How to make a subject access request following a data breach
Under the UK's data protection legislation, you have the right to find out if an organisation is using or storing your personal data. To exercise this right, all you have to do is ask for a copy of this data. This is called making a subject access request (SAR).
You can also ask whether your data is being shared with anyone else (and if so, why and how), how long the company plans to store your data and the reasons for this decision, and where your data came from.
Do you have to pay to make a subject access request?
A copy of your personal data should be provided free, although if you ask for extra copies, or if you ask for information that is 'manifestly unfounded or excessive', the organisation might charge a reasonable fee for administrative costs.
When can you make a subject access request?
You can make a subject access request at any time. For example, you can make a SAR if you want to find out if information is being held about you and how it is being used. In addition, at Hayes Connor Solicitors, many of our clients make SARs to start the compensation claim process following a data breach.
How do you make a subject access request?
If you decide that you want to make a SAR, here are the steps you should take:
- Decide what data you want access to. Do you want everything a company holds about you, or just a particular piece of information? It could take longer for an organisation to supply everything they have about you, so if you only need certain data and you want this quickly, it makes sense to be specific. For example, you could just ask for a copy of any emails between you and the company between particular dates
- Make your request directly to the organisation, stating clearly what you want. You can make a SAR in writing, in person or over the phone. At Hayes Connor Solicitors we always recommend that our clients put their requests in writing as this provides a clear evidence trail if we need this at a later date
- When making a SAR, you should also include your name and contact details as well as any account or reference numbers
- You should also specify what format you want the data in. Most companies will do this electronically, but if you need it in another format, you can ask if this is possible
- Keep a copy of your request as well as any proof of postage or delivery.
How long does an organisation have to respond to a subject access request?
Data protection law requires organisations to respond to a request for data within one calendar month. However, they might need extra time to consider your request and, if so, can take an additional two months to do this. The organisation must let you know within one month if it needs more time and why. If the requested information is not provided within this timeframe, you can raise a complaint with the Information Commissioner's Office.
Can an organisation refuse a subject access request?
While you can make more than one SAR, the organisation can refuse a request if they believe it to be 'manifestly unfounded or excessive'.
Depending on the circumstances, they may also refuse a SAR if your data includes information about another individual. Again, if you think your request has been rejected unjustly, you can raise a complaint with the organisation in question and, if you remain dissatisfied, with the Information Commissioner's Office.
At Hayes Connor Solicitors we are committed to upholding the data protection rights of our clients. With over 50 years' experience helping our clients secure the justice they deserve, our solicitors work tirelessly to ensure the best possible outcome for you, both in terms of damages achieved and service delivered.