Subject Access Requests under the Data Protection Act 1998 (As amended) (“DPA”)
Am I a data controller?
If you have already notified your processing to the Information Commissioner you will have already made the decision that you are a data controller. If you have not notified your processing you should consider whether or not you are exempt from notification and whether in any event you process data about individuals. Please refer to the separate note on Data Protection Notification.
In summary, if you decide what data is to be processed and how, e.g. obtained, held or disclosed, you will be a data controller. For example, if you ask your clerks to keep and maintain records of individual solicitors (rather than firms) who have instructed you on a computer owned by your chambers, you would be a data controller in respect of this data.
What is a subject access request (SAR)?
A subject access request is a request from or on behalf of an individual (a data subject, not a company or partnership) which seeks to discover whether personal data of the data subject is being processed by you, as a data controller. The request must be made in writing and the fee, if required, must be provided[1]. The current maximum fee is £10.
How do I tell if I have received a SAR?
There is no statutory form for the request. It is therefore important to be aware that a request may not make any reference to the DPA or explicitly identify itself as a SAR. The inclusion of the fee is usually a good indication, but it is important to be alert to an initial request which may only later be followed by payment of the fee.
What do I do if I receive a SAR?
The first thing to do is to acknowledge receipt of the request and ensure that it complies with the statutory requirements (i.e. that it is in writing and that the fee is provided). There is no obligation under the DPA to respond to oral requests or requests in writing when the fee has not been paid (providing that you charge a fee). However, it would be sensible to acknowledge the receipt of written requests and indicate that it will not be responded to and why. If a fee is required, the data subject must be informed of this requirement.
If you reasonably require further information as to the identity of the data subject or to locate the information which that person seeks, you should write to inform the data subject of that requirement[2]. Until you receive the further information you do not have to comply with the request. However, it may be sensible to start considering at this stage, if that is possible, what actions would be required to collate the information you need to respond to the request. If you know that the data subject is not legally competent, e.g. a person who is the subject of a mental health order or a minor[3], ensure that the request is made with the authority of the person who has conduct of their affairs.
If the SAR is not the first request you have received from this individual and complied with, you will have to consider whether the requests are identical or similar and whether a reasonable interval has elapsed between the requests. In assessing whether the interval is reasonable you should consider the nature of the data, the purpose for which they are processed and the frequency with which the data are altered. If you decide that the requests are identical or similar and a reasonable interval has not elapsed you have no obligation to comply[4].
How long do I have to respond?
You must comply with the request promptly and, in any event, within 40 days from the date on which the request is received, or if later, when the fee or the further information is provided[5]. However, if the personal data consist of examination marks or other information for determining the results of an examination or in consequence of the determination of such results, the period for compliance runs for 5 months from this date or 40 days from the day on which the results of the exam are announced[6].
How do I comply?
You must tell the data subject whether you are processing any of their personal data[7]. This requires a consideration of the information that is being processed.
If you are not processing data in respect of the data subject, and it is important to remember that this includes holding the data, you can answer the request in the negative and you will have complied with the DPA.
If you are processing such data you have to:
(1) Confirm that such processing is being carried out[8].
(2) Provide a description of the data[9].
(3) Indicate the purpose(s) for which such processing is being performed[10].
(4) Indicate any Recipients or classes of Recipients (actual or intended) of the data[11].
(5) Provide a copy of the information constituting the data in intelligible form[12]. It must be supplied in permanent form unless this is not possible or would involve disproportionate effort[13].
(6) Provide any available information about the source of the data[14]. However, this may be subject to qualifications if it involves disclosure of personal data of a third party (as to which see “Third Party Data” below).
Paragraphs (1) and (2) will be met by providing the data. Paragraph (3) can be met by providing a description of the purposes akin to that included in your notification, if this remains accurate and is clear.
“Recipients” includes any person to whom the data are disclosed, and includes those processing data on your behalf (including employees and agents, for example your clerks and administrative staff), but not those to whom it is disclosed in response to an inquiry made in the exercise of a power conferred by law[15]. However, this may also involve disclosure of the personal data of third party individuals, and is subject to the considerations set out below under “Third Party Data”. If this is a problem you can simply describe the Recipients as a class, for example, “staff”.
The SAR relates to processing being carried out at the date when the request is received. However, if data would be amended or deleted in the normal course of events and regardless of the receipt of the request, you do not have to provide it[16]. For example, if your normal data retention policy is such that data is deleted 39 days after receipt or creation, you do not have to supply such data.
This is subject to qualification if the data consists of examination marks or similar information and where the period for compliance has been extended pursuant to Sch. 7, para. 8(2) DPA. In that case, the data must be provided by reference not only to the data when the request was received but also by reference to the data as held from then until compliance[17].
