- Data subjects have the right to access their personal information.
- This is commonly referred to as a 'subject access request' (SAR).
- Data subjects must make a subject access request in writing (as per sections 18 and 53 of the Promotion of Access to Information Act).
- You have one month to respond to a subject access request.
- You cannot charge a fee to deal with a request in most circumstances.
Preparing for subject access requests
☐ We know how to recognise a subject access request and we understand when the right of access applies.
☐ We understand when we can refuse a request and are aware of the information we need to provide to data subjects when we do so.
☐ We understand the nature of the supplementary information we need to provide in response to a subject access request.
Complying with subject access requests
☐ We have processes in place to ensure that we respond to a subject access request without undue delay and within one month of receipt.
☐ We are aware of the circumstances when we can extend the time limit to respond to a request.
☐ We understand that there is a need to use clear and plain language if we are disclosing information to a child.
☐ We understand what we need to consider if a request includes information about other data subjects.
- What is the right of access?
- What is a data subject entitled to?
- Personal information of the data subject
- Other information
- How do we recognise a request?
- Should we provide a specially designed form for a data subject to make a subject access request?
- How should we provide the information to individuals?
- Do we have to explain the contents of the information we send to the data subject?
- Can we charge a fee?
- How long do we have to comply?
- Can we extend the time for a response?
- Can we ask a data subject for ID?
- Can we clarify the request?
- What about requests made on behalf of others?
- What about requests for information about children?
- What about information held by credit reference agencies?
- What should we do if the information includes information about other people?
- If we use an operator, does this mean they would have to deal with any subject access requests we receive?
- Can we refuse to comply with a request?
- What should we do if we refuse to comply with a request?
- Can I require a data subject to make a subject access request?
The right of access, commonly referred to as a subject access request, gives data subjects the right to obtain a copy of their personal information as well as other supplementary information. It helps data subjects to understand how and why you are using their information, and to check that you are doing it lawfully.
Data subjects have the right to obtain the following from you:
- confirmation that you are processing their personal information;
- a copy of their personal information; and
- other supplementary information – this largely corresponds to the information that you should provide in a privacy notice (see below).
A data subject is only entitled to their own personal information, and not to information relating to other data subjects (unless the information is also about them or they are acting on behalf of someone). Therefore, it is important that you establish whether the information requested falls within the definition of personal information.
In addition to a copy of their personal information, you also have to provide data subjects with the following information:
- the purposes of your processing;
- the categories of personal information concerned;
- the recipients or categories of recipient you disclose their personal information to;
- your retention period for storing the personal information or, where this is not possible, your criteria for determining how long you will store it;
- the existence of their right to request rectification, erasure or restriction or to object to such processing;
- the right to lodge a complaint with the Information Regulator;
- information about the source of the information where it was not obtained directly from the data subject;
- the existence of automated decision-making (including profiling); and
- the safeguards you provide if you transfer personal data to a third country or international organisation.
You should provide this information in your privacy notices.
Sections 14 and 51 specify how to make a valid request. The data subject must make a subject access request to you in writing using the official form. Best practice would be to enable the form to be submitted securely online to your information officer.
If requests are not directed to your information officer, this presents a challenge: any of your employees could receive a valid request, which creates a legal responsibility for you to identify that a data subject has made a request and to handle it accordingly. If you don't use an online form, you may need to consider which of your staff regularly interact with data subjects and provide them with specific training to identify a request.
You may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted the request. You must maintain a log of all requests, recording the date and time of receipt and details of processing through to completion.
Online forms can make it easier for you to recognise a subject access request and for the individual to include all the details you might need to locate the information they want. Paper alternatives must be available for data subjects who do not have online access.
Although you may invite data subjects to use an online form, you must make it clear that it is not compulsory, and you must not try to use this as a way of extending the one month time limit to respond.
If a data subject makes a request electronically, you should provide the information in a commonly used electronic format, unless the data subject requests otherwise.
Best practice would be, where possible, to provide remote access to a secure self-service system which would provide the data subject with direct access to his or her information. This will not be appropriate for all organisations, but there are some sectors where this may work well.
However, providing remote access should not adversely affect the rights and freedoms of others – including trade secrets or intellectual property.
We have received a request but need to amend the information before sending out the response. Should we send out the “old” version?
