Failing to respond to a subject access request (SAR) can result in a financial penalty from the ICO or an enforcement notice. So while it may seem daunting, and can be time consuming, it is in an organisation’s interest to comply.
A SAR occurs when an individual requests access to their personal data. If someone makes a SAR, follow these tips to ensure you provide the correct information quickly and efficiently.
- Be prepared. If you are reading this before you receive a SAR, put a team and policies in place to deal with them. Keep a list of all the systems and locations where personal data is stored. Remember it is not just emails, it can be text messages, spreadsheets, management information etc. Having contacts and processes established in advance will help you respond to a SAR more efficiently.
- Ensure you have all the right documents. This will include the request itself (which has to be in writing, and could be by email, for example) and confirmation of their identity (such as a driver’s licence or passport). They should also pay you a £10 fee, although this is not compulsory if you do not want to request it. The 40 day deadline only starts once you have all this.
- Consider asking for more information. You cannot require the requester to narrow the scope of their subject access request, but you do not have to comply with the SAR until you have received the information that you reasonably require in order to respond and locate the information sought. For example, can you identify the custodians of the data (i.e. the email accounts to be searched) and the search terms that should be used?
- Don’t delay! Do not underestimate how long it could take you to respond to a SAR. Once you do have all the required information, then make sure to act promptly and start locating the data as soon as possible.
- Do not forget hard copy data. You do not need to search through all papers, but you do need to search “relevant filing systems”, such as personnel files. A test to determine if hard copy documents are in a “relevant filing system” is 'would a temporary admin assistant be able to locate the information?'.
- Consider any cross border issues. Even though the Data Protection Act 1998 is derived from EU law, it is implemented differently in each member state. There can be even greater differences between other jurisdictions, such as the US. If information is held in another country, you will need to consider whether it is in breach of local laws to treat data stored in that location in accordance with UK principles.
- Remember, they are only entitled to their personal data. Remember to redact information relating to other individuals unless you have their consent or it is reasonable in all the circumstances to comply with the request without it. Otherwise, it may be in breach of your duties to those third parties. This requires careful consideration – there are circumstances in which it may be appropriate to disclose information about other individuals.
- Consider whether an exemption applies. Personal data can be exempt from disclosure. For example, if the information is legally privileged. If you have sought legal advice at any point, make sure to limit its dispersal. Legal privilege can be lost when forwarding an email widely, therefore making it disclosable.
- Think about how to present the data. They are entitled to a copy of their personal data, not the document that their personal data is contained in. This can be helpful. It allows your organisation to consider how best to provide the information. Is this via redacted documents, or a spreadsheet that contains all the personal data in one place?
- Take time and care when drafting the response letter. Keep a contemporaneous record of your searches and the steps that you have taken. This will make drafting your response easier, and make it less likely that you will forget to include a summary of a search you have undertaken or an exemption that you have relied upon. Comprehensive disclosure will leave little room for criticism.
Important note - Since this blog was published, the General Data Protection Regulation (‘GDPR’) has come into force and the content of this blog has not been updated to reflect the new regime.
Should you have any SAR, GDPR and Data Protection queries please contact our data protection team.