How to respond to a subject access request: a step by step guide for organisations

30 April 2019

Subject access requests are quick and easy for an individual to make. But for any organisation receiving an SAR, many long hours and significant resources will be needed in order to properly respond. As with any difficult task, procrastination does not make responding any easier. Any individual dissatisfied with the speed or content of an organisation’s response will also find it quick and easy to complain to your organisation or the ICO. This SAR guide is intended to make responding to SARs as straightforward as possible. 
 

1. Recognise the subject access request 

A SAR is any request by an individual for their own personal data. Although it must be in writing, it can be sent to anyone in your organisation, by any means and in any form. It does not need to mention the GDPR or Data Protection Act 2018. It does not matter that the request incorrectly refers to the Freedom of Information Act 2000. 
 
A SAR does not simply entitle an individual to a copy of their own personal data. They are also entitled to receive a number of other pieces of information about how their personal data is being processed (Article 15 GDPR) including the purpose of processing the data, the source of the data and who the data has or will be shared with.
 
As soon as a request is identified, ensure that any routine data deletion or destruction processes are suspended with respect to the personal data of that individual. In addition, it is now a criminal offence to delete, destroy, alter or conceal personal data to frustrate a SAR (Section 173 DPA 2018).
 

 

2. Identify the individual making the subject access request

Before communicating with the individual, satisfy yourself with respect to their identity. The measures you take depend on what is reasonable in the circumstances. It may be reasonable to seek proof of identity (usually recent photographic ID and utility bill) from an unknown client but not an employee with who you are in day to day contact.  
 
A request may be made on behalf of an individual by a representative, for example, a solicitor. Seek reassurance that the individual has authorised the representative to make the request, correspond with you and receive the response on their behalf. Requests made on behalf of children need to be carefully considered with reference to the ICO’s guidance.  
 

 

3. Act swiftly and clarify the subject access request

You have one month to respond from the receipt of the SAR. It is possible to extend this period by a further two months in complex cases, although the individual should be informed as soon as this becomes apparent. 
 
Where the SAR is broad or unclear, the ICO strongly encourages organisations to contact the individual to clarify the personal data which they wish to receive. Although the individual is under no obligation to explain why they want the personal data or what they intend to do with it, they may be able to narrow the parameters of their request. This could include refining the data range or categories of information sought. It is useful to confirm at this stage whether the individual wants their own communications to / from the organisation to be disclosed.
 
Opening up a line of communication with the individual provides immediate reassurance that an organisation is taking its responsibilities seriously.   
 

 

4. identify personal data to be disclosed

Organisations are expected to be able to conduct reasonable and proportionate searches of its hard copy or electronic filing systems in order to identify the personal data belonging to the individual. This may include client / employee files, Outlook accounts and data held by data processors. All forms of information may fall to be disclosed, including audio recordings or CCTV footage. Data which has effectively been put beyond use may be excluded. 
 

What is personal data?

Personal data is broadly defined as any information relating to an individual who can be identified from that information (or in combination with other information in an organisation's possession). It does not matter that information does not refer to an individual by name, so long as they can be identified by other means, for example, their initials or ID number. Personal data may be known to the individual or within the public domain. Importantly, personal data includes any recorded opinion of that individual. 
 
The obligation upon the organisation is to disclose the information from the original document or record, but not necessarily the document or record itself. In many cases, providing the original document or record may be appropriate. In other cases, especially where there is a significant amount of mixed data (see below), it may be more appropriate to provide extracts of the personal data, so long as it is in an intelligible form. 
 

 

5. Identify personal data exemptions

There are a series of good reasons why personal data should not be disclosed, reflected within the range of exemptions to disclosure within Article 15 GDPR and schedules 2 – 4 of the Data Protection Act 2018, for example, where disclosure would prejudice defined public functions or communications are subject legal professional privilege. 
 
You are not required, and should not, disclose an individual’s personal data if this would adversely affect the rights of other individuals. This issue frequently arises with respect to mixed data such as email communications and meeting notes which are the personal data of the individual, as well as the others in the email chain or at the meeting. In determining whether to disclose this mixed data, consideration must be given to whether the third parties have consented to its disclosure or whether it is otherwise reasonable to disclose it. There are no easy rules of thumb to follow. Rather, careful consideration needs to be given to the specific content and context of this material. 
 

