Dealing With Subject Access Requests

Many businesses regard the Data Protection Act 1998 as something that merely requires a lot of form filling and the payment of fees, but there is a lot more to it than that.

The purpose of the Act is to protect a person's right to privacy with regard to the processing of their personal information. Individuals (‘data subjects’ in the terminology) have the right of access to information held about them. For example, a customer of your business has the right to contact you to request a copy of any data you hold on them so that they can check it. This is called a 'subject access request' (SAR). You are required by law to supply the information requested (once you have checked that they are who they say they are, of course). The individual making the request has the right to see data held in any form, not just that held on computer, so storing information in paper form does not avoid the responsibility.

If you receive a SAR, you are required to supply not only all the information you hold on the data subject but also a description of why the information is processed, details of anyone it may be passed to or seen by, and the logic involved in any automated decisions. If you unjustifiably fail to comply with a SAR, the courts may impose a fine of up to £5,000. Any person who believes they have suffered damage and/or distress as a result of a contravention of the Act may seek compensation by applying to the High Court.

In the case of a failure to comply with a subject access request the Court may award compensation for distress alone.

The interpretation of the Court of Appeal is that ‘personal data’ has been defined in such a way that employees are only entitled to see information which is biographical ‘in a significant sense’ and which has the data subject as its focus. The mere mention of a person’s name does not entitle them to see the documents concerned.

The contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article.

Latest News

Plastic Milk Bottle Producers in Patent War Plastic Milk Bottle Producers in Patent War
Guide to Changes in Design Law Guide to Changes in Design Law
Spamming Fine Quashed Spamming Fine Quashed
.uk Domain Names Launched .uk Domain Names Launched
Same Functionality Does Not Mean Software Copyright Breach Same Functionality Does Not Mean Software Copyright Breach
'Greek' is a Geographical Term, Not a Style 'Greek' is a Geographical Term, Not a Style
Slogan Fails Distinctiveness Test Slogan Fails Distinctiveness Test
Whose Data is it Anyway? Whose Data is it Anyway?
Patent Dispute that Reaches High Court has far Reaching Implications Patent Dispute that Reaches High Court has far Reaching Implications
Design Law to Make Copying a Crime Design Law to Make Copying a Crime