Anyone can ask for a copy of any personal data your practice holds on them. This is known as a subject access request (SAR).
You must respond to a request as soon as possible and within one month.
Recognising a SAR
There’s no set way of making an access request. The person does not have to use a request form, even if you provide one, and does not have to call it an access request.
They can make a request in writing or verbally, to any person or part of your practice. It can be made through social media. It’s your responsibility to recognise a SAR, however the request is made.
If you’re not sure, you can check with the person that you’ve understood their request. This can avoid disputes later on.
All your staff should know:
- how to identify a SAR
- what to do when one is made
You’ll need to keep a record of the details of access requests. It’s good practice to keep a log of any verbal requests made over the phone or in person.
How to respond
Before responding you need to:
- check the identity of the person making the request, asking only for what you reasonably need to confirm it
- remove any information that identifies someone else (third-party information), unless that person has consented or it is reasonable to disclose it without their consent
When responding you need to:
- confirm that you’re processing their personal data
- provide them with a copy of it
- give details of how the data is collected, used and disposed of
Providing a copy of their data
You can send them a hard copy – a printout or photocopy. If someone asks electronically, for example by email, you must respond electronically, unless they ask otherwise.
You should provide the information for free in an easily accessible format. It should be in a way that’s easy for them to understand, for example:
- explain any codes they would not know
- write clearly in plain language
- be transparent
You only have to provide the personal data, not the documents themselves. Information that relates to someone else can be redacted, as described above.
You can download an ICO document on how to disclose information safely.
Telling them how you use their data
You must let them know:
- what categories of data you hold, for example special category (sensitive) data
- what it’s being used for
- where you got it from
- who it’s been disclosed to, particularly any recipients in ‘third countries’ (outside the EEA)
- how long you’ll keep it for, or what criteria you use to decide how long you keep it
- what safeguards protect it if it’s transferred internationally or to third countries
- details of any automated decision making – including profiling – for example to predict their behaviour
You must also tell them they have the right to:
- complain to the regulator
- object to you processing their personal data
- ask you to rectify, erase or restrict the processing of their personal data
Access requests and legal privilege
As a legal professional you do not have to release information if disclosing it would breach:
- legal professional privilege
- duty of confidentiality towards a client
Access to personal data and solicitor’s lien
If your client requests access to their personal data, this overrides any right you have to exercise a lien over their papers.
You can read about SARs, and what to do when you receive one, in more detail on the ICO website.