A direct Subject Access Request (SAR) can be complex enough; when a third party gets involved, it only gets more so. They can feel overwhelming to deal with, but with our guidance, you’ll understand what a SAR from a third party is and how to handle it.   

The Basics: What Is a SAR from a Third Party?

A SAR from a third party, or a third-party SAR, is a Subject Access Request made on behalf of someone else with their consent. It could be made by a legal representative, a parent or guardian, someone with power of attorney or a family member or friend. 

The third party must provide evidence of their authority to act on the individual’s behalf, such as written consent. 

Note: Third-party SARs also refer to requests that include data about a third person, but for the purpose of this blog, we’ll refer to them as ‘SARs from third parties’. 

Key Legal Requirement: Authority to Act

As a business, you must verify that the third party has written authority to act on behalf of the data subject before doing anything else. This could be:

• Signed letter of consent
• Power of attorney
• Solicitor’s letter confirming representation

If you need clarification, ask before proceeding. 

If there isn’t any evidence that the third party has the relevant authority to make a SAR, then you aren’t required to comply, but you should respond and explain this to them.

Types of Third-Party Requests (and How to Handle Them)

Solicitors

When solicitors make subject access requests, it is usually related to legal claims, such as employment disputes or personal injury claims. 

You should:

• Confirm the identity of their client
• Specify what data is being requested

SARs used for litigation disclosure purposes may still be valid SARs. Unfortunately, you can’t reject them just because they’re tactical. When can you refuse a SAR? If you’re unsure, then we can help support you.

Parents Requesting On Behalf Of Children

A parent might make a SAR for their child’s school attendance or performance, or for information that social services keep. 

When parents request on behalf of their child, you should check the age and capacity of the child. If they are younger than 13, parents can usually make a request. If they are 13 or older, check whether the child can understand and exercise their rights themselves—you should usually get the child’s permission first. 

You should always prioritise the child’s interests over the parent’s.

Power of Attorney or Legal Guardianship

There are lots of reasons why someone might use a Power of Attorney to make a SAR on their behalf, but the main reason is that they lack mental capacity or are otherwise unable to manage their own affairs. For example, a Power of Attorney can make a Subject Access Request to the NHS for health reasons.

As a business, you must request a copy of the legal document that authorises them to make a SAR.

Verifying Identity and Authority

You are responsible for protecting the data, so you shouldn’t release anything until:

• You have confirmed the identity of the data subject AND;
• You have confirmed the third party’s right to act on their behalf.

Acceptable forms of ID include a passport, driver’s licence, etc. If you’re not sure, you can ‘pause the SAR clock’ by requesting more information, which pauses the one-month response deadline until the requester provides adequate details.

Best Practices for Handling SARs from Third Parties

SARs from third parties are valid, but you must conduct due diligence to ensure the requester has the proper authority. Businesses must strike a balance between the data subject’s rights and safeguarding others.

For best practice when handling these SARs:

• • Have a SAR policy that includes handling third-party requests. 
  • Train staff to recognise valid vs invalid requests.
  • Create a SAR verification checklist to ensure proper procedures are followed.

• Keep a record of all decisions, especially refusals or redactions.

Need Help with Complex SARs? 

From creating strategies for your request processes to reviewing and redacting data, our team of experts can support you every step of the way. Get support today.