What is a subject access request (SAR)?
Under the GDPR, an individual has a right of access to information held about them by any organisation and to receive a response within one month, which is known as the Right of Subject Access.
North Kesteven District Council will ensure that the right of subject access to information held by the Council can be fully exercised by everyone. However, a Subject Access Request (SAR) only relates to personal data, and not to information relating to other people.
A SAR must be made in writing and enough information must be provided to judge whether the person making the request is the individual to whom the personal data relates. This is to avoid personal data about one individual being sent to another, accidentally or as a result of deception.
However, until the identification has been received, the Council will not process a request. The Council has one month (which we can extend in some circumstances) to respond to the request. A person will be required to confirm their identity and will usually be asked to provide the following:
- Full Name
- Address
- Date of Birth
- One Photographic piece of Evidence, such as, Passport, Driving Licence with photograph, Travel Pass with photograph and;
- One Other piece of Evidence, such as, Council Tax Bill, Utility Bill, Bank/Building Society Statement, Birth Certificate.
If a request is submitted to the Council, the individual is entitled to be told free of charge whether the Council holds any data about the person. If the Council does, the individual has the right:
- To be given a description of the data, the purposes for which the data are being processed, and those to whom the data may have been disclosed;
- To be given a copy of the data in an intelligible form enabling them to port the data to another provider, with any unintelligible terms explained;
- If there is a specific request, to be given an explanation as to how any decisions taken about an individual solely by automated means have been made;
- To have more power to withdraw their consent and have their data amended or deleted, known as the ‘right to be forgotten’.
However, it must be noted that some records cannot be deleted, even if the data subject has asked to ‘be forgotten’. This might be for reasons of financial regulatory compliance, or because the Council can show it has ‘legitimate’ reason for retaining and processing the data. In this instance, the Council may need to pseudonymise or anonymise the data the Council cannot legitimately delete to be compliant, but these will be reviewed on a case by case basis.
These rights apply to electronic data and to data in ‘manual’ (i.e. non-electronic) formats. If a request is for information other than information about themselves, such as information about decisions or actions by the Council, these cannot be submitted as a Subject Access Request. This would be a request under Freedom of Information legislation or Environmental Information Regulations.
The Council has a duty to protect the Data Protection rights and other legal rights of other individuals when we respond to SARs. Information which does not relate to the individual who submitted the request may be redacted, particularly if it relates to other individuals. Sometimes the Council may not be able to release data relating to the individual who submitted the request because doing so would also reveal information about other persons who have not consented to their data being released, and it would not be reasonable in the circumstances to release the data without their consent. In such cases, the individual who submitted the request will be informed that data about them has been withheld and the reasons for doing so.
Making a Request
SARs should be submitted to the Corporate Information Team via: