Handling A Subject Access Request
An Individual (“data subject”) has the right to request access to all personal data that relates to them. The data subject does not have to give any reason for making such a request. If you receive such a request what must you do?
First of all the request must be made in writing; it must be accompanied by a £10 fee and it must provide all information reasonably required by you in order to verify the identity of the person making the request
Remember that you are entitled to charge the data subject a nominal fee of £10 for responding to the request. Many data subjects will send this money with their request but if the data subject does not then you are entitled to delay responding until you have received this.
You must respond to the request within 40 days of receipt of the request, or within 40 days of receipt of all necessary information and the fee.
If the information requested also identifies a third party then you must not disclose that information unless the third party has consented or it is reasonable, in the circumstances, to comply with the request without the third party’s consent.
Due to the time pressure in dealing with a subject access request, all businesses need to be aware of the need to respond promptly. Someone should be given responsibility for coordinating the response and all relevant data must be reviewed carefully before disclosure to ensure that it does not also relate to third parties.