Request for Subject Access
- A valid subject access request can be in writing or by email.
- The request must include clear identity details (name, address and date of birth) and state the exact data required, e.g. a specific period or all personal data. (Data can be in electronic or manual format, or both.)
- It must be signed by the requester – the Data Subject.
Individuals requesting Subject Access must have one valid form of identification.
Charges
In most circumstances we cannot charge the data subject for personal data.
However, if the request is excessive, unfounded, or a repeat request, we can apply a reasonable administration charge. The guidance around this is not explicit. If a charge is to be applied, the reason for the charge should be clearly documented and the data subject/requester should be advised.
In some cases the data requester could be a solicitor or an insurance company acting on behalf of the data subject. In this case written consent must be obtained. The third-party requester should make it clear whether their request is a SAR or a request under AMRA. If the request is under AMRA, it will be related to employment and insurance purposes and could include accident claims, life insurance and insured negligence claims. If the third-party request does not make this clear, the requester should be asked to confirm whether the report is being requested under GDPR or AMRA.
Refusal of SAR
The GDPR does allow SARs to be declined, for example if the data has not changed since a previous request. If a request is to be declined, the data subject must be informed of this decision and the reason for it within one month of the request, and be informed of how they can complain against the decision.
A SAR may also be refused on medical grounds if the requested data is deemed not suitable to share with the patient, i.e. current/past mental health issues with ongoing care.