How to handle a Data Subject Access Request
- Supply the information to the individual within 40 days of receiving the request. Note that, having received the access request, you cannot change or delete the personal data which you hold just because you do not wish the data subject to see it.
- Provide the information in a form which will be clear to the ordinary person (e.g., any codes must be explained).
- Ensure that you give personal information only to the individual concerned (or someone acting on his or her behalf and with their authority). For instance, you normally would not provide such information by phone. If you do not keep any information on computer or in a relevant filing system about the individual making the request you should tell them so within the 40 days.
You are not obliged to refund any fee you may have charged for dealing with the access request should you find you do not, in fact, keep any data. However, the fee must be refunded if you do not comply with the request, or if you have to rectify, supplement or erase the personal data concerned.