What are Subject Access Requests?
The Data Protection Act (DPA) was implemented into UK law in 1998 following a directive from Europe by way of the Data Protection Directive. It was designed to regulate the way personal data is used and stored. Section 1(1) of the DPA describes “personal data” being 'as being data which relates to a living individual who can be identified—
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;’
The DPA gives individuals the right to request any information by making a subject access request (SAR) from any organisation, company or body that holds information about them. It is exclusively for individuals and not organisations or companies and such like to utilise. The one exception to this rule is that a company, perhaps a solicitor, acting on behalf of an individual can make a SAR but the third party must consent beforehand.
The maximum fine for a DPA breach is a whopping, £500,000! If that’s not a deterrent I don’t know what is!
Please note that the DPA will be superseded by the General Data Protection Regulation on 25 May 2018
For a wealth of information regarding GDPR, visit the Qdos Resource Centre