It is our view that a subject access request relates to the information held at the time the request was received. However, in many cases, routine use of the information may result in it being amended or even deleted while you are dealing with the request. So it would be reasonable for you to supply information you hold when you send out a response, even if this is different to that held when you received the request.
However, it is not acceptable to amend or delete the information if you would not otherwise have done so.
POPIA requires that the information you provide to a data subject is in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This will be particularly important where the information is addressed to a child.
At its most basic, this means that the additional information you provide in response to a request (see ‘Other information’ above) should be capable of being understood by the average person (or child). However, you are not required to ensure that the information is provided in a form that can be understood by the particular data subject making the request.
For further information about requests made by a child please see the ‘What about requests for information about children?’ section below.
A data subject makes a request for their personal information. When preparing the response, you notice that a lot of it is in coded form. For example, attendance at a particular training session is logged as “A”, while non-attendance at a similar event is logged as “M”. Also, some of the information is in the form of handwritten notes that are difficult to read. Without access to your key or index to explain this information, it would be impossible for anyone outside your organisation to understand. In this case, you are required to explain the meaning of the coded information. It is good practice to decipher poorly taken written notes, as POPIA requires you to make information understandable.
You receive a subject access request from someone whose English comprehension skills are quite poor. You send a response and they ask you to translate the information you sent them. It is good practice for you to help data subjects understand the information you hold about them.
In most cases you cannot charge a fee to comply with a subject access request.
However, you can charge the prescribed fee for the administrative costs of complying with the request.
If you decide to charge a fee you should contact the data subject promptly and inform them. You do not need to comply with the request until you have received a deposit.
You must comply with a request without undue delay and at the latest within one month of receipt of the request or (if later) within one month of receipt of:
- any information requested to confirm the requester’s identity; or
- a fee (only in certain circumstances)
You should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month.
For practical purposes, if a consistent number of days is required (e.g. for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.
You can extend the time to respond if the request is complex or you have received a number of requests from the data subject. You must let the data subject know within one month of receiving their request and explain why the extension is necessary.
If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality.
You need to let the data subject know as soon as possible that you need more information from them to confirm their identity before responding to their request. The period for responding to the request begins when you receive the additional information.
If you process a large amount of information about a data subject, you may ask them to specify the information or processing activities their request relates to before responding to the request. However, this does not affect the timescale for responding - you must still respond to their request within one month. You may be able to extend the time limit if the request is complex or the data subject has made a number of requests.
You cannot ask the requester to narrow the scope of their request, but you can ask them to provide additional details that will help you locate the requested information, such as the context in which their information may have been processed and the likely dates when processing occurred. However, a requester is entitled to ask for ‘all the information you hold’ about them. If a data subject refuses to provide any additional information or does not respond to you, you must still comply with their request by making reasonable searches for the information covered by the request. The time limit is not paused whilst you wait for a response, so you should begin searching for information as soon as possible. You should ensure you have appropriate records management procedures in place to handle large requests and locate information efficiently.
POPIA does not prevent a data subject making a subject access request via a third party. Often, this will be someone acting on behalf of the data subject, but it could be anyone a data subject feels comfortable with acting for them. In these cases, you need to be satisfied that the third party making the request is entitled to act on behalf of the data subject, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney.
A building society has an elderly customer who visits a particular branch to make weekly account withdrawals. Over the past few years, she has always been accompanied by her daughter who is also a customer of the branch. The daughter makes a SAR on behalf of her mother and explains that her mother does not feel up to making the request herself as she does not understand data protection. The building society is rightly cautious about giving customer information to a third party, as the information they hold is mostly financial. If the daughter had a general power of attorney, the society would be happy to comply. They ask the daughter whether she has such a power, but she does not.
Whilst the branch staff know the daughter and have some knowledge of the relationship she has with her mother, it is still necessary to require more formal authority.
If there is no evidence that a third party is authorised to act on behalf of an individual, you are not required to respond to the SAR. However, if you are able to contact the data subject, you should respond to them directly to confirm whether they wish to make a SAR.
In most cases, provided you are satisfied that the third party has the appropriate authority, you should respond directly to that third party. However, if you think a data subject may not understand what information would be disclosed, and in particular you are concerned about disclosing excessive information, you should contact the data subject first to make them aware of your concerns. If the data subject agrees, you may send the response directly to them rather than to the third party. The data subject may then choose to share the information with the third party after reviewing it. If you cannot contact the data subject you should provide the requested information to the third party (as long as you are satisfied that they are authorised to act on the data subject’s behalf).
