Your Information Request
Since the advent of data protection in the late 1990s, individuals have had the right to see the personal data that is held about them. This sort of request is called a subject access request and this important legal right has recently been improved through the new General Data Protection Regulation (a.k.a.GDPR) and the UK Data Protection act 2018.
One of the changes concerns a departure from the premise that all subject access requests require an upfront fee to be paid by the individual (the data subject) to the organisation or business which processed their personal data (the data controller). This upfront fee was previously £10 but could be as high as £50 in some cases.
The data controller was under no obligation to provide the data subject which access to their personal data if the fee was not paid. In fact, many businesses and public sector organisations would use this requirement to try and avoid making personal data available to data subjects. In some cases, the requirement to pay a fee was also used to deny access to personal data to many people by making it cost prohibitive to make a subject access request. The NHS for many years took this approach and would require individuals to pay a higher fee of £50 first before releasing any personal data held in medical files.
Now an individual can request access to their personal data without being asked for a fee. However, there is a limited exception where the provision of the personal data could be deemed excessive. This approach is likely to be the exception rather then the rule though, and most UK businesses, public sector organisations and third sector groups who process personal data will not charge a fee. This is quite important, because the personal data belongs to the individual not the data controller. Likewise, when a data controller begins processing an individual’s personal data, they do not have to pay that individual anything to obtain personal data from them. On this basis, why should an individual then have to pay a fee to see the personal data held by the data controller, when the data controller does not own the personal data and has not paid the individual anything for it?
The second change that is important concerns that length of time a data controller must comply with a subject access request. Previously, the data controller had a period of 40 days to supply an individual with their personal data. The new rules limit this to 30 days. This too, is an improvement as many data controllers would use the previously timescale as an excuse for undue delay to release the personal data to the data subject.
The new GDPR and Data Protection Act 2018 improves an individual’s information rights in many other ways too. For example, by fining a data controller for breaching their legal obligations, and by creating a right to compensation where things have gone wrong. These other important protections are outside the scope of this article, but if you have questions please get in touch.
If you are concerned about what data controller may be doing with your personal data, then why not ask to see it? You can do this simply by writing to the data controller, and in some cases, providing the data controller with appropriate identification to demonstrate that you are who you say you are. At legal spark, we carry out subject access requests regularly on behalf of our clients and if you, or someone you know requires assistance with their information rights, please get in touch.