Dealing With Subject Access Requests

Many businesses regard the Data Protection Act 1998 as something that merely requires a lot of form filling and the payment of fees, but there is a lot more to it than that.

The purpose of the Act is to protect a person's right to privacy with regard to the processing of their personal information. Individuals (‘data subjects’ in the terminology) have the right of access to information held about them. For example, a customer of your business has the right to contact you to request a copy of any data you hold on them so that they can check it. This is called a 'subject access request' (SAR). You are required by law to supply the information requested (once you have checked that they are who they say they are, of course). The individual making the request has the right to see data held in any form, not just that held on computer, so storing information in paper form does not avoid the responsibility.

If you receive a SAR, you are required to supply not only all the information you hold on the data subject but also a description of why the information is processed, details of anyone it may be passed to or seen by, and the logic involved in any automated decisions. If you unjustifiably fail to comply with a SAR, the courts may impose a fine of up to £5,000. Any person who believes they have suffered damage and/or distress as a result of a contravention of the Act may seek compensation by applying to the High Court.

In the case of a failure to comply with a subject access request the Court may award compensation for distress alone.

The interpretation of the Court of Appeal is that ‘personal data’ has been defined in such a way that employees are only entitled to see information which is biographical ‘in a significant sense’ and which has the data subject as its focus. The mere mention of a person’s name does not entitle them to see the documents concerned.

One of the major problems with this legislation is that some businesses simply do not have the systems in place to refer enquiries to the right person. Furthermore, in many cases data is held in a variety of locations and in different forms. So far, the full impact of the new legislation has not been felt but as individuals become increasingly aware of their personal rights it could become a serious issue for businesses. In particular, when looking to purchase a new IT system, thought should be given to the ability to comply with the Data Protection Act. Also, staff in client-facing roles should be trained how to respond to SARs.
We can assist you in devising policies and procedures to help you to meet your data protection obligations.
View my profile
Stewart Matthews
Partner - Head of Company/Commercial
T: 01908 304560(DDI)
The contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article.

Latest News

Whose Data is it Anyway?
Patent Dispute that Reaches High Court has far Reaching Implications
Design Law to Make Copying a Crime
Court Fight Increases Cost of Copyright Violation
Web Content - Can Do and Can't Do
Ex-Couple's Trade Mark War Ends in Stalemate
When is Ideal Not Ideal?
Economic Loss Essential in Trade Mark Dispute, Rules CJEU
Estate Agents Win Website Dispute
Repackaging Setback for Pharmaceutical Vendor