Want to watch this video? Sign up for the course here. Or enter your email below to watch one free video.

Unlock This Video Now for FREE

This video is normally available to paying customers.
You may unlock this video for FREE. Enter your email address for instant access AND to receive ongoing updates and special discounts related to this topic.

The sixth data principle states that personal data shall be processed in accordance with the rights of data subjects, under the act.  This principle ensures that any data that is processed is processed in line with data subject’s rights.

One of the main rights under the Data Protection Act is as a data subject, you have a right to have access to any personal data that is collected about you. This known as a subject access request.

They may request to see a copy of the information that is held about them. However, for this to be a valid subject access, request it must be made in writing.  It does not have to refer to the data protection act itself or be in any standard format to be classed as a subject access request.

For a person who finds it impossible or unreasonably difficult to make a subject access request in writing organisations may have to make an exception to receiving a written request, under the Disability Discrimination Act 1995.

Information that is provided, must be in a format that can be understood by an average person. It does not have to be tailored to the individual.  However, organisations must take into account the format in which someone may require the information, for example, you may need to be in a large print, braille, or in an audio format.

Organisations must reply to a subject access request within 1 month of receiving the request and or a fee. In complying with the request they must state, whether any of the personal data is being processed and the details of the source of the data.

The individual must be supplied with a copy of the information held about them, together with a description of the personal data held, the reason why it is being processed, and whether it is being given to any other third parties.  If you are dealing with a subject access request, it is important that you ensure that the person requesting the data is the person for whom the data is held and therefore you may need to verify the persons’ identity before complying with the request.

The Act does allow for third parties to make subject access requests on behalf of others. For example a solicitor. Where this is the case you must be happy that the third party is entitled to act on behalf of that person.  Always refer to your manager if you are in doubt about releasing the information. Further information regarding this will be covered later in the course.

In the majority of circumstances when complying with subject access request you must only send the person the information that is held about them and not disclose information held about another person.

There are various exceptions and special rules which apply. In particular where the access to the information held about a person is likely to cause serious harm to the physical or mental health or condition of the data subject. For full details about subject access requests, please refer to the downloadable ICO Data Protection booklet.

The other part of this act covers the rights of individuals to object to data processing, examples are:
if it is likely to cause or is causing damage or distress:-

  • a right to prevent processing for direct marketing
  • a right to object to decisions being taken by automated means
  • a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed
  • a right to claim compensation for damages caused by a breach of the Act.