Raworths LLP
Dealing With Subject Access Requests Dealing With Subject Access Requests

Legal Articles

Mar 15

Dealing With Subject Access Requests

Many businesses regard the Data Protection Act 1998 as something that merely requires a lot of form filling and the payment of fees, but there is a lot more to it than that.

The purpose of the Act is to protect a person’s right to privacy with regard to the processing of their personal information. Individuals (‘data subjects’ in the terminology) have the right of access to information held about them. For example, a customer of your business has the right to contact you to request a copy of any data you hold on them so that they can check it. This is called a ‘subject access request’ (SAR). You are required by law to supply the information requested (once you have checked that they are who they say they are, of course). The individual making the request has the right to see data held in any form, not just that held on computer, so storing information in paper form does not avoid the responsibility.

If you receive a SAR, you are required to supply not only all the information you hold on the data subject but also a description of why the information is processed, details of anyone it may be passed to or seen by, and the logic involved in any automated decisions. If you unjustifiably fail to comply with a SAR, the courts may impose a fine of up to £5,000. Any person who believes they have suffered damage and/or distress as a result of a contravention of the Act may seek compensation by applying to the High Court.

In the case of a failure to comply with a subject access request the Court may award compensation for distress alone.

The interpretation of the Court of Appeal is that ‘personal data’ has been defined in such a way that employees are only entitled to see information which is biographical ‘in a significant sense’ and which has the data subject as its focus. The mere mention of a person’s name does not entitle them to see the documents concerned.

In 2015, legislation  was brought in which makes requiring a prospective employee make their own request for a Criminal Record Check unlawful. 

Source: Commercial

  • « Older Entries
  • Newer Entries »

‹  Return to News / Articles

Other Articles

Mar 18

GDPR Guidance

If you have not yet taken steps to ensure your business complies with the General Data Protection Regulation (GDPR), the time to start is now: less than two months remain...

MORE

Mar 18

The GDPR and Your Firm's Pension Scheme

The press is awash with comment about the General Data Protection Regulation (GDPR), which will be fully enforced from 25 May 2018. It would be difficult for any organisation not...

MORE