Stephensons Solicitors LLP


Right of access: understanding your rights and legal obligations

Author: Joanne Ellis

In the landscape of data protection and privacy law, few rights are as critical and frequently exercised as the right of access. This fundamental provision, enshrined prominently within the UK General Data Protection Regulation (UK GDPR), empowers individuals with the ability to obtain details about their personal data held by organisations and individuals.

Understanding your rights as a data subject or your obligations as a data controller is essential in ensuring compliance, transparency, and accountability within data processing practices.

Defining right of access under UK law

The right of access, often referred to in practice as a ‘subject access request’ (SAR), is defined in Article 15 of the UK GDPR. It entitles an individual to obtain confirmation from an organisation as to whether their personal data is being processed and, if so, to receive a copy of that data together with supplementary information about the processing. Organisations operating within the UK must respond promptly and fully to a valid SAR, in line with the statutory requirements of the UK GDPR and the Data Protection Act 2018 and the guidance issued by the Information Commissioner’s Office (ICO).

Who can make a right of access request?

Any person whose personal data is held and processed by an organisation or individual retains the legal entitlement to submit a right of access request. It is not limited by status, age, or occupation. Notably, this right extends to employees, customers, suppliers, former employees, and potentially anyone whose data you may have gathered in both digital and physical records. Additionally, authorised representatives, including solicitors acting on behalf of the individual, may also submit such requests provided they possess suitable authorisation evidence.

How to recognise and respond to a subject access request

There are no mandated formalities concerning how an individual must phrase or submit a SAR. Provided the nature of the request clearly intends to access personal data, the request is valid regardless of whether the phrase "subject access request" expressly appears. Requests may come through various media, including email, letter, or verbally.

Upon receiving a valid SAR, UK law obliges organisations and data controllers to respond without undue delay and, at the latest, within one month. In complex situations or where numerous requests exist, this response timeframe may be extended by two additional months, provided the requester is informed within the initial month.

Information required to comply with SARs

When responding to a right of access request, organisations must supply a copy of the personal data itself, together with clear supplementary information, including:

  • The purposes of the processing.
  • The categories of personal data processed.
  • Recipients or categories of recipients who have received or will receive the data, including any recipients outside the UK.
  • How long the data will be retained, or the criteria used to determine this.
  • The existence of the rights to rectification, restriction, erasure and objection, and the right to complain to the ICO.
  • The source of the personal data if it was not obtained directly from the individual.
  • The existence of automated decision-making, including profiling, where applicable, with meaningful information about the logic involved and the significance and envisaged consequences of that processing for the individual.

When can an organisation refuse a right of access request?

Though the right of access is extensive, it is not absolute. Organisations may lawfully refuse a SAR, or limit their response, in the specific circumstances set out in the UK GDPR and the Data Protection Act 2018. These include requests that are manifestly unfounded or excessive (for example, because of their repetitive character) and the statutory exemptions that apply to particular categories of information. Where an organisation refuses a request in whole or in part, it must explain its reasons without undue delay and inform the individual of their right to lodge a complaint with the ICO and to seek a judicial remedy.

Charging fees for responding to access requests

Generally, organisations must provide the personal data requested free of charge. However, if a request is manifestly unfounded or excessive, an organisation may either charge a reasonable fee, based on the administrative cost of responding, or refuse to act on the request. A reasonable fee may also be charged for further copies of data already supplied. Any fee must be communicated clearly to the requester before the organisation acts on the request, and the organisation should be able to justify it.

Dealing with third-party information

Personal data records often also contain information about third parties. Where releasing that information would disclose personal data relating to another individual, the data controller is not obliged to disclose it unless the other individual consents or it is reasonable in all the circumstances to disclose it without consent. In practice, the organisation must assess whether to redact the third-party details, seek that person’s consent, or conclude that disclosure is reasonable before sharing the information with the data subject who has requested access.

Risks and penalties of failing to comply with right of access requests

Organisations that neglect their responsibilities regarding right of access under UK GDPR expose themselves to significant legal, financial, and reputational risks. The Information Commissioner’s Office maintains authority to investigate failures and issue enforcement actions, including substantial monetary penalties. It is imperative to implement robust SAR handling protocols, regular staff training, and periodic audits to ensure compliance.

Frequently asked questions about right of access

Can I request CCTV footage through the right of access?

Yes, individuals retain the right to request and obtain copies of CCTV footage featuring themselves. Data controllers holding CCTV data must ensure that responding to such requests complies with data protection laws and respects the privacy rights of other individuals potentially visible or identifiable within the footage.

Can employers refuse to provide personal data held on employees?

Employers must comply with employee SARs unless a statutory exemption applies, such as legal professional privilege or, in limited circumstances, material relating to an ongoing disciplinary investigation. Any refusal must be justified, documented, and communicated transparently to the employee.

Must requests be made formally in writing?

No, individuals making SARs are under no obligation to submit requests formally or in writing. Data controllers must respond to valid requests regardless of the communication medium, including verbal requests and informal emails, provided the request clearly indicates an intention to access personal data. It is nonetheless good practice for an organisation to keep a record of verbal requests and to confirm its understanding of the request with the individual.

Conclusion

The right of access stands as a fundamental pillar in data protection regulation within the UK, empowering individuals to maintain control over their personal information. Organisations must establish clarity regarding their SAR obligations, ensuring transparency, responsiveness, and accountability in handling requests.

Failure to comply with these statutory obligations exposes organisations to legal penalties and significant reputational harm. It is recommended to seek professional legal advice to establish proper internal processes and training to ensure full compliance with right of access requests under UK GDPR.
