Subject Access Guide

12 January 2009

Hazel Grant, Ruth Boardman, Rhian Hill

For many organisations one of their key problems with data protection legislation is handling requests from individuals for access to the information held on them.

This problem is exacerbated when, as now, we enter a financial crisis and organisations start to make redundancies, freeze pay levels or delay promotions.  We have seen a marked increase in the use of access requests by employees who are in dispute with their employers.

In the UK, there have also been a large number of requests made by customers of retail banks (related to disputes over bank charges), although, of course, any individual customer could make a request of any retailer or service provider which he/she uses.

Under the Data Protection Act 1998 (DPA) individuals are entitled to access the information which an organisation holds about them.  This is an important right in data protection legislation, but can have a significant impact on businesses.  Businesses must carry out detailed searches quickly within a deadline of 40 days from receipt of the request.  The searching can expand to cover emails, databases, paper records and CCTV records.  In addition, businesses must provide the information for a very low charge, when compared to the cost of searching.  (In general the maximum charge paid by the individual is £10, with the cost of searching vastly exceeding this.  In some cases we have seen the cost of searching running to tens of thousands of pounds).  Although there are some exceptions to the right of access, businesses are often concerned as embarrassing information must be disclosed, against the wishes of the business.

In this guide we describe the key actions which an organisation should take when receiving a request for access, in order to comply with the DPA and minimise impact on the business.

What to do when a request is received

Ensure a request is logged and complied with promptly

Individuals do not have to say that they are making an access request or quote the DPA for it to be a valid request.  Consequently, personnel who might receive such requests should be trained in data protection compliance so they can recognise a request for what it is and ensure it is dealt with promptly, and within the 40 day deadline (as required by the DPA).  If the organisation does not comply with a request either promptly or fully, an individual can complain to the Information Commissioner and the Commissioner can take enforcement action.

The organisation must check that it has sufficient information to respond to the request

The organisation does not have to respond to a request until it has information which it reasonably requires to locate the information sought. The 40 days time limit for responding to the request will not start until this information has been obtained. If the request is not clear, the organisation is entitled to go back to the individual for more information.

Ensure that the individual making the request is entitled to the requested information

If the organisation is not sure about the identity of the requestor, it can ask them to provide evidence of their identity. If an individual is writing on behalf of a spouse, or a legal representative on behalf of their client, an organisation should not assume that they have authority to act on behalf of the client/individual.  (So the organisation should ask for written evidence of authority).

How extensive should the search be?

The first step after receiving a request for information is to search for any information which the organisation may hold. A helpful court decision (Ezsias v Welsh Ministers[1]) has suggested that any searches made in response to access requests must be reasonable and proportionate.  To work out what is necessary and proportionate, the court in Ezsias considered that the following factors could be relevant:

  • the cost of providing the information;

  • the length of time it may take to provide the information;

  • how difficult it would be to provide the information; and

  • the size of the organisation.

All these factors will have to be balanced against the effect of not disclosing the information on the individual making the request.

This guidance is helpful if it is difficult and costly for an organisation to retrieve archived information, or if the information is held on many sites.  It should be noted that the Ezsias case has been criticised for applying guidance and legislation out of context. However, the Ezsias case is the leading case in this area so despite the criticism it remains a good test to follow in the UK.

Does the information held fall under the DPA?

Is it in a relevant filing system?

The DPA only applies to information contained in electronic form, or information held in a relevant filing system. The Information Commissioner’s guidance suggests that in most cases, information held on a manual file would not amount to a “relevant filing system” for the purposes of the DPA. If an organisation does not have an organised system for holding paper records of personal data, then it should consider whether the information falls under the DPA.

Does the organisation process personal data?

The fact that an individual is named in a document does not mean that that document contains personal data. The leading case relating to access requests and personal data is Durant[2]. Durant suggested that for information to be personal data it had to be ‘biographical in a significant sense’ and the individual making the request has to be the focus of the information. In Durant, information about the FSA’s enquiry into Mr Durant’s complaint against Barclays bank was not personal data to Mr Durant.  This case has been followed by a number of freedom of information cases in the Information Tribunal.

A note on automated decision-taking

If the organisation is engaged in automated decision-taking, it has additional obligations under the DPA. If an organisation has decisions that are made electronically without human intervention (e.g. automatic scoring after biometric testing in graduate recruitment), an individual has a right to ask for information about any automated processing that has taken place(trade-secret information is, however, exempt). Additionally they can ask that the decision is retaken without the use of electronic means.

If an individual does not ask for information about automated processing, the organisation is not obliged to provide the information.

Bird & Bird Privacy & Data Protection

Bird & Bird is an international commercial law firm which combines leading edge legal expertise with an in-depth understanding of privacy & data protection issues in all industry sectors.

With offices in Belgium, China, Czech Republic, Finland, France, Germany, Hong Kong, Hungary, Italy, The Netherlands, Poland, Slovakia, Spain, Sweden and the UK and close ties with leading firms in the rest of Europe, Asia and North America, we offer our clients local expertise within a global context, helping them to realise their business goals both domestically and internationally.

All of our offices in Europe have dedicated privacy & data protection specialists. In countries where we do not have a physical presence, we work on a day-to-day basis with like-minded associate firms.  This includes trusted partner firms in every EU jurisdiction (and in many other jurisdictions across the world).


1 [2007] All ER (D)65
2 Michael John Durant v Financial Services Authority [2003] EWCA Civ 1746

Authors