Credit Strategy
0 £0.00
This item was added to your basket

Dear visitor,
You are viewing 1 of your 2 free articles

To view more free articles, please register

Free registration or Login

Don’t get caught out by subject access requests

The right of individuals to access the information an organisation holds about them is an important safeguard and a cornerstone of data protection. Garreth Cameron, group manager (business and industry) at the ICO, explains more

Garreth   Cameron

Share on Twitter Linkedin black
Garreth   Cameron
Share on Twitter Linkedin black

Whatever business you’re in, if you hold personal data, you will probably have to respond to a request at some point.


Subject access requests happen to be the top cause of complaint to the ICO, accounting for 46 percent of cases we receive.


We know that when businesses fail to respond properly to a subject access request it can end up costing them time, money and reputational damage.


What concerns do individuals raise with us?


We often see cases where a subject access request is made following a dispute with a customer or employee that hasn’t been resolved, or has been badly managed.


If you can avoid a position where the requestor feels their only option is making a subject access request, you stand a good chance of not receiving a request in the first place.


The importance of good customer service and a pragmatic approach cannot be overstated.


A disgruntled requestor may be motivated to complain if you’ve clearly not met legal obligations. Failing to respond within the statutory 40-day time limit is a common problem.


We understand it can take time to get the information required together and review it.


On the records


Good records management is key to ensuring information can be easily identified and retrieved. Of course, you shouldn’t be retaining information you no longer have a justifiable need for anyway.


It goes without saying; you should be conducting an extensive search for the data, because failing to provide something the requestor knows you hold, is a sure fire way to a concern being raised with the ICO.


In some cases individuals’ requests are just plain ignored. While in a low number of cases it may be reasonable to inform a vexatious customer that you are ceasing contact with them, you’re still obliged to respond to their subject access request if they make one.


In other cases we see, organisations fail to identify receipt of a request. It’s important that frontline staff are trained on individuals’ rights individuals, and know how to respond when a request is received.


Extra care is needed to ensure information about third parties is not inappropriately disclosed.


We recently fined a GP surgery £40,000 after the practice revealed confidential details about a woman and her family to her estranged ex-partner, after he made a subject access request.


It’s about control


Giving people more control over their data is crucial to building consumer trust.


While individuals have legal rights under data protection, you should consider whether you want to force people to resort to the law to see what information you hold about them.


It’s a better experience for the customer to be in the driving seat, with the ability to access their data without going through a formal legal process. The growth of digital services helps to make this a reality.


Remember, individuals’ rights will be brought into focus across the European Union when the General Data Protection Regulation comes into force in May 2018. The regulation will require the data to be provided free of charge and, in certain cases, in a common electronic format.


No matter what happens in the UK post-Brexit, it’s time to ensure your house is in order when it comes to subject access.

Share on Twitter Linkedin black
Add New Comment



The CS Interview

The patriot

The patriot


Ahead of the curve: Five reasons why Intelligent Environments secured the Best Collections Technology Award
Share on TwitterLinkedin black

Ahead of the curve: Five reasons why Intelligent Environments secured the Best Collections Technology Award


“It's time for us to address gender diversity”
Share on TwitterLinkedin black

“It's time for us to address gender diversity”

Bank NPL analysis

Banks continue purge of bad debt from balance sheets

Banks continue purge of bad debt from balance sheets


Credit Week 2018

Credit Summit

CDSP European NPL

Women in Credit Awards 2018


Credit Strategy
LinkedIn page

Did you find our website useful?

Thank you for your input

Thank you for your feedback – an online news and information service for the UK’s commercial and consumer credit industry. is published by Shard Financial Media Limited, registered in England & Wales as 5481132, Axe & Bottle Court, 70 Newcomen St, London, SE1 1YT. All rights reserved. Credit Strategy is committed to diversity in the workplace.
@ Copyright Shard Media Group