The most daunting thing we have to face as individuals is going up against an organisation and requesting your own data from it, especially if it is a large one. This is one of the main reasons why data protection legislation is in place, to protect the individuals.
The first principle mentioned in any data protection seminar that I have been on, is that an organisation has to bear in mind, is being “lawful, fair and transparent” when it comes to using personal information. That way it’s easier for “us mortals” to speak to the “organisation gods”. The law has provided us with a way to get information about us out of them and find out how they are using it.
Let’s just look at one way of doing this for now, this is requesting the data that an organisation holds about us, as an individual – legally referred to as a subject access request.
Subject access request
In case you’re interested the reason for this title it’s that, legally, us individuals are referred to as data subjects. So when a request is made to access our personal data, the title of subject access request (or SAR for short) is used, and that seem to make sense right?
Each organisation should have a published point of contact for data protection matters. this should be either in their emails, on their website, or other published material. So, as a customer/client/member you should find out where to go easily. If there is nothing that says where to go (and this is becoming increasingly common) pick up the phone and call their customer services, or go online to see if there is a chat tool on their website.
You have to give the request in a similar way to how you provided the data in the first place. Therefore, as most registrations are done in writing, it is most likely that an email, letter, or even a chat message (if the organisations website has this option) will be needed.
Organisations do not have to answer you straight away, but they should provide you with either the answer to your query within one month. If they can’t, they need to say why they cannot respond within 14 days (and that is calendar days). Also, they cannot charge you for this information unless the amount of information being requested is either substantial or complex. There is onus on the organisation to quantify why they believe it meets this particular criteria. You can appeal any decision relating charges to ICO, but this will delay the information coming out of the organisation.
The longest time taken to obtain your information, in normal circumstances should be two months.
The Good Bit
You are in the driving seat, even though there is this spanner in the works about the appeals process.
Complaints about not providing information to individuals are taken seriously and there are a number of cases where the ICO has penalised organisations for inaction. This action has been taken against public bodies to and not just private organisations.
Requests for information can be either to obtain all of the information held by an organisation, or for a subset that you are particularly concerned about. The next good bit is that they have to include any information they have added about you to your records, but you have to specify that your SAR relates to all of your records. Please be aware, the one grey area relates to the distribution of information obtained as a legal obligation, or where there is a safeguarding issue attached to the information being requested.
So, if things work as they should, the organisation should have a clear process to receive your request, provide you with an estimate of how long your request will take to process and provide you with information in a clear and concise manner.
There is so much more information available, some of it very detailed. Please look through the other blogs and see if the information you want is provided.
Associated articles:
- https://eyebray.com/policies-procedures-internal-documents/ : This has information about the basics to show how your organisation complies with data protection law .
- https://eyebray.com/legal-basis-processing/ : This helps to start detailing how to decide what personal information to collect and why .
- https://eyebray.com/sharing-data-whats-story/ : Avoid some common pitfalls by reading this article .
If not, we would be pleased to answer your enquiry calling us on 07943211611 or emailing us at enquiries@eyebray.com,
There is other information at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ direct from the ICO.