Want to watch this video? Sign up for the course here. Or enter your email below to watch one free video.

Unlock This Video Now for FREE

This video is normally available to paying customers.
You may unlock this video for FREE. Enter your email address for instant access AND to receive ongoing updates and special discounts related to this topic.

You can ask for identification, when you receive a subject access request, obviously you need to be sure that the person who is requesting the information is the person who the information is about. If you sent the information to another party, then that would be a data breach. 

However, if it's a customer and someone that is known to you, then you cannot request more information. Asking for more information must not be used to delay providing the person with the information.  If it is obvious that the person has the legal right to the data, you do have to supply it without asking for more further identification.

If a customer emails you from the email address you have on your records and provides you with their client ID or account number for example, you would not have good grounds for requesting further proof of identity.

If a request came from a different email address it would be acceptable to request further confirmation of their identity.  If an individual is asking for information on behalf of someone else, they would have to provide legal proof that they are entitled to that information. If the data included sensitive information, you would be within your rights to send the information directly to the individual the information applies to.

Refusing a request.

You can only refuse a request if it is manifestly unfounded or excessive. If you were considering doing this, it would always be worth calling the Information Commissioner's office to ask for their guidance. 

If you do refuse you must write to the person and explain why you're refusing to provide the information, along with information about how they can appeal for your decision through the courts and also how they can complain to the Information Commissions offices because you have refused.

You will also need to be ready to justify your decision to the ICO  if the individual complains.

When you receive a Subject Access Request you have to provide them with information about all of their personal data that you're processing. So that is any information or information together that can be used to identify them as an individual.

You will also have to provide information about your company,

  • who you are
  • why your processing their data
  • how long you are retaining the data
  • your lawful basis for holding that data.
  •  In fact, everything that should be included in your privacy policy, so that information shouldn't be that hard for you to get because it should already be there. 

The ideal way to provide an individual with information, if they've put in a subject access request, is via a portal. An online system, where they can access and view all of the data is being held is the best way, it's a way that the Information Commissioners Office, considers to be the best way to provide information.

This isn't a feasible option for a lot of organisations because they don't have that sort of facility available, in which case, they would need to send the information over via email attachments or by printing out any information they hold about them and send it to them in the post.

Can the individual request what format that information is given to them, in printed format or email?

It is suggested that you send it in the same format that it was requested. So if you receive a written letter from an individual saying that they want copies of all of the information you're holding about them, then you would ideally reply in kind by sending it by post. If they request it electronically, then you should respond electronically, so you would use attachments and send it to them that way. 

Always respond in the way that it was requested whenever possible, but again, ideally having the information online for a portal, an online system where they can access the data themselves is obviously absolutely an ideal.

When a request is received through Social Media, this wouldn't be the best option to respond and you would need to make sure that you have properly identified the individual involved.

Responding via a social media platform could result in a data breach so would not be recommended, you should reply and confirm identity and consider email as the next most suitable method of response.

If the information that you're sending includes personal information or personal data of another individual, then you would need to get permission from that individual before you provide the information.

If they don't want to give you permission, you can anonymise the information if it is feasible or possible. If there is some way that the third person could be identified, even though their name isn't on it, which may be the case if it is employee related and they will know that a manager made the comments or wrote the reports, then you could refuse to include that information, that would be perfectly okay to do so.