Data Protection

DATA SUBJECT ACCESS REQUEST PROCEDURE

You have the right to ask us if we are using or storing your personal information. You can also ask us for copies of your personal information. This is called the right of access and is also known as making a data subject access request, abbreviated in this procedure to “a DSAR”. Anyone can make a DSAR and you don’t need a solicitor or a lawyer to do so.


If you make a DSAR, we usually have one month to respond to it.

 

How do I send my data subject access request?

The easiest way to make a DSAR is to Email Ian Carey who is our Data Protection Officer (email at dataprotection@careyslaw.co.uk).


You can also make requests by post, by telephone, online or face to face. If you do this, make sure to keep records of when you made your request and who you spoke to, where relevant.


Provide proof identification (if asked)

ID checks are sometimes needed to check you are the person asking for the information and to protect your personal information. When asked for ID, you should provide it.


Provide more information (if asked)

We may ask you for more information about what it is you are requesting. This may be for example where we have lots of information about you and want to narrow down our search; or we will struggle to respond to the DSAR without it, e.g. we don’t understand what you are asking for; or if you have made a similar DSAR in the past and we want to know if you want the same information or new information.


Where we contact you to ask for more information, we can stop dealing with your request until you reply.


When will we reply?

We usually will have one month to reply to your request. If your request is unclear, we may seek further clarification from you and may If necessary, stop the clock until you clarify what information you are looking for. When we ask you for ID, the clock only starts when we receive what we need from you.


If you’ve made a number of requests or your request is complex, we may need extra time to consider it. We can require up to an extra two months to respond depending on the nature of your request. If so, we will let you know within one month of getting your request, and will explain why we are taking longer to deal with it.


How much does a data subject access request cost?

Normally, we will not charge for responding to your DSAR.  We may charge a reasonable fee to cover our administrative costs if your request is manifestly unfounded or excessive. We can also charge a fee if you ask for further copies of your information following a request.


What will we send back to you?

If we have the information you asked for, we will provide you with copies of it unless there is a good reason for not doing so in which case we will tell you why.


Can we send you partial or incomplete documents?

Yes. We do not have to give you full copies of the original documents you have requested. You can only get your personal information that’s contained in the documents. This might mean you get new documents that only contain your information, or original documents with certain information removed or edited out. This is commonly known as ‘redaction’.


How will we send the information to you?

If you have said how you would like to receive the information (e.g. electronically or by post), we will send it in that format where possible.


However, where you have requested large amounts of information, you may want to discuss the best way for us to send you the information.


We will not ask you to take action to receive this information (e.g. by downloading particular software or collecting it from their premises) unless you have agreed to do so.


We will take steps to help you with your DSAR if you have a physical or cognitive impairment or have difficulty accessing or understanding information.


What if we no longer have the information you’ve requested?

We do periodically delete or destroy information because data protection law says we should not keep information for longer than we need it.


We do not always have to give you all or any of the information you request. We may withhold some, or all, of your personal information where an exemption applies.  Where there is an exemption, we will:


  • tell you why we are not completing your request for information;
  • explain our decision; and
  • tell you how you can challenge our decision (e.g. by submitting a complaint).

Sometimes we can refuse some or all of your request without telling you why and we do not always need to tell you if we do or don’t hold the requested information. Some common exemptions include:


‘Manifestly unfounded’ requests

Manifestly unfounded means we believe you are not making a DSAR because you truly want to exercise your legal right of access.


Examples of when your request may be manifestly unfounded include:

  • having no clear intention of exercising your right of access (e.g. if you make a request but then offer to withdraw it in return for some form of benefit); or
  • if you are using your request to harass or cause disruption to us or to a client we represent.
‘Excessive’ requests

There is no set meaning of what makes a data subject access request ‘excessive’. However, we will consider whether the request is clearly unreasonable such as when:

  • it overlaps with other, previous requests for similar information (particularly if we haven’t had the chance to respond to your first request); or
  • your request asks for the same information as previous requests , but not enough time has passed (e.g. you’re aware your information hasn’t changed).

We consider each request on a case-by-case basis and where we decide information cannot be provided we will explain our reasoning to you and the ICO if necessary.


Legal professional privilege

If your personal information is discussed or included in confidential communications between our firm and our legal advisors (including in-house legal teams), or it relates to an ongoing matter in which legal advice is being provided or where legal proceedings are being contemplated or progressed, then we don’t have to give it to you as part of your request. This information is considered ‘privileged’, which means it should remain confidential between our firm and the other relevant party or parties.


Complain to us

If it has been over one month since you made your request and you’ve not heard from us, you should send a follow up email or letter.

 

If you’ve already received a response to your DSAR, but are unhappy for any reason, you should raise a complaint with Ian Carey, Data Protection Officer at the firm. We recommend you do this by email, where possible to dataprotection@careyslaw.co.uk.


If you think personal information is missing from the response, you should clearly list what other information you think we have. This will help Ian Carey review our records.


Complain to the ICO

If you are not satisfied with our response to your complaint, you can complain to the ICO (further information on this can be found on the ICO website at: https://ico.org.uk/make-a-complaint/data-protection-complaints).

Talk to us

Have any questions? We are always open to talk about your legal requirements.