The right of an individual to ask an organisation what information they hold about them was introduced by the Data Protection Act. It has become widely used by individuals in the UK and most organisations now have established procedures for dealing with such requests.
When the new European General Data Protection Regulation comes into force, this right will remain but with some important changes. You will need to ensure that you are fully compliant with the new legislation.
What can an individual ask my organisation for?
An individual can contact your organisation and ask if you process information about them. You are required to confirm whether or not you do and the categories of information you hold (e.g. contact details). They can also ask for access to the information that you hold.
What else does my organisation have to tell them?
An individual also has the right to ask your organisation:
- why you are processing the information;
- how long you will store the information;
- who you have shared that information with;
- if you did not receive the information directly from the individual, who provided you with the information;
- whether the information has been subject to automated decision making including profiling and where this applies other details about the decision making process.
Any correspondence with the individual should inform them of their rights to object to the processing and request that the information is amended, deleted or restricted. It should also give details of their right to complain to the Information Commissioners Office, if they are not satisfied with the outcome.
What should we check before disclosing any information?
An organisation must carry out the necessary identity checks to ensure that it has verified the identity of the individual requesting the information. Where a third party (e.g. a solicitor) is requesting information on behalf of an individual, the organisation must also be satisfied that the third party has the permission of the individual to request the information.
Can we charge for providing the information?
You are not allowed to charge for providing a copy of the information. However, if the individual asks for more than one copy of the information, then you can charge reasonable copying fees.
Where can we get specialist advice on this and other matters?
As experts in data protection law, Probert Legal can help you steer a path through the new legislation and ensure that your systems and procedures are robust.
For further information, please contact Tracey Wakelam at email@example.com