Request for Subject Access

Any written request for personal information  – by a customer for their information – should be processed in accordance with data protection legislation. 

This document is designed to help you through the process. 

Once a request for personal information is received by the business, the time limit for responding starts!  This is only one month under the General Data Protection Regulation so it is important that the request is passed to a central co-ordinator as soon as possible.   The receipt should be acknowledged.  

Do you have enough information in the Request to identify the subject of the data to be found?  Are you sure that the person making the request has the legal right to do so .  You can ask for more information if you need it. 

Search through all systems ( manual or electronic) for information.  Then go through all the documents to extract the personal information to be disclosed. Remember that expressions of opinion count.  It is not about disclosing whole documents, but the relevant data within those documents. 

THIRD PARTIES – any data about someone other than the data subject is a third party.  You should seek the consent of a third party to disclose their data IF it cannot be deleted from the data without destroying the data itself.  In most cases this should be possible.  You are responsible for the information the business holds so just make sure that the Response includes details of where you got the information from.  

You need to assess what is disclosable in each case. 


In the Response, you need to state that you are disclosing what is held and possible to disclose under the legislation.  You can withhold anything given to you by the requester but offer a copy if they wish it.  You can decide to include it but make sure the Requester is aware of what is the source of the data. 

You should give the Requester the opportunity to request a review by the business on what’s been disclosed if they think you haven’t released everything you should.  They also have the right to go to the Information Commissioner’s Office as well and you should provide contact details for them. 

Should you be in a position where you are aware of data held in archived storage, but it will take some time to collate it, then the best approach is to let the requester know this is the case.  You should not put yourself in a position where you could be accused or perceived to be using this as delaying tactics.