The ICO provided some helpful guidance in February 2021 to share some examples of good practice by organisations responding to Freedom of Information requests.   Here are some of their tips; we look at how they might be applied to organisations responding to Subject Access Requests (SARs).

Engage senior management to champion Information Governance compliance at the highest organisational level.

How are your Board members kept up to date on the status of your organisation’s compliance? Is it a separate agenda item, discussed regularly or is there a separate meeting? If you don’t have a system to regularly update Board members on data protection issues in the business, there is unlikely to be a realistic budget for dealing with the challenges that compliance can present.

We recommend documenting your organisation’s compliance framework, to illustrate how the board is kept up to date with data protection issues, and how a sound compliance culture is cascaded down through the whole organisation. A simple spreadsheet showing roles and responsibilities throughout the organisation relating to data protection, recording training required and undertaken is a good start. By revisiting this record on a regular basis progress on data protection issues can be tracked and monitored.

The record should show how responsibility flows from the Board through each level of management to those whose daily activities involve handling personal data. If you have a risk or compliance committee, this should be documented as another party with responsibilities for data protection.  Everyone in the organisation who handles or takes decisions about personal data has a part to play in the company compliance programme.

Promptly and vigorously pursue outstanding information from relevant service areas through dedicated contacts in those areas.

Do you have robust procedures to guide staff through the process of responding to a subject access request? You have just one month to respond to the request and the data could be spread across multiple systems and departments, so it needs to be managed. The areas need to be identified quickly and the response co-ordinated. Make sure your staff receive training on how to respond, what exemptions must be considered and where information cannot be disclosed, how to redact it. Progress on the response needs to be monitored; where responses are likely to overrun, these should be escalated to Managers if necessary, and if you are really going to miss the deadline, be sure to engage with the data subject and let them know when you expect to be able to respond; under certain circumstances, you can apply to extend the time limit.

Ensure continuing availability of Information Governance staff and resources during periods of leave and sickness.

Is there a sufficient number of trained staff in your company who know how to respond to a request or do you rely on one or two individuals?

Provide specific training for staff including those who don’t specialise in the area to ensure requests are identified and passed to appropriate colleagues at the earliest opportunity.

All staff who have dealings with the data subjects such as customers or staff, need to be able to recognise when a subject access request is being made. The requests can be verbal and do not have to specify the term ‘subject access request’; a statement that someone wants to see their ‘file’ or ‘the information you have on me’ are equally valid.

Consider organising ‘advice surgeries’ where experienced Information Governance staff can advise less-experienced colleagues from other departments on challenging cases.

Data protection issues vary from sector to sector so this type of training is highly effective and ensures the points covered are all relevant.

Streamline sign-off and approval processes where appropriate, particularly where the authorising person is busy or routinely unavailable.

Finally, to avoid security breaches when responding:

• Consider metadata when redacting information.
• Check all data has been redacted and is not reversible before releasing.
• Get someone to double check redactions.

To see further guidance from the ICO on how to respond to a SAR you can find it here. If you would like help implementing any of these suggestions get in touch with us at Data Protection Consulting.