The administration of a subject access request can be complex and costly, and there are a number of practical considerations to bear in mind:
- the data subject’s motives for seeking access are irrelevant
- the data subject is not entitled to documents – he or she is only entitled to personal data. If a data controller chooses to comply by supplying documents, that is the controller’s decision alone
- if the data controller has poor retention procedures (see Principle 5), the cost of administration of a subject access request will be higher, as the data controller will have more personal data to find
- network and non-network devices and systems need to be searched, as do archives, back-up systems and those used by data processors
- where providing access to the data subject’s personal data would necessarily involve disclosing personal data relating to another person, you may, in some cases, need the consent of that other person (unless his or her personal data can be redacted)
The cost of administering a subject access request is likely to be significant and, in most cases, you cannot charge a fee. You should, therefore, have good data management and streamlined processes to ease this burden.