Data Subject Access Requests
- This card represents the law pre-GDPR implementation and is being updated but for up-to-date information please see our summary GDPR card here
- The Data Protection Act 1998 (the “DPA”) provides individuals with a right to access the personal data held about them by organisations and businesses, including their employer.
- The right is exercised by making a data subject access request under section 7 of the DPA.
- The Information Commissioner has issued a Subject Access Code of Practice that contains useful guidance on dealing with requests from individuals for personal information. He expects data controllers to make extensive efforts to respond.
- Data controllers are entitled to withhold certain types of data that would otherwise fall within the ambit of a SAR, and there is a qualified right (and obligation) to withhold information about other identifiable individuals (third party data) in certain circumstances
- Individuals can complain to the Information Commissioner or apply for a court order if the data controller has failed to comply properly or at all with their SAR.