Policies
Data Subject Access Request Policy
What is the right of access?
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data, as well as other supplementary information. It helps individuals to understand how and why we are using their data, and check we are doing it lawfully.
How do we recognise a subject access request (SAR)?
An individual can make a DSAR verbally or in writing. A request is valid if it is clear that the individual is asking for their own personal data. An individual does not need to use a specific form of words, refer to legislation or direct the request to a specific contact.
An individual may ask a third party (e.g. a relative, friend or solicitor) to make a DSAR on their behalf. Before responding, we need to be satisfied that the third party is entitled to act on behalf of the individual. We will request this information in writing. It is the third party’s responsibility to provide evidence of their authority.
What we consider when responding to a request
We will comply with a DSAR without delay and at the latest within one month. We may extend this by up to two months if the request is complex or numerous.
If we process a large amount of information, we may ask you to clarify what your request relates to. The time limit is paused until we receive clarification, although we will supply what we can within one month.
Can we ask for ID?
Yes. We need to verify the identity of the requester (or the person on whose behalf the request is made). If we're unsure, we will request identity verification. The response time begins only after we receive this.
Can we charge a fee?
Not usually. In most cases, SARs are free of charge. However, we may charge a ‘reasonable fee’ for manifestly unfounded or excessive requests or for additional copies.
