There is a legal obligation on Data Controllers to allow Data Subjects to review the information held about them.
Such requests from Data Subjects are called Data Subject Access Requests (DSAR) or Subject Access Requests (SAR).
There is a time limit of one month for supplying requested data, although in special circumstances this can be extended to a maximum of three months.
One change from the DPD is that Data Controllers can no longer ask for payment to fulfil the SAR, save for “unfounded or excessive” requests.
It is clearly good practice to design a reliable SAR process that complies with the specific GDPR requirements. All Chambers’ staff should be trained in its use, but there should be a knowledgeable internal central point of contact managing all potential SARs. It is vital that you and Chambers’ staff are sufficiently trained to recognise that a request from an individual might be a SAR. A SAR can arrive in any format, not just through the processes outlined by you or Chambers as Data Controllers. An example might be a seemingly innocuous text request from an ex-employee to their line manager or the Senior Clerk.
Always bear in mind that an inadequate response (or no response at all, if not recognised as a SAR!) could easily trigger a complaint to the ICO or legal action.
In certain strict circumstances, the Data Controller may have grounds for refusing to fulfil a SAR. They would need to refer to policies and procedures already in place to demonstrate why the request meets the criteria for exemption, and this should be communicated to the Data Subject within one month of receiving the request.
The prospect of numerous SARs has caused a lot of consternation in most organisations, and Chambers are no exception. Concerns over the time that might be taken up by busy Members and staff, the associated expense, and worries over discovering unhelpful historic data are very real. Many who have dealt with a SAR appreciate why data minimisation can be in the interest of Data Controllers as well as Data Subjects!