What to do if an organisation fails to respond to your subject access request

You have the right to find out if an organisation is using or storing your personal data. To exercise this right, all you have to do is ask for a copy of this data. This is called making a subject access request (SAR).

Find out how to make a Subject Access Request on the Information Commissioner’s Office (ICO) website.

As well as using a SAR to ask for a copy of all the personal data an organisation holds about you, you can also use it to find out:

  • Whether an organisation is processing your personal data
  • How the organisation got hold of your data
  • The types of personal data being processed
  • Why your data is being processed
  • Any third parties that your data is being shared with
  • How long your data will be kept for
  • How you can have your data amended or deleted
  • Whether they use any automated decision-making processes
  • Any other supplementary information.

Find out more about Subject Access Requests.

However, while this right is enshrined under data protection legislation, it seems that many businesses are either ignoring SARs, or trying to fob people off with lengthy delays. So what can you do if an organisation is failing to respond to your SAR?

Well, first and foremost it’s vital to know your rights.

What to do if you are being charged to make a subject access request

A copy of your personal data should be provided at no cost to you, although “reasonable” fees can be charged for manifestly unfounded or excessive requests.

If you are being told you need to pay for your data, it is not unreasonable for you to ask why the charge is being made. You should also point out that you have the right to make a SAR for free under the Data Protection Act 2018.

If you believe any fees to be unfair you can complain to the organisation in question, and if the matter is not resolved, report your concerns to the ICO.

How long do you have to wait for your data?

Organisations should respond to any SAR within one calendar month. So, when making a request you should reference this deadline.

However, they might need extra time to consider your request and, if so, can take an additional two months to do this. The organisation must let you know within one month if it needs more time and why.

Of course, it could take longer for an organisation to supply everything they have about you. So if you only need certain data and you want to speed things up, it makes sense to be specific.

The ICO has provided a handy template to help you to do this.

If the requested information is not provided in the established timeframe you can complain to the organisation, and if this doesn’t help, raise a complaint with the ICO.

What to do if you can’t find the correct contact information

Organisations should provide contact information for making a SAR. Under the GDPR, this information should be available on an organisation’s website (check the privacy policy usually found in the footer).

If you can’t find this information, let the company know. If they don’t make it available you can complain to the ICO.

What to do if you are sent the wrong information

Firstly, you should write to the organisation explaining what information you think is missing. You should be as specific as possible.

If you are still not happy with the organisation’s response, and it is not providing all the information you asked for, you can complain to the ICO.

What to do if an organisation refuses a subject access request

While you can make more than one SAR, the organisation can refuse a request if they believe it to be ‘manifestly unfounded or excessive’. Depending on the circumstances, they may also deny a SAR if your data includes information about another individual.

However, they can’t just ignore you. They must still write to you and explain why your SAR is being refused.

If you think your request has been rejected unjustly, you can raise a complaint with the organisation in question and, if you remain dissatisfied, with the ICO.

What to do if an organisation ignores your subject access request

If more than a month has passed since you made your SAR, and you have not heard anything back, you should write to the organisation reminding them of your request and their obligations under the GDPR.

According to the ICO, “a calendar month starts on the day after the organisation receives the request, even if that day is a weekend or public holiday. It ends on the corresponding calendar date of the next month.”

If you still don’t hear back from them you should complain to them using their complaints process. And, if you are not happy with their response, you can complain to the ICO.

What to do if your information is incorrect

You have a legal right to ‘rectification’ of your records. So, if something in your data is wrong, you can ask to have it corrected. Organisations have one month to respond to your request. However, an organisation may charge you a fee or deny your request if they think it is unfounded or excessive.

If the organisation refuses to change their records, you can complain to the ICO.

However, there’s a difference between information that is incorrect and information that you just disagree with. For example, if you have a dispute with your doctor over a diagnosis, you can’t change your health records. But, you might be able to add a note to this record stating that you disagree with the medical opinion.

What to do if you think an organisation is mishandling your data

If you are worried about the way an organisation is handling your information, the ICO has provided a handy letter template to help you to raise your concerns.

You might want to use this if an organisation is/has:

  • Not keeping your information secure
  • Holding inaccurate information about you
  • Disclosed information about you
  • Keeping information about you for longer than is necessary
  • Collected information for one reason and is using it for something else.

If you remain unhappy you can also complain to the ICO.

What can you do if you can’t find the correct contact information?

The good news is that the ICO is intent on pursuing organisations that are not taking their data protection obligations seriously. In fact, it recently took a company to court for failing to respond to an ICO enforcement notice which ordered the business to provide information requested via a SAR.

Commenting on this case, a spokesperson for the ICO said:

“The right to access your own personal information is a fundamental and long-standing principle of data protection law. New laws brought into effect last May strengthen those rights even further.

Organisations not only have to respect this right but must also respect notices from the ICO enforcing the law. If they fail to do so then they must accept the consequences, which can include a criminal prosecution.”

At Hayes Connor Solicitors we are committed to upholding the data protection rights of our clients. For more advice on your rights, and how to keep your data safe, follow us on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, contact us to find out how we can help you to recover any losses.