Policy
This Data Subject Access Request Policy applies to us all, including managers, consultants and any third party to whom it has been communicated.
Introduction
Under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA) any individual can make a request of any business for access to or a copy of any personal data that the business ‘processes’ about them, including any opinion expressed about the individual, and additional information regarding that personal data. If an individual contacts us requesting this information, this is called a Data Subject Access Request (DSAR) or Subject Access Request (SAR).
All individuals who are the subject of personal data held by us (including employees, clients and other third parties) and who make a DSAR are, subject to certain exemptions, entitled to a copy of their personal data and the following information:
- Why we process this personal data;
- The categories of personal data concerned;
- The source of the data, where it was not obtained from the individual;
- The recipients or categories of recipients we disclose the data to;
- How long we store the data for or, where this is not known, the criteria for determining how long we will store it;
- The right to request rectification, erasure or restriction or to object to the data’s processing;
- The right to lodge a complaint with the Information Commissioner’s Office (ICO) or other applicable supervising authorities;
- Whether the data is used for automated decision-making; and
- Safeguards we provide if the data is transferred to a third country or international organisation.
Making a request
A DSAR can be made orally or in writing to any firm employee. There is no prescribed form or specific wording that must be used to make a valid DSAR (i.e., it need not include the phrase “subject access request”). For example, if someone says to a receptionist on a phone call “I want your firm to give me my personal data,” that person has made a valid DSAR. A message to the firm’s LinkedIn account asking for the sender’s personal data would most likely also qualify as a valid DSAR.
It is also possible to make a DSAR on behalf of someone else, provided that person gives their authority for the request to be made on their behalf.
If you suspect that someone you are communicating with has made a DSAR, ask them to confirm that this is indeed the case. If so, request that they fill out the Data Subject Access Request Form in the appendices section (though they are not obligated to do so for their DSAR to be valid).
Cost to the individual and refusal to respond
Under the UK GDPR, we are generally not permitted to charge for complying with a request.
We may however charge a fee or refuse to respond if the request is “manifestly unfounded” or “excessive”. In such cases, we would need to provide evidence as to how this conclusion was reached. Both grounds of refusal are high thresholds to meet and there are likely to be few cases where we can justify a refusal of a request on either basis.
According to the ICO, each request should be considered on a case-by-case basis, and we should not presume that a request is manifestly unfounded or excessive simply because the individual has previously submitted requests where one of these grounds of refusal had been deemed to apply.
A request may be considered to be “manifestly unfounded” if the individual has no clear intention to access the information or the request is malicious in intent and is being used to harass an organisation with no real purposes other than to cause disruption.
The request must be considered in the context it is made and it must be obvious or clear that the purpose of the request is unfounded. In most cases, use of aggressive or abusive language does not, in itself, demonstrate a manifestly unfounded request.
Factors that may indicate malicious intent include:
- the individual has explicitly stated, in the request itself or in other communications, that they intend to cause disruption;
- the request makes unsubstantiated accusations against the firm or against specific employees;
- the individual is targeting a particular employee against whom they have some personal grudge; or
- the individual systematically or frequently sends different requests to the firm as part of a campaign with the intention of causing disruption, e.g., once a week.
Whether a request is “excessive” depends on its particular circumstances.
The following are examples of what may amount to an excessive request, although they should not be referred to as definitive evidence of an excessive request:
- It repeats the substance of previous requests, and a reasonable interval has not elapsed;
- It overlaps with other requests that are still being addressed.
The burden of proof would rest with us to prove that the request is “manifestly unfounded” or “excessive” and it is appropriate to refuse to respond or charge a reasonable fee to provide the information (we must be able to justify the cost in case the requestor makes a complaint to the ICO).
Timescale to respond
The DSAR must be dealt with promptly due to the strict time limit in place. The firm generally has one calendar month from the day of receipt to respond, even if the day of receipt is a weekend or public holiday. We may extend the one-month deadline by an additional two months, but only on the grounds that the DSAR is “complex”.
