Step by step instructions on how to respond to a subject access request under the data protection legislation.
Whilst it is important that you do not send copies of personal information to people who are not the data subject, you must not appear obstructive.
Data Protection legislation requires you to take ‘reasonable measures’ to verify the identity of a data subject. You can often verify their identity from their circumstances, such as their address or signature.
For example, if the information being requested is a reference, the application form can help you verify their identity: is the signature or address on the application form the same as that given on the subject access request?
If you require further verification of the data subject’s identity you have two options.
- Telephone the individual and ask them two questions based on the information you hold about them, so as to confirm their identity.
- Write to the individual and ask them to send you a photocopy of their passport or driver's licence (this option will take longer, and it is also possible that the individual does not have a passport or driver's licence).
Check the data subject
Check that the record is actually about the person concerned and not about someone else.
You should only print out documents or emails which are about the person making the subject access request.
For example, an email might carry the subject line ‘Meeting about Tom Smith’ but if the email only contains details about whether people can attend the meeting, the email is not about Tom Smith.
Screening and Redacting
Once you have collected together the information we hold about a data subject, you must examine it in detail to establish if it should be disclosed.
This must be done on a case-by-case basis for each individual piece of information. In some cases you might have to disclose only parts of particular documents.
When answering a subject access request you may have to redact (‘blank out’) parts of a document which are not liable for disclosure.
Hard copy documents
- Print out the document or, if it is a paper record, make a photocopy.
- Using a black marker pen, blank out the exempt information.
- Make a photocopy of the blanked out version. This is the copy that will go to the person making the request.
Electronic documents
- Using the highlighter tool, highlight the exempt information in black.
- Save the blanked out version as a separate copy.
- Print out the document and send it to the data subject – do not send the document in electronic format, as it is possible the highlighting could be removed.
- Alternatively use Adobe Acrobat or similar software which has a redaction tool.
Screen out duplicate records
For example, if you have had an email exchange with some colleagues, you only need to print out the last email in the exchange if previous correspondence is included within it.
Remove data about other individuals
You should only disclose information which is about the person making the subject access request.
Where a document contains personal data about a number of individuals, including the data subject, you should not disclose the information about the third parties (unless you have their consent or it is otherwise reasonable to disclose the information).
- If the record is primarily about the data subject, with incidental information about others, you should consider blanking out the third party personal data.
- If the record is primarily about third parties, withhold it if blanking out is not feasible and the third party is not willing to consent.
Where the document contains personal data of a third party, we are required to balance the interests of the third party against the interests of the data subject and either withhold, redact and/or seek the third party’s consent.
References which have been provided in confidence will usually be exempt from disclosure.
Do not disclose any records which:
- contain advice from our lawyers
- contain requests for legal advice
- were written as part of obtaining legal advice
Do not disclose information which is being used, or may be used in future, in negotiations with the data subject, if the information gives away our negotiating position and disclosing the information would weaken our negotiating position.
You may discover material which does not reflect favourably on us. For example, you may find documents which show that standard procedures have not been followed, or documents which may cause offence to the data subject. These documents must be disclosed.
However, you should bring their contents to the attention of the relevant manager, and ensure that appropriate action is taken to address any issues they raise.
You must not destroy or refuse to disclose records because they would be embarrassing to disclose: this is a criminal offence if it is done after you know a subject access request has been made.