Don’t get caught out by subject access requests

The right of individuals to access the information an organisation holds about them is an important safeguard and a cornerstone of data protection. Garreth Cameron, group manager (business and industry) at the ICO, explains more.


Whatever business you’re in, if you hold personal data, you will probably have to respond to a request at some point.


Subject access requests happen to be the top cause of complaint to the ICO, accounting for 46 percent of cases we receive.


We know that when businesses fail to respond properly to a subject access request it can end up costing them time, money and reputational damage.


What concerns do individuals raise with us?


We often see cases where a subject access request is made following a dispute with a customer or employee that hasn’t been resolved, or has been badly managed.


If you can avoid a position where the requestor feels their only option is making a subject access request, you stand a good chance of not receiving a request in the first place.


The importance of good customer service and a pragmatic approach cannot be overstated.


A disgruntled requestor may be motivated to complain if you’ve clearly not met legal obligations. Failing to respond within the statutory 40-day time limit is a common problem.


We understand it can take time to get the information required together and review it.


On the records


Good records management is key to ensuring information can be easily identified and retrieved. Of course, you shouldn’t be retaining information you no longer have a justifiable need for anyway.


It goes without saying that you should be conducting an extensive search for the data, because failing to provide something the requestor knows you hold is a sure-fire way to have a concern raised with the ICO.


In some cases individuals’ requests are just plain ignored. While in a low number of cases it may be reasonable to inform a vexatious customer that you are ceasing contact with them, you’re still obliged to respond to their subject access request if they make one.


In other cases we see, organisations fail to identify receipt of a request. It’s important that frontline staff are trained on individuals’ rights, and know how to respond when a request is received.


Extra care is needed to ensure information about third parties is not inappropriately disclosed.


We recently fined a GP surgery £40,000 after the practice revealed confidential details about a woman and her family to her estranged ex-partner, after he made a subject access request.


It’s about control


Giving people more control over their data is crucial to building consumer trust.


While individuals have legal rights under data protection, you should consider whether you want to force people to resort to the law to see what information you hold about them.


It’s a better experience for the customer to be in the driving seat, with the ability to access their data without going through a formal legal process. The growth of digital services helps to make this a reality.


Remember, individuals’ rights will be brought into focus across the European Union when the General Data Protection Regulation comes into force in May 2018. The regulation will require the data to be provided free of charge and, in certain cases, in a common electronic format.


No matter what happens in the UK post-Brexit, it’s time to ensure your house is in order when it comes to subject access.

Credit Strategy is an online news and information service for the UK’s commercial and consumer credit industry. It is published by Shard Financial Media Limited, registered in England & Wales as 5481132, Axe & Bottle Court, 70 Newcomen St, London, SE1 1YT. All rights reserved. Credit Strategy is committed to diversity in the workplace.
© Copyright Shard Media Group