Telephone +44(0)1524 64544
Email: info@shadowcat.co.uk

Data Protection - Subject Access Requests 02

Who Has, and What Is, the Right of Access?

Fri Nov 6 12:15:01 2020

SAR on key on a keyboard

In the last few weeks there has been new guidance and rules issued by the Information Commissioner's Office regarding Subject Access Requests. In this and the following few blogs I am going to be taking a look at what this means for businesses.

What is a Subject Access?

It is the right for an individual to obtain any personal information that may have been collected about them. It also allows them to collect supplementary information (such as commentary made) about them. It allows an individual to view the data you collect. Verify or correct the data. Check the legal rights for a company to hold the data and that they are lawfully collecting such data.

It may also lead to a request to replace, or remove data. It is commonly referred to as 'subject access'.

Who Can Request an SAR?

The individual for whom the data refers to is normally the person who makes a request. However, any individual can ask a third party to request the data on their behalf.

An organisation is within its right to request for reasonable evidence that a third party has been authorised to make the request on behalf of the individual. An organisation can request they validate their identity in the same manner as the individual to whom the data relates.

How Can They Make A Request?

A valid request is when the individual asks for their own data. This can be done verbally, or in writing, and it can be made via mechanisms such as social media. The individual need not quote their rights, the legislation, use a specific set of words, or direct their request to a specific individual.

Requests can be made by the individual, or their third party representative, via your online portals and external facing addresses.

What About Children or those with a Legal Guardian?

The organisation should make a judgement as to the age, or maturity, of the subject in regards to them understanding their rights. A business should be confident that they understand their rights and if they do then you should respond directly to the individual to whom you hold data.

However, if the child authorises such, you may respond to a parent or guardian but only if you believe it is in the best interests of the child. Otherwise you should ensure that you deal directly with the data subject. Dependent on the competency, or maturity, of the data subject you may also allow requests from third parties on their behalf who are not their parent or guardian.

In the next article we are going to briefly look at a response to a request, and what has been clarified in relation to the rights of an organisation.

For detailed guidance on SAR visit the ICO website. There is also a detailed guide to a request involving other persons.


[Don't forget that you can join in this conversation by tweeting at @shadowcat_mdk].