When considering whether you are processing and what you have to disclose the following issues should be addressed:
(1) What information about the data subject am I processing?
(2) Is it processed or intended to be processed automatically and therefore data?
(3) If not, is it held in a relevant filing system and therefore data?
(4) Is it personal data?
(5) Is it nevertheless exempted from compliance?
(6) Does it include personal data relating to third party individuals?
(7) What form does my response have to take?
(8) What happens if the data subject is not happy with my response?
(1) What information about the data subject am I processing?
This question involves consideration, investigation and identification of the information which you are processing and which is being processed on your behalf by others. You need to identify this information in order to assess whether it constitutes personal data. It should be remembered that this is not a disclosure-type exercise, in that it is the information which needs to be considered, not documents. At this stage you should not exclude from further consideration any information about the data subject which you are processing. If the information is not data or is not personal, this will become clear in the following steps.
(2) Is it processed or intended to be processed automatically and therefore data?
Is the information identified above held on computer or on CD-ROM or some other computer-readable means, such as floppy disks, ZIP disks etc? If so, it will be data[18]. If, however, it was held on computer in the past, was printed out and is no longer held by you or on your behalf on computer or computer-readable media, it will not necessarily be data. Manually organised files are considered below.
(3) Is the information held in a relevant filing system?
Even if the information is not processed automatically and is held on manual files it may still be data. If it is held in a “relevant filing system” as defined in the DPA it will be data[19]. The Court of Appeal has considered this definition and concluded that information stored only on manual files which are not indexed in such a way that the information can be searched in a way equivalent to an automated search will not normally be covered[20].
(4) Is it personal data?
Even if the information is “data” within the DPA, it is not necessarily “personal data”. In order to be personal data the data must be data which relates to an individual from which they can be identified or which together with other information in the barrister’s possession would enable such identification.
In Durant v FSA the Court of Appeal held that this definition should be construed narrowly, and that it is likely in most cases that only information that names or directly refers to the data subject will qualify. This means that not every mention of the data subject’s name will be personal data; the information must affect the privacy of the data subject in their personal or family life, their business or professional capacity.
If the information is biographical in a significant sense, that is, going beyond the recording of the data subject's involvement in a matter or an event that has no personal connotations, or if the information has the data subject as its focus rather than some other person with whom he may have been involved, this will probably be personal data.
(5) Is the data nevertheless exempted from compliance?
There are certain circumstances in which compliance with the SAR may be limited or excused. The following categories of exemptions may apply:
- National security[21], if the exemption is required for the purpose of safeguarding national security. In this context “required” is to be interpreted consistently with the European principle of proportionality.
- Prevention and detection of crime, apprehension and prosecution of offenders, assessment or collection of tax or duty or an imposition of a similar nature, but only to the extent that compliance is likely to prejudice such matters[22].
- Regulatory activity (e.g. for protecting the public from financial loss from misconduct or negligence in financial services, e.g. banking and insurance, from the conduct of bankrupts or from misconduct in other professions), but only to the extent that compliance would be likely to prejudice the proper function of such activity[23].
- Data processed only for journalistic, artistic or literary purposes (“the special purposes”[24]), but only if compliance is incompatible with the special purposes[25].
- Data processed only for statistical or historical purposes (“research purposes”), but only under certain conditions[26].
- Data which the data controller is required to make public by law[27].
- References given by you in confidence for the education, training or employment of the data subject[28].
- Compliance where disclosure of the personal data would be likely to prejudice the combat effectiveness of the armed forces[29].
- Personal data processed for assessing a person’s suitability for judicial office or for appointment as a QC or the conferment of an honour by the Crown[30].
- Personal data processed for the purpose of management forecasting or planning for a business or other activity, only to the extent that compliance would prejudice the conduct of the business or other activity[31].
- Personal data processed for corporate financial services, only to the extent that compliance could (or it is believed that it could) affect the price of an instrument which exists or may be created, or if the exemption is required to protect an important economic or financial interest in the UK[32].
- Records of the intentions of the data controller in relation to any negotiations with the data subject are exempt to the extent that compliance would prejudice such negotiations[33].
- Personal data consisting of information recorded by candidates during an examination are exempt from the SAR[34].
- Legal professional privilege, to the extent that a claim to such privilege could be maintained in legal proceedings[35].
- Self-incrimination: you need not comply with the request to the extent that such disclosure would reveal evidence of an offence (other than under the DPA) and thereby expose you to proceedings for that offence[36].
