In the UK, you have a legal right to find out if an organisation is using or storing your personal data. All you must do is ask for a copy of this data.
This is called making a subject access request (SAR).
In this quick guide, you’ll find out:
Personally identifiable information (PII) describes any data that can be used to identify an individual, either on its own or along with other information. PII could include:
You have the right to obtain the following information:
You are only entitled to your own personal information (unless the information is also about you or you are acting on behalf of someone else).
You also have the right to limit how organisations use your data. To exercise your right, you should make your request directly to the organisation in question and be clear about why you want the data to be restricted.
In some circumstances, you can also object to an organisation using your data at all. For example, you have the right to stop an organisation from using your data for email marketing.
Crucially, you have the right to complain to the Information Commissioner’s Office (ICO) if you do not believe that the organisation is upholding your rights in this or any other data protection matter.
There are several ethical and privacy concerns over the use of profiling and automated decision-making about individuals.
In particular, women and people of BAME groups can find themselves discriminated against by companies that use automated decision making. But using technology and data to discriminate against individuals and automatically make decisions that harm them is not GDPR compliant. For example, under the General Data Protection Regulation (GDPR), the processing of biometric data (such as images of a person’s face) and the use of automated decision-making, including profiling, are only allowed in very explicit circumstances.
At KP Law, as well as representing our clients in data breaches, we also make sure our clients are compensated for any GDPR violations that impact their legal rights. And if you have been harmed because of algorithmic and automated decision-making processes, we can help.
You can make a SAR to find out if and how a company is using your PII to make automated decisions.
The Information Commissioner’s Office (ICO) is the UK’s data protection regulator. It exists to protect your information rights and uphold your data privacy. It also helps organisations to meet their obligations under the Data Protection Act (the UK’s interpretation of the GDPR).
If you discover that your personally identifiable information has been compromised in a data breach, you can ask the ICO to investigate why this happened. You can also contact the ICO if an organisation fails to respond to a SAR, or if it does not do so adequately.
The ICO has imposed substantial fines on organisations in breach of their duties. And, while the ICO does not award compensation to individuals, we can use evidence uncovered by the ICO to support your data protection compensation claim.
If you decide that you want to make a SAR, here are the steps you should take:
This should be listed on the organisation’s website (check the privacy policy usually found in the footer). If you can’t find this information, let the company know. If they don’t make it available, you can complain to the ICO.
Do you need everything an organisation has about you or just a specific piece of information? If you only need certain data and you want this quickly, it makes sense to be explicit. For example, you could ask if your data was exposed in a specific data breach.
You can make a SAR in writing, in person, or over the phone. However, we recommend that you put your request in writing. This provides a clear evidence trail if we need this at a later date.
When making a SAR, you should also include your name and contact details as well as any account or reference numbers.
Most organisations will provide what you need electronically, but if you want it in another format, you can ask if this is possible. An organisation only has to agree to this if it is reasonable to do so.
This will help if there are any delays or if they try to fob you off.
In some group action cases, we might be able to make a data request to an organisation on your behalf. However, where we cannot do this, or where you want to make your own request, the following template should help.
PRIVATE & CONFIDENTIAL
For the attention of:
Data Compliance Officer
{ORGANISATION}
[DATE]
Dear Sir/Madam
Subject Access Request
[Your Name]
[Your Address]
[Your Email Address]
I am writing to you to request access to my personal data pursuant to Article 15 of the General Data Protection Regulation (GDPR).
Please advise as to whether my personal data was disclosed inadvertently by you in the {DETAILS} privacy breach.
In particular, please provide details on the following regarding my data:
I anticipate a reply to my request within one month as required under Article 12 GDPR.
I look forward to receiving your response which I would prefer to receive via email.
Yours faithfully
[Signature]
A copy of your personal data should be provided free, although if you ask for extra copies, or if you ask for information that is ‘manifestly unfounded or excessive’, the organisation might charge a reasonable fee for administrative costs.
For example, you can make a SAR if you want to find out if information is being held about you and how it is being used. At KP Law, many of our clients make SARs to gather the evidence they need to start the compensation claim process following a data breach.
Data protection law requires organisations to respond to a request for data within one calendar month. However, they might need extra time to consider your request and, if so, can take an additional two months to do this. The organisation must let you know within one month if it needs more time and why. If the requested information is not provided in the timeframe, you can raise a complaint with the ICO.
While you can make more than one SAR, the organisation can refuse a request if they believe it to be ‘manifestly unfounded or excessive’.
Depending on the circumstances, they may also refuse a SAR if your data includes information about another individual. Again, if you think your request has been rejected unjustly, you can raise a complaint with the organisation in question, and if you remain dissatisfied, the ICO.
Organisations can also ask for further information to establish your identity, particularly where sensitive data is involved. However, such requests must be “reasonable and proportionate”.
Many organisations are either ignoring SARs or trying to fob people off with lengthy delays. So, what can you do if an organisation is failing to respond to your SAR?
If you are being told you need to pay for your data, ask why the charge is being made. You should also reference that you have the right to make a SAR for free under the Data Protection Act 2018. If you believe any fees to be unfair, you can complain to the organisation in question, and if the matter is not resolved, report your concerns to the ICO.
However, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the organisation can charge a reasonable fee, taking into account the administrative costs of providing the information.
If the requested information is not provided in the established timeframe, you can complain to the organisation, and if this does not help, raise a complaint with the ICO.
Firstly, you should write to the organisation explaining what information you think is missing. You should be as specific as possible. If you are still not happy with the organisation’s response, and it is not providing all the information you asked for, you can complain to the ICO.
While you can make more than one SAR, the organisation can refuse a request if they believe it to be ‘manifestly unfounded or excessive’. Depending on the circumstances, they may also deny a SAR if your data includes information about another individual.
However, they cannot just ignore you. They must still write to you and explain why your SAR is being refused. If you think your request has been rejected unjustly, you can raise a complaint with the organisation in question, and if you remain dissatisfied, the ICO.
If more than a month has passed since you made your SAR and you have not heard anything back, you should write to the organisation reminding them of your request and their obligations under the GDPR. If you still do not hear back from them, you should complain to them using their complaints process. And, if you are not happy with their response, you can complain to the ICO.
You have the right to get your data corrected or deleted. This means that you can challenge the accuracy of any personal data that an organisation holds about you and ask for it to be corrected, added to, or deleted.
Organisations have one month to respond to your request. However, an organisation may charge you a fee or deny your request if they think it is unfounded or excessive. If the organisation refuses to change their records, you can complain to the ICO.
However, there is a difference between information that is incorrect and information that you disagree with. For example, if you have a dispute with your doctor over a diagnosis, you cannot change your health records. However, you might be able to add a note to this record stating that you disagree with the medical opinion.
If you are worried about the way an organisation is handling your information, you should let them know about your concerns.
You might want to use this if an organisation is:
If you remain unhappy, you can also complain to the ICO.
KP Law has some of the most skilled data breach lawyers in England and Wales. Here are just some of our success stories.
KP Law is a founding member of the Collective Redress Lawyers Association (CORLA). CORLA aims to improve access to justice for claimants by way of collective redress.