There are cases where a data subject does not have the mental capacity to manage their own affairs. However, it is reasonable to assume that an attorney with authority to manage the property and affairs of a data subject has the appropriate authority to make a SAR on their behalf.
Even if a child is too young to understand the implications of subject access rights, it is still the right of the child rather than of anyone else such as a parent or guardian. So it is the child who has a right of access to the information held about them, even though in the case of young children these rights are likely to be exercised by those with parental responsibility for them ('competent person').
Before responding to a subject access request for information held about a child, you should consider whether the child is mature enough to understand their rights. If you are confident that the child can understand their rights, then you should usually respond directly to the child. You may, however, allow the parent to exercise the child’s rights on their behalf if the child authorises this, or if it is evident that this is in the best interests of the child.
What matters is that the child is able to understand (in broad terms) what it means to make a subject access request and how to interpret the information they receive as a result of doing so. When considering borderline cases, you should take into account, among other things:
- the child’s level of maturity and their ability to make decisions like this;
- the nature of the personal data;
- any court orders relating to parental access or responsibility that may apply;
- any duty of confidence owed to the child or young person;
- any consequences of allowing those with parental responsibility access to the child’s or young person’s information. This is particularly important if there have been allegations of abuse or ill treatment;
- any detriment to the child or young person if individuals with parental responsibility cannot access this information; and
- any views the child or young person has on whether their parents should have access to information about them.
A person aged 12 years or over is presumed to be of sufficient age and maturity to be able to exercise their right of access, unless the contrary is shown.
A data subject can make a subject access request to a credit reference agency.
Responding to a subject access request may involve providing information that relates both to the data subject making the request and to another data subject.
You may not comply with the request if it would mean disclosing information about another data subject who can be identified from that information.
For the avoidance of doubt, you cannot refuse to provide access to personal information about a data subject simply because you obtained that information from a third party.
If we use an operator, does this mean they would have to deal with any subject access requests we receive?
Responsibility for complying with a subject access request lies with you as the responsible party. You need to ensure that you have contractual arrangements in place to guarantee that subject access requests are dealt with properly, irrespective of whether they are sent to you or to the operator.
You are not able to extend the one month time limit on the basis that you have to rely on an operator to provide the information that you need to respond. As mentioned above, you can only extend the time limit if the request is complex or you have received a number of requests from the data subject.
If an exemption applies, you can refuse to comply with a subject access request (wholly or partly).
A data subject believes that information held about them is inaccurate. They repeatedly request its correction but you have previously investigated and told them you regard it as accurate.
The data subject continues to make requests along with unsubstantiated claims against you as the responsible party.
You refuse the most recent request because it is manifestly unfounded and you notify the data subject of this.
A request may be excessive if:
- it repeats the substance of previous requests and a reasonable interval has not elapsed; or
- it overlaps with other requests.
However, it depends on the particular circumstances. It will not necessarily be excessive just because the data subject:
- requested a large amount of information, even if you might find the request burdensome. Instead you should consider asking them for more information to help you locate what they want to receive;
- wanted to receive a further copy of information they have requested previously. In this situation a responsible party may charge the prescribed fee for the administrative costs of providing this information again and it is unlikely that this would be an excessive request;
- made an overlapping request relating to a completely separate set of information; or
- previously submitted requests which have been manifestly unfounded or excessive.
When deciding whether a reasonable interval has elapsed you should consider:
- the nature of the data – this could include whether it is particularly sensitive;
- the purposes of the processing – these could include whether the processing is likely to cause detriment (harm) to the requester if disclosed; and
- how often the data is altered – if information is unlikely to have changed between requests, you may decide you do not need to respond to the same request twice. However, if you have deleted information since the last request you should inform the individual of this.
You must inform the data subject without undue delay and within one month of receipt of the request.
You should inform the data subject about:
- the reasons you are not taking action;
- their right to make a complaint to the Information Regulator; and
- their ability to seek to enforce this right through a judicial remedy.
You should also provide this information if you request the prescribed fee or need additional information to identify the data subject.
It is unlawful to require a data subject to make a subject access request against their free will.