If your organisation ignores subject access requests it does so at its peril. Recent case law has illustrated the importance the Information Commissioner’s Office (ICO)places on subject access requests. If your organisation has not and/or does not comply with such a request, the ICO may take action.
Under UK data protection legislation all individuals have certain rights if their personal data is processed in the UK. This includes the right to make subject access requests of an organisation. These requests can seek a variety of outcomes but is often a request that the organisation disclose to the individual the personal data which it holds on the individual. If an organisation ignores a subject access request or does not provide all the personal data held, the individual can complain to the ICO. The ICO can then issue an enforcement notice requiring the organisation to take certain action in the event of a breach of the law. Failure to comply is a criminal offence.
What else must your organisation know about subject access requests? To ensure that it complies with the rules on subject access requests, your personnel should be aware of the following:
- Subject access requests may be made verbally and do not require to be in writing to be valid. It is, therefore, good practice to record requests received, especially those that are not in writing.
- Requests must be responded to within one calendar month of receipt.
- Requests need not actually use the phrase “subject access request.”
- An organisation cannot charge a fee unless the request is manifestly unfounded or excessive.
- In addition to potential ICO enforcement action, individuals have the right to seek compensation from an organisation for a failure to comply with the rules.
Given the potential consequences of non-compliance, your organisation should have a Subject Access Request Policy and ensure that all personnel are aware of the rules and the timescales involved. In addition, they should be aware to whom requests should be passed in your organisation.
Please note that this blog is intended as a short summary of the rules on subject access requests. No responsibility can be accepted for any action taken in reliance on this blog and specialist advice should be taken in every case. If you would like further information, please contact Malcolm Homes on 01383 721621 or email@example.com