The same can be said for any information you redact. Keep a record of your decision making so that you can share it with us if we get in touch.

Use plain English

Data protection legislation can be confusing, explain things in a way that someone will understand.

Honesty is the best policy

People complain when their information is being used in a way they didn’t expect, or they don’t understand. Keep your privacy policy up to date where necessary and make sure it’s accessible and easy to understand. Put yourselves in their shoes, be open with them and explain.

We’re here to help

If there are areas of the law that you’re not too sure about or there are things that you’d like to explore in more detail there’s lots of information and guidance on our website. Our SAR code of practice has practical examples of how to comply with the law and improve your information rights handling. The Data Sharing code of practice is also one that we’d encourage you to look through. Likewise the Accountability Framework contains lots of information to help you get it right. If you’re an SME we have dedicated resources there to help you. More broadly, talk to your counterparts, ask for help from your trade bodies and pick up the phone to us!

In November the ICO will be holding a free event for local government information rights practitioners. This event is an opportunity for information rights practitioners from all levels of local government to discuss and seek advice from us on the areas of our remit of most importance to you. You can register your interest for this free event here.

Andy Laing is Head of Data Protection Complaints at the ICO.