What is a Subject Access Request (SAR)?
Data protection legislation gives data subjects certain rights in relation to the processing of their personal data by organisations. A data subject may try to exercise those rights in relation to your organisation. This month’s article examines the Subject Access Request (SAR), one of the more commonly exercised rights, often used as a preparatory step before moving on to other rights.
How will I recognise it and how should I respond?
The Right of Access, or Subject Access Request, gives people the right to ask for a copy of any data you hold that relates to them. To exercise this right, they do not have to call it a subject access request; they may simply ask to “see their records” or “see what you wrote about me”. Neither does the request have to be in writing to be valid. In fact, the data protection regulator encourages providers of online services to give their users electronic access to their records. The request could also be verbal. Whichever medium the data subject used to make the request, the response should preferably be made using the same medium. Yes, this might mean scanning the relevant paper documents if the request was made electronically.
Can we collect additional details about the request?
Some organisations that process large amounts of personal information find it easier to have the requestor (the data subject) fill in a predefined form to help narrow down the information being sought. This is fine, but the information should not be withheld if the data subject refuses to complete the form. You should acknowledge the request as soon as you receive it; don’t leave it until you’re ready to respond. You’ll also need to confirm their identity if you don’t know them and, if they’re acting on someone else’s behalf, check that they have written authority to see the records, such as written consent or a Power of Attorney.
Time limit, no fee
There’s a time limit of one month for responding to a SAR, and it is illegal to charge a fee except in exceptional circumstances, in which case the fee should be proportional to the actual administrative costs. The data subject should be informed of the fee before you carry out the search for their data, so that they have the opportunity to change their mind if they don’t want to pay it.
You can see how important it is to have a plan for handling subject access requests and a designated individual who is trained to process them quickly and without disclosing any information that shouldn’t be shared. Make sure a record of the process is kept, with dates and key information. There’s detailed information on the ICO website about the steps to take to handle a SAR. Alternatively, if you want the peace of mind of having specialists help you set up your framework, why not check out our services here?
So that’s a quick overview of a Subject Access Request. Please don’t use it as detailed guidance on how to respond; there’s a lot more to it. Just be aware that you need to have a plan. If your organisation has not yet received a SAR, we recommend holding a walkthrough session to test out your procedures before you need to use them in earnest.