- Personal data which is processed for the purposes of assessing any person's suitability for the offices listed in the schedule to The Data Protection (Crown Appointments) Order 2000 (SI 2000/416) is exempted from compliance with the SAR.
- Personal data processed only for the purposes of your personal, family or household affairs are exempt from compliance with the SAR[37].
- Health, education and social services records (see below).
- Personal data the disclosure of which is restricted by specific enactments are exempted from compliance with the SAR[38].
There are more complex requirements with respect to Health, Social Services and Education records. It is not possible to provide a complete explanation in respect of those provisions in this summary. Those who are likely to hold such personal data are advised to consider the detailed provisions of the following SIs (although the position is briefly, and necessarily incompletely, set out below):
- The Data Protection (Subject Access Modification) (Health) Order 2000 (SI 2000/413)
- The Data Protection (Subject Access Modification) (Social Work) Order 2000 (SI 2000/415)
- The Data Protection (Subject Access Modification) (Education) Order 2000 (SI 2000/414)
Health Records
Compliance with the SAR by the disclosure of personal data consisting of information as to the physical or mental health or condition of the data subject is not required unless and until a health professional is consulted as to whether compliance would be likely to cause serious harm to the physical or mental health or condition of the data subject or any other person. If in the opinion of the health professional compliance would be likely to cause such harm, compliance with the SAR is not required.
Social services records
Personal data contained in records relating to personal social services functions are exempted from compliance with the SAR in any case to the extent that compliance would be likely to prejudice the carrying out of social work, by reason of the fact that serious harm to the physical or mental health or condition of the data subject or any other person would be likely to be caused.
Education records
Personal data in an educational record as defined in Sch. 11, para. 1 DPA is exempted from compliance with the SAR to the extent that compliance would be likely to cause serious harm to the physical or mental health or condition of the data subject or any other person.
Court processing
If the personal data consist of health or social services or educational records (as defined) which are processed by the Courts and which are contained in reports provided by a local authority or a Health and Social Services Board, a Health and Social Services Trust, a probation office or other person pursuant to certain enactments set out in the SIs (“the Rules”), and where the information may be withheld under the Rules by the court in whole or in part from the data subject, these are exempt from compliance with the SAR.
Please note that s. 27(5) DPA, which provides as follows:
“27(5) Except as provided by this Part, the subject information provisions shall have effect notwithstanding any enactment or rule of law prohibiting or restricting the disclosure, or authorising the withholding, of information.”
means that the exemptions provided for in Part III of the DPA (and in the SIs made thereunder) are a complete code of the exemptions from compliance with the SAR. You cannot have recourse to any other rule of law or enactment to avoid compliance.
(6) Does it include personal data relating to third party individuals?
See “Third Party Data” below.
(7) What form does my response have to take?
Your obligation is to provide the data in permanent and intelligible form, not the documents containing the data. This is not a disclosure-type exercise. However, it may be simpler to provide redacted copies of documents rather than retype the data in hard copy. If it is impossible or involves disproportionate effort, or if the data subject consents, you may provide the data in another form, e.g. soft copy, provided it is in intelligible form. It may be advantageous to retype the data if the nature of the document (even in redacted form) discloses information about third parties which may lead to their identification. For example, if the document is a prescription (an undisclosed document which has been scanned onto a CD-ROM), it may be more appropriate to re-type the personal data and omit the remainder.
Third Party Data
The personal data of the data subject may include references to other individuals. Although the data subject has a right to be provided with their personal data, this right has to be balanced against the rights of third parties in respect of their personal data. This is set out in ss. 7(4) - (6) and s. 8(7) DPA. The effect of these provisions is that you do not have to comply with the SAR to the extent that the personal data contains information relating to another individual who can be identified from that information, unless the third party has consented to disclosure or it is reasonable in all the circumstances to disclose it without consent.
Since you are required to provide information about recipients and sources of data, the third party considerations may apply to these as well.
When considering whether it is reasonable to disclose in the absence of consent, the following factors should be considered:
(a) any duty of confidentiality owed to the other individual,
(b) any steps taken by the data controller with a view to seeking the consent of the other individual,
(c) whether the other individual is capable of giving consent, and
(d) any express refusal of consent by the other individual.
Where, for example, an email contains not only the personal data of the data subject but also personal data of a third party, you must consider whether it is reasonable to disclose the personal data of the data subject to the extent that it enables the data subject to identify the third party. In making this assessment you should consider what information you know or reasonably believe is in the possession of the data subject which may enable them to identify the third party.
In assessing whether it is reasonable to disclose, the above factors are non-exclusive and other factors may affect your decision.
This does not excuse you from providing as much of the personal data of the data subject as is possible without the identifying material[39].
It may help to consider an example.
