Right of access to personal data: new guidance

5 Feb 2020

The right of access (known as subject access) is a fundamental right of the General Data Protection Regulation (GDPR). It allows individuals to find out what personal data is held about them and to obtain a copy of that data.

Following on from the initial GDPR guidance on this right (published in April 2018), the ICO has now drafted more detailed guidance that explains the rights individuals have to access their personal data and the obligations on controllers. The draft guidance also explores the special rules involving certain categories of personal data, how to deal with requests involving the personal data of others, and the exemptions that are most likely to apply in practice when handling a request.

As the guidance explains, individuals have the right to obtain the following from a controller:

  • Confirmation that you are processing their personal data;
  • A copy of their personal data; and
  • Other supplementary information.

Individuals also have the right to receive the following information (which largely corresponds with the information that you should provide in a privacy notice):

  • Your purposes for processing;
  • Categories of personal data you’re processing;
  • Recipients or categories of recipient you have disclosed or will be disclosing the personal data to (including recipients or categories of recipients in third countries or international organisations);
  • Your retention period for storing the personal data or, where this is not possible, the criteria for determining how long you will store it;
  • The individual’s right to request rectification, erasure or restriction or to object to processing;
  • The individual’s right to lodge a complaint with the Information Commissioner’s Office (ICO) or another supervisory authority;
  • Information about the source of the data, if it was not obtained directly from the individual;
  • The existence of automated decision-making (including profiling) and information about the logic involved, as well as the significance and envisaged consequences of the processing for the individual; and
  • The safeguards you have provided where personal data has been or will be transferred to a third country or international organisation.

Under the right of access, an individual is only entitled to their own personal data.

The ICO is running a consultation on the draft guidance to gather the views of stakeholders and the public. The consultation closes on 20 February.

You can respond to this consultation via the online survey or you can download the document and email it to: SARguidance@ico.org.uk
