The Information Commissioner’s Office (ICO) can and does take action against organisations for failure to respond to Subject Access Requests (SARs) in an adequate timeframe. A SAR must be responded to within one month (and in some cases up to three months); however, the ICO has found that some organisations repeatedly fail to meet this legal deadline. Last year, the ICO fined several organisations for such failures.
Here, we take the opportunity to explore how to deal with a SAR.
What is a SAR and why is it important?
Under the Data Protection Act 2018 (DPA), individuals have the right to make a request to an organisation to have access to and receive a copy of their personal data. A SAR is simply a request to an organisation asking for copies of personal data (and other supplementary information) that the organisation holds in relation to the person making the request. The purpose of SARs is to enable people to understand how and why their data is being used by an organisation and to check that it is being used lawfully.
How to deal with a Subject Access Request
- Identify the SAR
A SAR is a request by an individual to see details of their personal data held by an organisation. SARs do not need to be in writing, though they often are. Identifying a SAR can be challenging because they do not follow a prescribed form. It is therefore important for you to train your staff to identify a SAR so it does not go unnoticed. This is key, as SARs must generally be responded to within 30 days of their receipt.
- Verify the identity of the individual making the request
You must be satisfied that the individual making the request is who they say they are and the steps you take must be reasonable in the circumstances. For example, it may be reasonable to seek proof of identity from an individual that is not immediately known to you, but this might be excessive if the SAR is made by an employee that you are in regular contact with.
- Identify the data that must be disclosed
Personal data is any information relating to an individual who can be identified, directly or indirectly, from that information. This includes, but is not limited to, names, identification numbers (e.g., passport or driving licence numbers), location data, email addresses, and more. For further guidance on identifying personal data, see the ICO’s guidance note here.
- Other considerations
You should also think about any other considerations, such as whether any exemptions apply against the disclosure of certain information, whether there is any special category data to be disclosed or whether the 30-day timeframe can be extended. Any extension needs to be carefully considered on a case-by-case basis.
- Securely disclose the personal data
It is good practice to disclose the data in a manner that suits the individual, whether this is electronically, via a physical hard copy, or any other means. However, the data should always be disclosed securely, especially where sensitive or special category data is being disclosed.
- Keep a record of the SAR and your response
It is good practice to keep a record of the request, the steps that you have taken to accommodate the request and details of your reasoning and decision-making process. This may be useful if an individual seeks an internal review of the response or later makes a complaint.
Consequences of not dealing with a SAR properly
If someone has sent your company a SAR, you must ensure that it is responded to appropriately. Failure to comply is a criminal offence and the ICO may take action which could expose your organisation to significant penalties. The ICO has a range of enforcement tools available under the UK GDPR, including issuing warnings and public disapproval, ordering compliance and imposing fines.
As we saw last year, the ICO will, in certain cases, take action against organisations that fail to deal adequately with their data protection responsibilities, irrespective of whether the organisation is in the public or private sector.
Common pitfalls and how to avoid them
- SARs do not follow a prescribed form and can be difficult to identify. Noticing a SAR late or not noticing it at all could compromise your obligation to deal with the SAR within the legal timeframe. You should therefore train your staff so SARs can be identified in a timely manner.
- Organisations often reveal too much and irrelevant data. This can occur where a full document is disclosed as opposed to a specific extract of the relevant data, or where excess information is not redacted. You should ensure SAR data is only disclosed to the extent required.
- You cannot charge a fee for providing SAR information. In rare cases, you may be able to charge a "reasonable fee" if the request is especially excessive or repetitive; however, you should assess this on a case-by-case basis. The starting point is that SAR data is freely accessible.
- Refusal to provide the information requested can only be made if an exemption or restriction applies or the request is manifestly unfounded or excessive. This should again be reviewed on a case-by-case basis, as the starting point is that SAR data is freely accessible. Any exemptions and restrictions should be thoroughly assessed to ensure information is not withheld unfairly. For further guidance on when you can refuse to comply with a SAR, please see the ICO guidance here.
Understanding how to deal with SARs is important for an organisation to ensure it is complying with the UK GDPR. If your organisation does not already have one in place, a process for handling SARs should be implemented and communicated to your team. If your organisation has already implemented a SAR process, it may be worth reviewing your internal policies and procedures and assessing whether you are satisfying your SAR obligations, or whether any changes need to be made to ensure compliance.
Should you have any queries in relation to answering a Subject Access Request, please contact a member of our Data Protection & Cyber Security team.
This article was co-written by Ussamah Nasar, Trainee Solicitor.