 

6. Securely disclose the personal data 

If a subject access request has been made electronically, the default expectation is that an organisation will provide the response electronically. However, it is good practice to check with the individual first. Especially where sensitive or special category data is being disclosed, ensure that this is disclosed in the most secure means possible.  
 

 

7. Keep a record of review and decisions made 

You should keep an audit trail of the request, including the sources of information which was collated, the review undertaken, key decisions made concerning whether information amounted to personal data and whether exemptions applied, the response provided and disclosure made, as well as all communications with the individual and other third parties. This will be essential if the individual seeks an internal review of the response or complains to the ICO. 
 

 

Further information

A review of ICO’s annual reports shows a steadily increasing number of complaints received in relation to subject access: 6,550 in 2014/2015, 6,883 in 2015/2016 , 7,709 in 2016/2017 and 8,197 in 2017/2018. 
 
Please see our related blog ‘Subject Access Requests under the GDPR: What employers need to know’. Should you have any queries relating to your organisation’s compliance with a subject access request, please contact Emily Carter or contact a member of our data protection team.
 
This blog should be used for information purposes only. The  information provided in this blog is based on current legislation and recent developments and should not be relied on as an exhaustive explanation of the law or the issues involved without seeking legal advice.

Latest blogs and news

Coaching, Teaching and Support Work in Lockdown: Safeguarding and Data Protection considerations when working with children online

The COVID-19 crisis has forced sports clubs, schools, universities and charities to rapidly change their approaches to coaching, teaching and support work. The regulations on social distancing have forced organisations to innovate; services which had previously been offered mostly or wholly in person were rapidly shifted online during “lockdown 1” and will return online at least for the duration of “lockdown 3”.  If the vaccine rollout has the desired effect there will no doubt be some return to “traditional” methods, but it seems very unlikely that the changes brought about by the pandemic will be completely reversed.  In this blog, Claire Parry from Kingsley Napley’s Regulatory team and Fred Allen from the Public Law team look at the challenges organisations face engaging with children online.

ICO enforcement action – key considerations for charities in the GDPR era

It is now more than two years since the Data Protection Act 2018 and GDPR came into force, significantly increasing the enforcement powers of the Information Commissioner’s Office (ICO). With the passing of the Act, the ICO gained the power to issue fines amounting to millions of pounds and increased powers to bring criminal prosecutions against organisations who fail to comply with the data protection regime.

The privacy dilemma surrounding the coronavirus contact tracing app

In late April we blogged about the NHSX developing a contact tracing app to help stop the spread of coronavirus and highlighted some of the privacy concerns that will need to be considered in the course of its development. Unfortunately, at the time of writing, the app is still yet to be released nationwide, although a beta version is being trialled on the Isle of Wight and development continues. In this blog we provide an update on the proposed functionality of the app and the privacy issues caused by that functionality which are delaying its release.

COVID-19 and contact tracing apps: A test of public confidence in data privacy?

Dominic Raab announced last week that the current UK lockdown would last for at least another three weeks. These restrictions are unlikely to be relaxed until a large scale plan is in place to track and restrict the spread of the virus. Part of this plan will involve the use of the NHS “contact tracing” app, which we have been told is in an advanced stage of development.

ICO enforcement – key considerations for businesses and organisations in 2020

On 23 May 2020, it will be two years since the Data Protection Act 2018 came in to force. The Act was brought in to compliment and supplement GDPR, and significantly increased the ICO’s enforcement powers. In the build-up to its commencement, there was a flurry of speculation about how these new powers would be used. We now look at the how the ICO has used its enforcements powers in 2019 and highlights key considerations for businesses and organisations in 2020.

An early Christmas present for the tech sector from the CMA?

The Competition and Markets Authority (“CMA”) has today (18 December 2019) given the tech sector an early Christmas present by publishing its interim report on its market study, commenced earlier this year, into online platforms and digital advertising.

Data protection for your business after a no-deal Brexit

At the time of writing, it is possible that the UK could exit the EU on 31 October 2019 (“exit date”) without a deal which means immediately leaving EU institutions such as the European Court of Justice without an agreement over what happens next.

“WhatsApp” with Dominic Grieve’s motion for Brexit communications?

