What is the right of access?

The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data from you, as well as other supplementary information.

It is a fundamental right for individuals. It helps them understand how and why you are using their data and check you are doing it lawfully.

What is an individual entitled to?

Individuals have the right to obtain the following from a controller:

• confirmation that you are processing their personal data;
• a copy of their personal data; and
• other supplementary information.

In most cases, you can confirm whether you are processing their personal data in general terms. However, this will depend on the nature of the request. If the request is for a specific piece of information, you should be able to confirm or deny whether you are processing this information.

What other information is an individual entitled to?

Individuals have the right to receive the following information (which largely corresponds with the information that you should provide in a privacy notice):

• your purposes for processing;
• categories of personal data you’re processing;
• recipients or categories of recipient you have or will be disclosing the personal data to (including recipients or categories of recipients in third countries or international organisations);
• your retention period for storing the personal data or, where this is not possible, the criteria for determining how long you will store it;
• the individual’s right to request rectification, erasure or restriction or to object to processing;
• the individual’s right to lodge a complaint with the Information Commissioner’s Office (ICO);
• information about the source of the data, if you did not obtain it directly from the individual;
• whether or not you use automated decision-making (including profiling) and information about the logic involved, as well as the significance and envisaged consequences of the processing for the individual; and
• the safeguards you have provided where personal data has or will be transferred to a third country or international organisation.

When responding to a subject access request (SAR), you must remember to supply this information in addition to a copy of the personal data itself. If you provide this information in your privacy notice, you can include a link to or a copy of your privacy notice. Please see our guidance on the right to be informed for further information.

Are individuals only entitled to their own personal data?

Yes. Under the right of access, an individual is only entitled to their own personal data. They are not entitled to information relating to other people, unless:

• their data also relates to other individuals (see ‘What should we do if the request involves information about other individuals?’); or
• they are exercising another individual’s right of access on their behalf (see ‘Can a request be made on behalf of someone?’).

Before you can respond to a SAR, you need to decide whether the information you hold is personal data and, if so, who it relates to.

The UK General Data Protection Regulation (UK GDPR) says that, for information to be personal data, it must relate to a living person who is identifiable from that information (directly or indirectly). The context in which you hold information, and the way you use it, can have a bearing on whether it relates to an individual and therefore if it is the individual’s personal data.

In most cases, it is obvious whether the information is personal data, but we have produced guidance on what is personal data to help you decide if it is unclear.

The same information may be the personal data of two (or more) individuals. An exemption may apply, if responding to a SAR involves providing information that relates to both the individual making the request and to another individual. Please see ‘What should we do if the request involves information about other individuals?’ for more information.

Who is responsible for responding to a request?

Controllers are responsible for complying with SARs, not processors. If you use a processor, you need to have contractual arrangements in place to guarantee that you can deal with SARs properly, irrespective of whether they are sent to you or the processor. The processor must help you meet your obligations for SARs and you should make this clear in the agreement between your two parties. Please read our guidance on contracts between controllers and processors for more information.

In some cases the processor may hold personal data on your behalf (and you, as controller, do not hold that data). If so, you should be able to require the processor to search for this data and, if necessary, give you a copy. However, it is your responsibility, as controller, to decide whether individuals need to provide clarification, or if a request is manifestly excessive, for example.

If you are a joint controller, you need to have a transparent arrangement in place with your fellow joint controller(s) which sets out how you deal with SARs. You may choose to specify a central point of contact for individuals. However, individuals must still be able to exercise their rights against each controller. It is also good practice to make each joint controller aware of every SAR.

If you are unsure whether you are a controller, joint controller or processor, please read our guidance on controllers and processors.

Example

An employer is reviewing staffing and pay, which involves collecting information from and about a representative sample of staff. A third-party processor is analysing the information.

The employer receives a SAR from a member of staff. The employer needs information held by the processor to respond. The employer is the controller for this information and should instruct the processor to retrieve any personal data that relates to the member of staff.