Your lay and professional clients fall out. You are no longer instructed in the case. During the case your professional client sent you several emails which contained very uncomplimentary opinions about your lay client which you have retained on your computer. The emails also contain information and instructions about another case in which you were instructed. Your policy on data retention is to delete your emails about every 6 months. Your lay client sends a valid SAR. He specifies that he is interested in any comments about him by your professional client with whom he now has a dispute.
The emails contain information about the data subject, which is processed automatically; therefore it is data. The data subject is the focus of the data; therefore it is personal data. However, it also includes references to your professional client.
You ask your professional client for his consent but he refuses to give it. The information in the email concerning the data subject was not given in confidence, but the instructions in the other case are the subject of legal professional privilege. In any event, those instructions do not relate to the data subject so that information can be redacted.
The data subject has given a specific reason for the information he seeks, so you have to take that reason into consideration when balancing the rights of your lay and professional clients in deciding whether to include the name of your professional client. You should also consider that the context of the information will probably render any attempt to redact the name of the professional client meaningless, since the lay client will know that it is unlikely that you will have received correspondence about him from any other person.
Despite the refusal of consent, the right of the data subject to be provided with a copy of the redacted email should take precedence; you are required to disclose the redacted email together with the name of the professional client as the source of the information.
(8) What happens if the data subject is not happy with my response?
If the data subject considers your response inadequate there are two avenues open to them. They may complain to the Information Commissioner that you have failed to comply with their request, or they can apply to the Court for an order under s. 7(9) DPA requiring you to comply.
If the Information Commissioner considers that subject access should have been given he may serve an information notice to determine if you are complying with the data protection principles (DPP)[40]. Failure to comply with the SAR is a breach of the 6th DPP[41]. Usually the Office of the Information Commissioner will enter into negotiations to resolve the matter, but if these fail, it may serve an enforcement notice requiring you to comply[42]. Failure to comply with an enforcement notice is a criminal offence. If you disagree with the information notice or the enforcement notice you can appeal them to the Information Tribunal. The burden of justifying the notices rests on the Information Commissioner[43].
If the application is made to the Court, the Court may consider the information which you hold on the data subject in order to assess whether you have complied. However, it cannot order its disclosure to the data subject unless and until it decides that you have failed to comply with the SAR[44].
Sources of Guidance
This note is necessarily a brief overview of the various provisions. Further guidance may be obtained from the Related Links section of this page.
You should also refer to:
- Data Protection: Law and Practice (2nd edn, 2003), Rosemary Jay and Angus Hamilton.
- Blackstone’s Guide to the Data Protection Act 1998, Peter Carey.
Notes
[1] s. 7(2) DPA
[2] s. 7(3) DPA
[3] The guidance provided by the Information Commissioner’s Office suggests that the question of legal competence must be addressed on a case by case basis, but that minors over the age of 12 may be considered sufficiently mature to make a SAR.
[4] ss. 8(3) and (4) DPA
[5] s. 7(8) DPA
[6] Sch. 7, para. 8 DPA
[7] s. 7(1)(a) DPA
[8] s. 7(1)(a) DPA
[9] s. 7(1)(b)(i) DPA
[10] s. 7(1)(b)(ii) DPA
[11] s. 7(1)(b)(iii) DPA
[12] s. 7(1)(c)(i) DPA
[13] s. 8(2)(a) DPA
[14] s. 7(1)(c)(ii) DPA
[15] s. 70(1) DPA
[16] s. 8(6) DPA
[17] Sch. 7, para. 8(3) DPA
[18] s. 1(1) DPA
[19] s. 1(12) DPA
[20] Durant v FSA [2003] EWCA Civ 1746 at [50]
[21] s. 28 DPA
[22] s. 29 DPA
[23] s. 31 DPA
[24] s. 3 DPA
[25] s. 32 DPA
[26] s. 33 DPA
[27] s. 34 DPA
[28] Sch. 7, para. 1 DPA
[29] Sch. 7, para. 2 DPA
[30] Sch. 7, para. 3 DPA
[31] Sch. 7, para. 5 DPA
[32] Sch. 7, para. 6 DPA
[33] Sch. 7, para. 7 DPA
[34] Sch. 7, para. 9 DPA
[35] Sch. 7, para. 10 DPA
[36] Sch. 7, para. 11 DPA
[37] s. 36 DPA
[38] The Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 (SI 2000/419)
[39] s. 7(5) DPA
[40] s. 43 DPA
[41] The 6th DPP: “Personal data shall be processed in accordance with the rights of data subjects under this Act.”
[42] s. 40 DPA
[43] s. 47 DPA
[44] s. 15(2) DPA
