Where you can, you should give a person the data they’ve asked for in a subject access request. On what grounds can a subject access request be refused entirely? When responding to a subject access request in these situations there can be lots to consider, but you can always contact us if you need help deciding what to do. You should look to disclose personal data if you can but it’s a balancing act in these circumstances. If you can’t get consent and it’s not reasonable to provide the information without it, then you should see if you can redact the other person’s information. You also need to think about what kind of information might be disclosed, as some information might be particularly sensitive. You need to bear in mind any duty of confidentiality you have to them. If you don’t have the consent of the other person, then you should think about whether it’s reasonable to provide that information without their consent. But you also need to think about what might happen if you disclose data about someone else.įirst, you should check to see if you need the other person’s consent to provide their information. In those situations, your aim should still be to release the personal data requested. But there may be occasions when the personal data you’ve pulled together includes information that’s closely linked to someone else. Most of the time, you should avoid disclosing information about other people. What should we do if some of the data we’re looking to provide when responding to a subject access request contains someone else’s personal data?
RETRIEVE ORIGINAL REDACTED EMAIL HOW TO
How to deal with a request for information: a step-by-step guide.If you need our advice on how to deal with a large amount of data when you’ve had a subject access request, you can contact us. In data protection law, if it’s ‘disproportionate’ then you don’t need to do it. You’re expected to do a reasonable amount of searching to find what you’ve been asked for, but you don’t need to check every single email or file if you feel it’s unlikely to relate to the request. If they request all their personal data, rather than information from a particular category or date range, you should gather all of that information as best you can. But you should be aware that the person is entitled to ask for all their personal data and so may not want to narrow it down. If you come across a very large amount of personal data while responding to a subject access request, it’s worth checking if the search can be narrowed.
This means the amount of information Rebecca needs to send is significantly reduced. Sian’s reply is that she’s only interested in information about her last performance appraisal. Without delay, Rebecca asks Sian if she requires something in particular or if she wants everything. Rebecca holds a lot of information relating to Sian.
Sian, who has worked at Rebecca’s golf club for 15 years and is also an active member of the club, has asked for a copy of all her personal data. She’s received a subject access request from Sian, one of her employees. It’s important to think about whether the information is about them or only includes their name.įor example, Rebecca owns a golf club. Who is responsible for responding to a subject access request?ĭo we need to provide everything that includes a person’s name when responding to a subject access request?.Do we always have to respond to a subject access request?.Can I charge a fee for a subject access request?.How do I decide whether a subject access request is complex?.What does the right to object mean, and when does it apply?.What if someone asks us to delete their data, but we need to keep it for a regulatory requirement?.How can I send information securely as part of a SAR?.How should I redact information before sending out a SAR?.On what grounds can a SAR be refused entirely?.When can I withhold information that someone has asked me to provide in a SAR?.What should we do if some of the data we’re looking to provide when responding to a right of access request contains someone else’s personal data?.We have a very large amount of personal data to consider in response to a subject access request.Do we need to provide everything that includes a person’s name when responding to a right of access request?.
0 kommentar(er)
