Data Subject Access Requests

Key Points

  • This card represents the law before GDPR implementation and is being updated. For up-to-date information, please see our summary GDPR card.
  • The Data Protection Act 1998 (the “DPA”) provides individuals with a right to access the personal data held about them by organisations and businesses, including their employer.
  • The right is exercised by making a data subject access request under section 7 of the DPA.
  • The Information Commissioner has issued a Subject Access Code of Practice that contains useful guidance on dealing with requests from individuals for personal information. He expects data controllers to make extensive efforts to respond.
  • Data controllers are entitled to withhold certain types of data that would otherwise fall within the ambit of a SAR, and there is a qualified right (and obligation) to withhold information about other identifiable individuals (third-party data) in certain circumstances.
  • Individuals can complain to the Information Commissioner or apply for a court order if the data controller has failed to comply properly or at all with their SAR.
