8.1 Subject Access Request (SAR)
Under data protection legislation individuals have the right to obtain confirmation, usually at no cost to themselves, that their data is being processed by the data controller and to receive copies of that personal data. In the case of security and surveillance systems this would typically be CCTV images or access control data.
It is the data controller who is responsible for complying with SARs, unless this has been contracted out to a data processor (in relation to personal data processed by that data processor). Nevertheless, the terms of the Data Processing Agreement between data controller and data processor will usually require the data processor to pass on the SAR to the data controller within a certain time period, and to provide reasonable assistance to the data controller so that the data controller can respond to the SAR in sufficient detail and within the time limit.
Before sharing any personal data you must verify the identity of the person making the request using “reasonable means”. In the case of a request for CCTV footage, this will usually mean photographic images to enable positive identification of the applicant, unless they are already known to you and you have verified that they are the one who made the request (e.g. because they did so in person). Parents can make applications on behalf of young children although particular care should be taken when deciding whether to disclose a child’s personal data.
Where data includes images or information about individuals other than the applicant, these data / images must be redacted unless it can be shown that it is reasonable to disclose those third parties’ information to the applicant, without the third parties’ consent.
Time Limit to Respond
The requested information must be provided without delay and at the latest within one month of receipt of the SAR.
You will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, you must inform the individual within one month of the receipt of the request and explain why the extension is necessary.
Right to Charge
You can only charge the individual making a SAR if and to the extent that:
- their request is manifestly unfounded or excessive (and you haven’t already refused to comply with the request – as explained below); or
- they are requesting further copies of the same information.
In either case you can charge a reasonable fee based on the administrative cost of providing the information.
Refusing to Comply
You can only refuse to comply with a SAR in extremely limited circumstances.
If a request is manifestly unfounded or excessive, you can refuse to comply with it, provided that you notify the individual of this decision and can justify the decision to the ICO if it is investigated.
There are also limited exemptions available under the Data Protection Act 2018. We strongly suggest taking specialist advice on the availability of these exemptions before choosing to rely upon one of them. One of the exemptions applies if disclosure might prejudice an ongoing criminal investigation. We expect this to be the most common exemption used by security and surveillance providers.
If you refuse to comply with a SAR, you must notify the individual of that fact in writing, giving the legal reasoning for your refusal. You must also inform them of their right to complain to the ICO and that they may be entitled to a judicial remedy. This notification must be given without undue delay and, at the latest, within one month from receipt of the SAR.