Right of access (RoA) / data subject access requests (DSAR) policy and procedure

Who can make requests

Living persons

A subject access request is most often made by the “data subject” who wants to see a copy of the information that an organisation holds about them. However, subject access goes further than this and an individual is entitled to be:

  • Told whether any personal data is being processed
  • Given a description of the personal data, the reasons it is being processed
  • Told whether it will be given to any other organisations or people
  • Given a copy of the personal data
  • Given details of the source of the data (where this is available)

General third party

A third party, e.g. solicitor, may make a valid request on behalf of an individual. However, where a request is made by a third party on behalf of another living individual, appropriate and adequate proof of that individuals consent or evidence of a legal right to act on behalf of that individual exist e.g. power of attorney must be provided by the third party.

Requests on behalf of children

Even if a child is too young to understand the implications of subject access rights, information about them is still their personal data and does not belong to anyone else, such as a parent or guardian. So it is the child who has a right of access to the information held about them, even though in the case of young children these rights are likely to be exercised by those with parental responsibility for them.

Before responding to a DSAR made by someone with parental responsibility about a relevant child for information held, you should consider whether the child is mature enough to understand their rights. If they are, the request should come from or with the expressed consent of the child.

As a guide the Data Protection legislation and ICO indicate that a child is only likely to have capacity to make decisions about Data Protection issues if they are aged 13 years or over.