The ICO has issued a reminder to finance companies that they must handle subject access requests in a timely manner following a surge in demand for personal information in the wake of recent events such as the mass action over Payment Protection misselling.

A subject access request must be responded to within 40 calendar days of receiving it.  An organisation is, however, entitled to suspend the clock until it has received the following:-

  1. sufficient information to confirm the identity of the person making the request;
  2. any information that it reasonably requires to locate the requested personal data (for example, if it is contained in emails, the dates when the e-mails were sent and who sent them); and
  3. a fee for dealing with the request up to the £10 statutory maximum, if the organisation chooses to charge one.

A subject access request can be validly made by e-mail and need not refer to the Data Protection Act, nor be sent to the person in your organisation who normally deals with subject access requests.  It is therefore important to provide appropriate training and procedures to ensure that staff receiving subject access requests can identify them as such and deal with them accordingly.