Monday night’s marathon session in Parliament saw a number of issues debated into the small hours and further defeats for the government. While many raised important political and legal issues, one of particular interest to information lawyers, followers of Parliamentary procedure and journalists alike was the endorsement of a “Humble Address” motion brought by former Attorney General, Dominic Grieve.

Overhaul of SARS regime to be welcomed

The Law Commission has this week made an important intervention in the world of anti-money laundering with its report on the Suspicious Activity Report (SARs) regime, including an analysis of weaknesses of the current system and a series of recommendations to make things streamlined, clearer and above all more workable

WhatsApp messages: a treasure trove of evidence in team moves

The Court of Appeal’s judgement in Forse & ors v Secarma Ltd & ors is an important case on springboard injunction applications in employee competition and team move cases. It is also a prime example of how WhatsApp messages can provide crucial evidence in such cases.

How to respond to a subject access request: a step by step guide for organisations

Any individual dissatisfied with the speed or content of an organisation’s response to a SAR will find it quick and easy to complain to your organisation or the ICO. This guide is intended to make responding to SARs as straightforward as possible.

Innovation and data protection compliance: when opposites attract

Getting your black letter law data protection specialists to join your post-it wielding innovators on their bean bags might be challenging but it is important. Perhaps try breaking the ice with some table tennis and piano-led house music (a scientifically proven method).  

Our current Brexit options and the consequences for UK data protection law

EU leaders are due to meet today (1700 GMT) for an emergency summit dedicated to Brexit at which it is rumoured that they will grant an extension to the UK’s departure from the EU.  The infographic below sets out the possible Brexit options and what this might mean for UK data protection law. 

GDPR Compliance for US Companies

Focussing upon US companies considering their privacy policies and procedures in Silicon Valley and beyond, in this blog we consider the geographic scope of GDPR and the core business functions it impacts upon.

Brexit Update: EU-US Privacy Shield

On 20 December 2018, the US Department of Commerce issued updated standards of compliance for participants in the EU-US Privacy Shield Framework (“Privacy Shield”) to continue receiving personal data from the UK in reliance on the Privacy Shield after Brexit (which is due to take place on 29 March 2019). By way of a reminder, Privacy Shield is a framework for protecting the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes.

GDPR for the UK: Brexit and international transfers of personal data

With the UK due to leave the EU on 29 March 2019, UK Parliament is working towards creating new regulations to ensure that the UK’s data protection standards will be equivalent to EU law post-Brexit. The UK would use this as the basis for securing an adequacy decision from the European Commission meaning that our legal framework is deemed to provide adequate protection for individuals’ rights and freedoms over their personal data. As discussed in our previous blog, this would facilitate cross-border transfers of personal data and business continuity as the UK aims to trade with the single market on equal terms.

Care homes take heed: if you have failed to pay the ICO data protection fee you could be breaking the law

The Information Commissioner’s Office (ICO) has commenced formal enforcement action against care homes that have failed to pay the data protection fee.

GDPR and Brexit: the draft withdrawal agreement and data transfers from the EU

International transfers of personal data are instantaneous and constant. Everyday business functions such as uploading data files to the cloud or sending emails potentially involve transferring personal data across international borders. This is particularly relevant in today’s global economy where business functions are often outsourced overseas for operational and cost efficiencies.

Disclosure of Suspicious Activity Reports may not amount to Tipping-off, says High Court

The High Court has held that suspicious activity reports may amount to “personal data” for the purposes of the Data Protection Act 1998 (“DPA 1998”) and are potentially disclosable following a subject access request.

Data Protection Act 2018 and law enforcement: an introduction

Two months ago, the introduction of the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA”) significantly changed our data protection landscape (see our related blogs). Reference to “GDPR” became a daily occurrence in shops and offices, and received daily attention on social media and in the press.

Share insightLinkedIn Twitter Facebook Email to a friend Print

Email this page to a friend

We welcome views and opinions about the issues raised in this blog. Should you require specific advice in relation to personal circumstances, please use the form on the contact page.

Leave a comment

Data Protection Insights

Close Load more

Contact our specialist Data Protection Lawyers

+44 (0)20 7814 1200

gdprenquiries@kingsleynapley.co.uk

Skip to content Home About Us Insights Services Contact Accessibility