The UK GDPR and DPA do not define “complex” but the ICO indicates that a complex request could, for example, involve a significant number of tasks, manpower or hours and/or require recruitment of an extra staff member(s) to complete it.
If the decision is made to extend the deadline by two months, the requestor must be given notice of this before the initial one-month deadline.
Procedure for responding to a DSAR
1. Ask the requestor to confirm their request on the Data Subject Access Request Form and notify the Data Protection Manager (DPM), Timothy Halliday, who will take responsibility for ensuring that the request is actioned.
2. The DPM will confirm the identity of the requestor by photographic identification provided alongside the request. If the identification evidence was not provided at the time the request was made, the DPM will request that it is provided, and the one-month (or possibly three-month) timescale to respond will commence from the day the firm receives the identification evidence.
3. The DPM will establish if the DSAR is reasonable and should be responded to within the standard timescale. If so, the DPM will send an acknowledgment response to the requestor which sets out the timescale within which the response will be provided. An example response letter is set out below:
Dear
Re: Data Subject Access Request
I refer to your email dated [insert date], in which you confirmed your request to make a Data Subject Access Request (DSAR).
I am the Data Protection Manager of this firm and will be dealing with your request, and should you need to contact me at any stage you can email me at [insert email address].
I am writing to you to acknowledge your DSAR. Under the UK General Data Protection Regulation, a data subject is entitled to request what personal data we as a Data Controller retain on them and specific information regarding this data.
Timescales
[We will respond to your request promptly and no later than within one calendar month from the date that the request was received. We have received your request on [insert date] and therefore will respond and provide you with your personal data by [insert date].]
OR
[We have determined that your request is complex due to [description why the request is complex and will require more time]. Therefore, in addition to the standard one-month deadline, we will require the two-month extension for complying with complex DSARs that we are entitled to under the UK GDPR. We have received your request on [insert date] and therefore will respond and provide you with your personal data by [insert date].]
If you have any further questions, please do not hesitate to contact us and we will be happy to help.
Yours sincerely,
4. The DPM will contact the relevant department heads and third parties to ensure all relevant data are correctly identified.
5. The DPM will check if any of the statutory exemptions prevent us sharing some or all of this information with the requestor.
6. The DPM will respond to the DSAR within one month of receipt of the request (or three months for complex DSARs).
Individuals have the right to obtain a copy of their personal data from your firm, along with supplementary information. You must facilitate the exercise of their rights (UK GDPR Art 12.2). You must handle a request fairly and transparently (Art 5.1(a)).
This is a summary of how the person in charge of data protection in the firm should deal with a subject access request. For fuller guidance see the Information Commissioner’s Office (ICO) website https://ico.org.uk.
a) Diarise the deadline.
You must deal with the request without undue delay and at the latest within one month of receipt.
b) Check the legitimacy and extent of the request.
Often this will not be an issue, but you may want to:
- check the identity of the person making the request;
- consider if the request is ‘manifestly unfounded’ or ‘excessive’ in which case you may be able to refuse or to charge a fee;
- request clarification as to what they are interested in. For example, do they just want data from their matter file, HR records, direct marketing records, emails or what? Of course, they may seek everything you have.
c) Collect the data.
This may include both electronic and paper documents. Accordingly, it will normally be necessary to do an electronic search and to ask those with relevant files to check their paper records. If in doubt, refer to the definition of personal data in the UK GDPR and the guidance on the ICO website.
Note: You may wish to warn colleagues not to put anything provocative in writing about this person or their request. The ICO states that in their view “a subject access request relates to the data held at the time the request was received”. However, some people make more than one subject access request, and that may require you to disclose comments made about the original request.
d) Edit out anything which you should not provide.
That may include the following:
- data mistakenly collected by your search e.g., because it relates to someone else with the same name;
- protected data, such as confidential employment references, documents protected by legal privilege and documents relating to a criminal investigation;
- information relating to third parties who have not consented to disclosure unless it is reasonable to disclose it. You may have to judge the competing interests of the third party and the person requesting disclosure. If the record is primarily about the data subject, with incidental confidential information about others, you should blank out the third-party information.
