Many firms in the financial services industry will be familiar with the need to reply to Subject Access Requests (SARs) from customers. These requests typically ask for a copy of all the personal data the firm holds concerning the individual.
The Information Commissioner’s Office (ICO) is now consulting on draft guidance on this ‘right of access’.
In addition to a copy of their personal data, individuals have a right to know the following:
- Confirmation that the firm is processing their personal data
- The organisations and other third parties the data may be passed to, together with details of the safeguards that are in place when data is shared with an organisation that is based overseas
- Why the firm needs to process the individual’s data
- How long the data will be retained – if the firm cannot give a precise timescale, it must instead explain its criteria for deciding how long the data will be held
- That they can request that their personal data be corrected or deleted
- That they can object to a firm processing their data
- That they have the right to complain to the ICO
Many firms comply with this requirement by providing the person who submitted the SAR with a link to the firm’s privacy statement, where the above issues should be explained.
Steps firms can take to ensure they comply with the right of access obligations include:
- Creating a data protection page on the firm’s website that contains links to the SAR procedures
- Providing training to staff that will allow them to identify an SAR and then know what to do when they receive a request
- Maintaining a record of SARs and what information was provided when replying to each request
Personal data are items of information in the firm’s possession that relate to a living person who can be identified from that information.
Firms must treat an SAR in the same way regardless of how the request was made – telephone, email, web enquiry form, personal visit, social media communication etc. The firm must then consider how to reply to the request, and if the SAR is made via social media it may not be appropriate to use the same medium for the reply. The information can be provided verbally if it is practical to do so, and if the individual consents.
A third party – such as a relative, friend or solicitor – can make a SAR on behalf of an individual. Before replying to such a request, the firm needs to ask for proof that the individual has granted permission to the third party to act on their behalf. For example, the individual may write a letter to the third party to give this permission. Alternatively, there may be a formal power of attorney in place.
On occasion, the same information might be personal data that relates to two or more different individuals. In these circumstances, where disclosing the data to one individual would allow them to see information about other individuals, the firm may be entitled to decide that it does not need to comply with the request. However, one sensible approach might be to obtain the consent of the other individuals before releasing the data to the individual who made the SAR.
Firms must reply to SARs within 30 days – or the next weekday if the 30th day falls on a weekend or public holiday – and cannot charge a fee, regardless of how long it took to locate the data. If the request is of a complex nature, or the individual made more than one SAR at the same time, firms have 90 days to reply, but must inform the individual of the reason for the extension.
The ICO invites responses to its consultation. The deadline for responses is February 12 2020.
The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware that the facts, circumstances or legal position may change after publication of the article.