Relevant for: all organisations

How do I deal with a Subject Access Request?

Author: Rob Birley

A Subject Access Request (SAR) gives an individual the right to obtain a copy of the personal data an organisation holds about them, together with supplementary information such as where the data came from, what it is being used for and who it is shared with. An organisation must respond to a SAR within one month of receiving it. That period can be extended by up to a further two months if the request is complex or the individual has made a number of requests; if you rely on an extension, you must tell the requester within the first month and explain why.

What should you do if you receive a Subject Access Request?

If you receive a SAR, it helps to be prepared and to take a proactive approach. The best way to be ready is to comply with the UK GDPR and the Data Protection Act 2018 as a matter of course. If you are open with your employees about what personal data you hold about them and ensure that it is accurate, you have nothing to fear. In short, be transparent about what the organisation does with this data.

Ways in which you can prepare:

• Make information available on how to make a SAR. This could be on your website, in a policy or in your privacy notice.

• Provide training to all staff on what they should do if they receive a SAR, since a request can arrive through any channel and any member of staff.

• Create a dedicated data protection page for employees with links to your SAR policies.

• Appoint a specific person or team to respond to requests, ensuring that, where possible, more than one member of staff knows how to process a SAR.

• Maintain a register which states where and how you store personal data, so that a search for one person's data does not depend on individual memory.

• Maintain a log of the SARs you have received and keep it updated to monitor progress against the deadline.

• Have documented retention and deletion policies for the personal data you process.

• Have measures in place to send information securely, e.g. a process for confirming the requester's identity and checking the destination email address before anything is sent.

• Have a well-structured file plan.

What information can be requested under a Subject Access Request?

If you receive a SAR that isn't specific, you can ask the requester to clarify what they are looking for. When this happens, the time limit for responding is paused until you receive the clarification. This is known as "stopping the clock". Ask for clarification promptly, and only where you genuinely need it; it is not a way of delaying a response to a request that is already clear enough to act on.

The UK GDPR places a high expectation on an organisation to provide information in response to a SAR. You should make reasonable efforts to find and retrieve the requested information. However, you are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information. The ICO will not seek to take enforcement action against an organisation that has failed to use extreme measures to recreate previously 'deleted' personal data held in electronic form. The right of access applies irrespective of whether the personal data you process is stored in one location or in many different locations, so a search has to cover every system and medium in which the requester's data may be held.

You are only obliged to provide personal data in response to a SAR if you are the controller for that data. Information that staff hold for business purposes on their own devices or in their own accounts can still be within scope, so it is good practice to have a policy restricting the circumstances in which staff may hold information about customers, contacts or other employees on their own devices, in private email accounts or on private instant messaging applications.

Can I delete data following a Subject Access Request?

A SAR relates to the data you held at the time you received the request. However, in many cases, routine use of the data may result in it being amended or even deleted while you are dealing with the request. It is reasonable for you to supply the information you hold when you respond, even if this is different from what you held when you received the request.

However, it is not acceptable to amend or delete the data if you would not otherwise have done so. Under the DPA 2018, it is a criminal offence to alter, block, erase, destroy or conceal information with the intention of preventing its disclosure in response to a request, so any routine deletion that runs while a SAR is open should be demonstrably the normal application of your retention policy.

How do I recognise a SAR?

Standard forms can make it easier for you to recognise a SAR and for individuals to let you know what they are requesting. You could consider designing a subject access form that individuals can complete and submit to you electronically. However, you should note that a SAR is equally valid whether an individual submits it to you by letter, email or verbally, and you cannot insist that they use your form. An individual may prefer a third party (e.g. a relative, friend or solicitor) to make a SAR on their behalf. The UK GDPR does not prevent this, but you need to be satisfied that the third party making the request is entitled to act on behalf of the individual, for example by seeing written authority from the individual.

It is not uncommon for a request to mistakenly state that it is a freedom of information (FOI) request. If, in fact, it relates to the requester’s personal data, you must treat it as a SAR.

Can you refuse to respond to a SAR?

The right of access is broad, but it does not mean you are always obliged to provide everything requested. (The rule that any person may ask a public authority for information it holds, and the cost limit that goes with it, belongs to the freedom of information regime, not to SARs.) Under the UK GDPR you can refuse to act on a SAR, or charge a reasonable fee for dealing with it, where the request is manifestly unfounded or excessive. Examples of when that applies are:

• The request repeats a previous request from the same person without a reasonable interval having passed.
• The burden of responding is clearly disproportionate, taking into account the resources required and the importance of the information to the requester.
• The request is vexatious, i.e. made with no genuine purpose other than to cause disruption or harass.

If you refuse, you must tell the requester why without undue delay and at the latest within one month, and inform them of their right to complain to the ICO and to seek a judicial remedy.

If you fail to comply with a SAR, the requester may apply for a court order requiring you to comply. The requester can also make a formal complaint to the ICO about the refusal.

Can text messages be included in a SAR?

A SAR requires you to search all the places where you might hold personal data about the requester, including every medium your business uses to communicate, for example WhatsApp messages, text messages and emails. Messages sent or received for business purposes on a staff member's own phone can be within scope, which is another reason to have a clear policy on the use of personal devices and accounts.

Where can I get more information?

The ICO publishes useful guidance on the right of access and how to manage SARs.

We can help you implement cost-effective, GDPR-compliant systems to help you manage your data safely. For a free trial of Breathe HR of up to two months, get in touch today.