Tech Insight : Explosion In Subject Access Requests

Following the recent Nigel Farage and Coutts Bank row, we look at what a Subject Access Request (SAR) is, how to make one, and why there appears to have been an explosion of them in recent times.  

What Happened Between Nigel Farage and Coutts? 

To summarise in a way that’s relevant to this article: in a chain of events starting at the end of June, British broadcaster and former UK politician Nigel Farage was informed by Coutts bank that, due to a “commercial decision”, it would no longer do business with him and was closing his account. The NatWest-owned Coutts bank is widely regarded as being a bank for wealthy people because to be a customer you famously need to maintain at least £1m in investments or borrowing (mortgage), or £3m in savings. Following several allegations and theories about why Coutts may have done this, Mr Farage submitted a SAR to find out exactly why. The 40-page document sent back to him by the bank revealed that staff at the bank had spent time compiling evidence on the “significant reputational risks of being associated with him”. The document was reported to have suggested that the bank didn’t want him as a customer because his views didn’t align with the firm’s “values”, e.g. Mr Farage’s position on LGBTQ+ rights and his friendship with former US president Donald Trump. In short, the document suggested that Mr Farage’s views were at odds with the bank’s position as an inclusive organisation. 

Although there are other aspects to this story, the relevant point here in terms of this tech-insight is that, were it not for the SAR, Mr Farage would not have known the reason, nor would he have received an apology (as he did, along with heads rolling at the bank). 

What Is A Subject Access Request (SAR)? 

A SAR (sometimes called a DSAR – data subject access request) allows an individual to ask an organisation for copies of any personal information that it holds about them. This legal right was granted under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 with the intention of empowering people to be aware of and understand how their personal data is being processed by organisations. 

How Do You Make A SAR? 

You can make a SAR in writing or electronically, i.e. by email or via an online form (check that it’s the right and appropriate form first). 

What Should You Write? 

The Information Commissioner’s Office (ICO) says that a SAR should include: 

– A clear title in the email / form subject line e.g., ‘subject access request’. 

– A comprehensive list, which it may be best to compile beforehand, of what personal data you want to access, and how you would like to receive the information.  

– It’s also important to include your full name and contact details (email address and phone number). 

It’s worth noting that a template request is available on the ICO website.

Then What Happens? 

Upon receiving a SAR, the organisation must respond within one month. In some cases, however, this period can be extended to two months if the request is complex or if the organisation receives multiple requests from the same individual. 

When responding to a SAR, an organisation must provide a copy of the requested personal data in a structured, commonly used, and machine-readable format. The response should include information about the purposes of the processing, the recipients or categories of recipients of the data, and the retention period for the data.  

Some Exemptions To Note 

There are, however, some exemptions to organisations having to send you a copy of the requested data, for example if the disclosure would reveal information about another individual or if it could prejudice criminal investigations or legal proceedings. 

Is It Free To Make A SAR? 

In most cases, organisations can’t charge a fee for handling a SAR. However, if the request is clearly unfounded, excessive, or repetitive, an organisation could decide to charge a reasonable fee or refuse to comply with the request. 

What If You’re Not Happy With The Response Or If There’s No Response? 

It’s a legal right so, unless an exemption can be proved, the organisation should respond. If, however, an individual believes that an organisation has not responded appropriately to their SAR or has mishandled their personal data, they can complain to the Information Commissioner’s Office (ICO). 

That said, from April 2022 to March 2023, 15,848 complaints related to Subject Access were reported to the ICO, prompting the ICO to publish a new guide on responding to subject access requests, and to warn companies not to get “caught out” by not responding, or responding poorly, and risking a fine or reprimand. 

Surge In SARs 

The press coverage of the Nigel Farage and Coutts story highlighted SARs, how useful and important they can be, and how they allow individuals to stand up to powerful organisations and gain control and transparency over the use of their personal data. That coverage will, no doubt, add to what could be described as an explosion of SARs since the legal right was granted with GDPR. For example, SARs are now often used by employees in dispute with their employer looking for information to use in their defence in negotiations or at an employment tribunal, and by celebrities, public figures, and politicians (e.g., to find out the plans and motives of opposition parties). 

What Does This Mean For Your Business? 

For any individual, SARs give them legal power to challenge organisations, a means of greater control and understanding about how their personal data is being processed by organisations, and a way to complain and get satisfaction if they’re not happy. SARs are a route to greater transparency and, as highlighted above, can be very useful in many situations, e.g. for employment tribunals. For businesses, SARs are a reminder of their data protection responsibilities under GDPR and of the need to comply or face financial and reputational consequences.

Several years down the line from the introduction of GDPR, businesses should already have a more organised and compliant way of handling data, and should have processes in place to ensure that SARs are assessed quickly and accurately and that the requested data is sent promptly in a structured, commonly used, and machine-readable format. With SARs now widely used, businesses need to be prepared.