An individual can make a request to an organisation for details of personal information that the organisation holds on him or her. Under the General Data Protection Regulations (GDPR), part of the Data Protection Act 2018, the regulations require that the processing of any personal data is done lawfully and is fair and transparent and that it is accurate. An individual can request information to ensure that the principles of processing personal data are complied with. A formal request can be made under the GDPR.

An individual has a right of access to obtain a copy of his or her personal data. This is so that the individual can understand how and why an organisation is using their data and to check that it is being used lawfully. This is known as a subject access request (SAR). An SAR must be responded to within a month.

If an individual is not satisfied that disclosure has been made then they can complain if necessary to the Information Commissioner’s Office (ICO). Court proceedings can also be issued to seek an order for compliance.

In the case of Parris v SHC Clemsfold Group LTD and SHC Rapkyns Group LTD, Claim No. D00BN516 [2019] we acted for the Claimant seeking an Order that the Defendants comply with a number of subject access requests made in 2016. Following a four day trial at Lewes County Court the Defendants (also known as Sussex Healthcare) were found not to have carried out adequate searches for the claimants personal data and were therefore in breach of their obligations to provide information. They were ordered to carry out further searches for further disclosure of information.

Here is a link to the judgment.