The data protection laws allow individuals certain rights in relation to their personal data. One such right is to access their personal information - this is also known as a subject access request (SAR).
In a recent case, a housing developer was prosecuted for failing to respond to a subject access request as required by the legislation. The prosecution came after the company ignored an enforcement notice from the UK's data watchdog, the Information Commissioner's Office (ICO), which ordered it to comply with the law.
What are the main rules?
The events behind this prosecution relate to an incident that occurred in 2017. At that time, the relevant legislation was the Data Protection Act 1998, which stated that the company had 40 calendar days to provide the required information. This did not happen; the individual complained to the ICO, and the enforcement notice followed.
What happened at court?
The company pleaded guilty to a charge of failing to comply with an enforcement notice. It was fined £300, with a £30 victim surcharge, and was ordered to pay £1,133.75 towards prosecution costs.
What can we learn from this?
As you may be aware, the GDPR and the Data Protection Act 2018 came into force on 25 May 2018. The new law changed some of the rules around SARs.
Main points include:
- A SAR does not require a specific format: it can be made by letter, by email or verbally;
- Organisations must act on the request without undue delay and at the latest within one month of receipt;
- In most cases organisations cannot charge a fee to deal with a request;
- Organisations must provide specified information to the person making the request;
- There are clear rules around calculating the one month time limit.