If you receive a subject access request from a customer or client then you must respond within 40 calendar days of receiving it.
You can charge a maximum of £10, agreed by law, for the cost of providing this information.
You may request further reasonable information that is required to enable you to find the data requested. This might be a policy number or date of birth and post code, for example.
You can also take reasonable steps to check the identity of the person making the request if the contact details they have given you do not match your records.
You can download the ICO’s Access Aware Toolkit online, designed specifically to help prompt colleagues to recognise a request for personal information, and know how to deal with it.
If Someone Makes a Subject Access Request
A data subject may also authorise a third party to request information on their behalf. This may be due to disability, legal action or through a claims management firm.
If you think the data subject may not understand, or be aware of, the type of personal information that would be disclosed to the third party who has made a subject access request on their behalf, you may send the response directly to the subject first, rather than straight to the third party.
The data subject may then choose to share the information with the third party after having had a chance to review it.