What is a Subject Access Request? written for WhereIsTheCare.
It’s a way for you to gather information about yourself from a public or private organisation.
Subject Access Requests (SARs) were born from an EU directive, and are enshrined in UK law within the Data Protection Act 1998. The legislation is designed to make sure that when organisations are gathering information about you they do it responsibly, accurately and securely.
Part of that goal involves giving you the right to request all information that an organisation holds about you. That way you can make sure that your personal information is being handled correctly.
In practice it’s similar to a Freedom of Information (FOI) request. With FOI you can only ask for a very specific piece of information, from a government body and it may be denied because of various exemptions. But an SAR is a catch-all request for everything any organisation holds, so long as it relates specifically to you.
What kind of information can you get?
Anything that is defined as ‘personal data’ should be disclosed to you when you send in your request. And that covers a lot of information.
The Information Commissioner defines personal data as information that:
Relates to you
- Is used, or is to be used, to inform, or influence actions or decisions affecting you
- Can impact or have the potential to impact you in a personal, family, business or professional capacity
Information that’s specifically about you might be performance reviews, case notes on a complaint, minutes of meetings with management or records of when you’ve contacted the organisation.
But sitting behind all that will be the internal reports into your allegations, email correspondence discussing you and your claims and action plans on how to deal with the repercussions of you blowing the whistle.
It’s not just limited to written information, but audio and video logs too.
Not only that, but you’re also entitled to know which third parties that the organisation has shared your personal data with. So then you know where to send your next Subject Access Request to.
How do you send a request?
All you need to do is send a letter, along with two forms of identification and a £10 postal order to cover a nominal processing fee. The organisation will then have 40 working days to respond.
The core of an SAR is just a template letter, which can be found on this link. The majority can be copied directly but a few revisions will need to be made to make it relate specifically to your case.
The basic layout is a section with the relevant parts of the law, then a short narrative description of the key interactions you’ve had with the organisation and then a section at the end that relates to how to manage the request.
What can also be helpful is providing an appendix of the dates of key emails, telephone calls, meetings or events that you believe may have generated items of personal data. The organisation has to give you everything regardless of whether you’ve asked for it specifically, but they’ve got less of an excuse to not find things if you’ve noted them in your request.
What to do with the response?
The main problem you will face is not getting all the information you think the organisation holds. It’s a difficult position to be in, because only they will really know what is stored and what isn’t and you’ve got no way to check yourself.
If you think there is more information held, don’t take it personally. Write a letter of appeal that outlines where you think there might be further information or where you’re not satisfied with the response. For example, an internal email might say: “Can we discuss this issue at tomorrow’s meeting.” but there are no notes or minutes from that meeting. Maybe they simply haven’t checked, so you should ask them to, but it’s entirely possible that it was all done verbally and no records exist. It may be contrary to operational procedure, but it happens.
If you’re still not happy after your first appeal, you can go to the Information Commissioner to make a complaint. They may or may not take up the case formally, but will at least apply a little pressure to the organisation by asking them to address your concerns.
There aren’t a lot of exemptions that will prevent you from accessing your data, but there are a few important ones. The most relevant will be concerning ongoing negotiations, which will prevent disclosure of information relating to you if you’re in ongoing disputes with the organisation. And legal professional privilege, which will prevent disclosure of legal advice relating to you.
Should you send an SAR?
Every case is different so it’s impossible to give blanket advice. Using Subject Access Requests in this way is still somewhat untested. You’re entirely within your legal rights to ask for your personal information, but we’re still pushing at the boundaries of the case law to try and make it work in your favour and can’t guarantee that the organisation won’t fight back.
On the positive side, an SAR is one of the few ways to unlock information about you from an organisation that would much prefer to keep it secret. If you’ve blown the whistle then you know how badly you’ve been treated by your employer, but it’s easier to convince others once you have all the internal documents to prove it. Plus it’s relatively simple to do and won’t cost you a lot.
But sending in a heavy-duty SAR will aggravate an organisation that holds a lot of power over you. Not many solicitors would advise sending in an SAR during an ongoing legal dispute, and if there are legal actions pending then it may be better to hold off.
If you’d like to know more about Subject Access Requests, I would suggest reading ‘The Data Protection Act without the Lawyer’ by Jenna Corderoy.
Overall, think about the value in the information you’re likely to receive and whether it’s worth jeopardising any other proceedings. But ultimately, it’s your legal right to have the information and no one is going to give it to you unless you ask.
Sid Ryan – Fellow of the Centre for Investigative Journalism