subject access request

UK Information Commissioner’s Office has published detailed guidance on the Right of Access.

The right of access is a fundamental right under data protection law. And it has never been more necessary. In a world where personal data is used almost everywhere – by everyone – it’s vital that people have the right to be able to find out what’s happening to their information.

More and more people are waking up to the power of their personal data, and are exercising their rights. That’s why, as an organisation, it’s important that you know how to deal with a subject access request (SAR) effectively and efficiently.

The right of access detailed guidance that ICO has published today will help you to do that.

Main clarifications were done on the three key points raised.

  1. Stopping the clock for clarification – one issue which we received a lot of feedback on was that seeking clarification on requests often didn’t leave enough time to respond. As a result, our position now is that, in certain circumstances, the clock can be stopped whilst organisations are waiting for the requester to clarify their request.
  2. What is a manifestly excessive request – to combat confusion over when to class a request as manifestly excessive, we’ve provided additional guidance to help and broadened its definition.
  3. What can be included when charging a fee for excessive, unfounded or repeat requests – we’ve taken the feedback on board about the fee for staff time involved in responding to manifestly unfounded or excessive requests, or responding to follow-up SARs, and have updated what organisations can take into account when charging an admin fee.

ICO is planning to add more supportive resources like a simplified SAR guide for small businesses which picks out the key ‘need-to-knows’ from the detailed guidance.

The right of access is a cornerstone of data protection law and good SAR compliance instils trust and confidence. That’s why it’s essential that organisations get this right, because people’s trust in how organisations use their personal data plays a role in their overall confidence and support for your services.

Original article: ICO

Photo by Ron Dyar on Unsplash.

Share on facebook
Share on linkedin
Share on twitter
Share on pinterest
Share on print
Share on email

Latest Blog Posts

dpa gdpr

Data Protection Authorities (DPA)

Data Protection Authorities (DPA) Data Protection Authorities (DPA) are independent public authorities that supervise, through investigative and corrective powers, the application of the GDPR. They

Read More »

Zpracovává vaše společnost osobní údaje?


Zpracovávat vaše společnost osobní údaje fyzických osob, jako jsou:

  • Údaje zaměstnanců, zákazníků, uchazečů o zaměstnání nebo pacientů včetně:
    • Jméno nebo osobní identifikační číslo
    • Kontaktní údaje (e-mailová adresa, telefonní číslo, adresa)
    • Bankovní údaje, plat, údaje o pasu nebo jiné osobní údaje

 

Ar Jūsų įmonė renka ir tvarko fizinių asmenų asmens duomenis? 


Asmens duomenys gali būti:

  • Kliento, darbuotojo. paciento, kandidato į darbo vietą ir kt. 
    • Vardas ar asmens  numeris 
    • Kontaktinė informacija (el.pašto adresas, telefono numeris, adresas ir kt)
    • Banko sąskaitos  duomenys, atlyginimo dydis, paso duomenys ar bet kokia kita asmeninė informacija. 

Onko yrityksessäsi enemmän, kuin 250 työntekijää?


Kas teie ettevõte kogub ja töötleb isikuandmeid?


Kas teie ettevõte kogub ja töötleb füüsiliste isikutega seotud andmeid nagu näiteks:

Töötajate, klientide, tööle kandideerijate, patsientide:

  • Nimi, isikukood
  • E-posti aadress, telefoninumber, kodune aadress
  • Pangakontonumber, palgasumma, krediitkaardiandmed või mõnda muut tüüpi isiklikud andmed

Does your company collect any personal data?


Does your company collect and process any personal data of natural persons such as:

  • Employees, Customers, Job Applicants or Patients including:
    • Name or personal ID number
    • Contact details (Email address, Phone number, Address)
    • Bank details, Salary amounts, Passport details or any other personal data