You should generally tell the person making the request if you have withheld any information, but not if that would defeat the purpose of withholding it. For example, you may withhold anti-money laundering reports to avoid tipping off, and would obviously not disclose that you have done so.
There is more guidance on this subject on the ICO website.
e) Draft the response.
See the draft below.
The information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language (UK GDPR Art 12.1). This means for example that you may have to explain how you handled the request if asked, e.g., explaining the steps taken to locate personal data. You may also have to explain abbreviations used in a document so that the recipient can understand it.
Include the following:
- The purposes of your processing (it may be helpful to use terminology from your privacy notice, e.g., as included in your terms of business or on your website).
- The categories of personal data concerned (e.g., emails, HR records, correspondence).
- The recipients or categories of recipient to whom you disclose such personal data (again, see what your privacy notice says about this).
- Your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it.
- That they have a right to request rectification, erasure or restriction or to object to such processing.
- That they have the right to lodge a complaint with the ICO.
- Information about the source of the data, where it was not obtained directly from them.
Template letter
Dear [Name of data subject]
Data Protection: Subject Access Request
Thank you for your [letter] of [date] making a data subject access request for [scope of request].
I am pleased to enclose the information you requested. [If appropriate] To protect the personal data of third parties I have blacked out some names and identifying details within these documents.
[OR if you have withheld some entire documents] I have not been able to include all personal data relating to you. It has not been provided where it contained [e.g., a confidential reference given for employment purposes / records of our intentions in respect of negotiations between us / legally privileged information / health records disclosure of which may put you at risk].
Purposes of our processing
We processed this personal data for the purposes of [complete as appropriate, preferably using the language used in your privacy notice].
Categories of data
We hold the following category/categories of data on you: [insert details e.g., personal data].
Recipients
The third parties whom we share your data with are [set out the recipients or categories of recipient to whom you disclose such personal data. Again, see what your privacy notice says.]
Retention period
Our retention period for storing the personal data is generally six years save for [include any categories of data for which a different period applies].
Source of the data
The source of the data is generally apparent from the data itself. In [most] cases the data was obtained from [you / our client / as appropriate]. Some was generated by ourselves in the course of our work, such as our notes of our dealings with you, or our emails to you.
But for the avoidance of doubt, we can confirm [set out information about the source of the data, where it was not obtained directly from the maker of the request].
[Note that if you received the data from a third party you need not include anything which reveals their identity unless it is reasonable to do so, or they consent.]
Copyright
Some or all of what we are providing may be subject to copyright. If so, please respect the rights of the copyright owner, for example by not copying, distributing, transmitting or otherwise making it available without the consent of the copyright owner.
Other
We do not use automated decision-making (including profiling), and we do not transfer your personal data to a third country or international organisation.
Data subject rights and right to complain
If the personal data we hold about you is inaccurate and you would like us to rectify it, please let me know. In certain circumstances you can also ask us to erase the information or restrict the use of the information. You can also object to how your information is being used.
If so, please reply to me explaining the reason for your request for erasure or restriction or for your objection. If you are dissatisfied with this response, please let me know so that we can address any concerns.
You may also complain to the UK Information Commissioner’s Office. Information on how to do this is available at http://ico.org.uk/complaints.
Your rights under the UK GDPR and DPA are outlined further in our Privacy Notice, a copy of which is attached for your information.
Yours sincerely
7. The DPM will monitor our performance in responding to the DSAR within the necessary time limit.
Criminal sanctions
Please note that under the UK GDPR and DPA it is an offence to alter, deface, block, erase, destroy or conceal information with the intention of preventing its disclosure in response to a DSAR. Once you become aware of a DSAR, you cannot do anything to information that is responsive to that DSAR in order to prevent the requestor from receiving that information.
If you would like to alter or delete information that is responsive to a pending DSAR for reasons other than preventing that information’s disclosure (e.g., the information was scheduled to be destroyed pursuant to the firm’s file retention policy prior to the firm receiving the DSAR), please contact the DPM before doing so.
Review of this document
This policy is reviewed by Timothy Halliday (COLP/DPM) on an annual basis.
May 2024