Simplifying subject access requests – a step by step guide and top tips
The Data Reform Bill proposes the introduction of a cost limit to avoid organisations being overburdened by requests, similar to the Freedom of Information Act. Additionally, there are proposals to change the threshold of ‘manifestly unfounded’ to ‘likely to cause a disproportionate or unjustifiable level of distress, disruption or irritation’. These proposals should provide greater assistance to organisations dealing with difficult, repeat requestors.
1. Recognise that a subject access request (SAR) has been made
Any individual has the right to make a SAR to an organisation to request a copy of personal data that an organisation holds about them. Personal data can be held in many different formats (electronic or hardcopy), including, but not limited to, the following:
• Handwritten notes
• Audio recordings
• Communication platforms such as Microsoft Teams, Skype, and instant messaging apps
• Within software products (CRM, HMS, databases) or manual filing systems
• Visitor logs
A request is valid if it is clear that the individual is asking for their personal data. There is no requirement for the individual to specify that the request is a subject access request or quote any legislation when making the request.
An individual can submit a SAR to any employee within the organisation. It is therefore important that all employees receive training on how to recognise a SAR and where to send it to be processed.
Individuals can make a SAR verbally or in writing (including on social media). If a request is made verbally, it is important that the recipient notes down what is being requested, the contact details for the requestor and the date that the request was made. It is also beneficial to reiterate this back to the requestor by email or letter for clarity purposes and to manage the requester’s expectations.
2. Set the clock
You must comply with a SAR without undue delay and at the latest within one calendar month of receiving the request. If a request is received on the 15th of July, the request should be completed and sent to the data subject by the 15th of August (if the end date falls on a weekend or bank holiday, the calendar month will end on the next working day).
You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual, e.g. other types of requests relating to individuals’ rights. If you require extra time to respond to a request, you should notify the individual within one month that the time frame is going to be extended, and give the reasons for this.
The time limit for responding to the request can be paused if:
• You have requested clarification of their request from the data subject and are awaiting their response, or
• You have requested ID from the data subject and are awaiting these documents.
This is referred to as ‘stopping the clock’. The clock is only stopped for the duration that it takes the requester to respond. For example, if the requester responds by clarifying their request within 2 days, the clock is only stopped for these two days.
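To make the timing rules above concrete, here is an added Python example (not from the original article) that computes the response deadline from the receipt date, applies a stop-the-clock pause, the two-month extension and the roll-forward to the next working day. The bank-holiday set is a constructed sample, and the handling of a receipt date with no counterpart in the next month (e.g. 31 January) is an assumption not stated in the article.

```python
from datetime import date, timedelta
import calendar

# Constructed sample of bank holidays; use the official list for the relevant UK nation.
SAMPLE_BANK_HOLIDAYS = frozenset({date(2024, 8, 26), date(2024, 12, 25), date(2024, 12, 26)})


def add_calendar_months(d: date, months: int) -> date:
    """Move d forward by whole calendar months, keeping the same day number.

    Assumption: if the target month has no such day (31 Jan -> February),
    the last day of that month is used.
    """
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def next_working_day(d: date, bank_holidays: frozenset = frozenset()) -> date:
    """Roll a Saturday, Sunday or bank holiday forward to the next working day."""
    while d.weekday() >= 5 or d in bank_holidays:
        d += timedelta(days=1)
    return d


def sar_deadline(received: date, paused_days: int = 0, extended: bool = False,
                 bank_holidays: frozenset = frozenset()) -> date:
    """Latest date for sending the SAR response to the data subject.

    received    - date the request reached any employee of the organisation
    paused_days - days the clock was stopped while awaiting ID or clarification
    extended    - True if the further two-month extension has been applied
    """
    months = 3 if extended else 1
    deadline = add_calendar_months(received, months) + timedelta(days=paused_days)
    return next_working_day(deadline, bank_holidays)


def extension_notice_deadline(received: date, bank_holidays: frozenset = frozenset()) -> date:
    """Date by which the requester must be told that the time frame is being extended."""
    return next_working_day(add_calendar_months(received, 1), bank_holidays)


if __name__ == "__main__":
    r = date(2024, 7, 15)
    print(sar_deadline(r))                 # 2024-08-15
    print(sar_deadline(r, paused_days=2))  # 2024-08-19 (17 Aug 2024 is a Saturday)
    print(sar_deadline(date(2024, 7, 24), bank_holidays=SAMPLE_BANK_HOLIDAYS))  # 2024-08-27
```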
3. Establish the identity of the individual
Before processing the SAR, you should be satisfied that you know the identity of the requestor. You can do this by asking for proof of identity, such as a passport, driving licence or proof of address.
Whether ID is required will depend on the nature of the request and the individual making the request. For example, it would be reasonable to request proof of identity from an unknown customer but not an employee whom you know personally.
A request can also be made on behalf of another individual, for example, by a solicitor or relative. You will need to ensure that you are satisfied that they have the appropriate authority to make the request on the data subject’s behalf. You can do this by asking for a signed letter of authority if this was not received as part of the initial request.
If in doubt, always ask for ID!
4. Clarify the scope
It is strongly recommended that organisations communicate with requestors to clarify the SAR as early as possible. Asking for clarification will ensure that the data subject receives relevant information, and prevents unnecessary work from being conducted by the organisation. However, an individual is not obliged to refine their request and the SAR will still need to be complied with.
It may also help, at this point, to establish with the requester whether the information they are requesting would be obtainable under a SAR at all. For example, a request to a local council for information in relation to bin collection dates does not relate to their personal data and should not be treated as a SAR.
5. Acknowledge the request
Once you are satisfied that you have verified the identity of the requestor, you should formally acknowledge the request by contacting the individual (usually via email or letter). It is beneficial to manage the expectations of the data subject at the outset, highlighting that they are only entitled to copies of their own personal data and that the output file may contain redactions along with a brief explanation as to the types of redactions that may be applied.
6. Gather the requested personal data
The most time-consuming part of responding to a subject access request is gathering the requested data. As the individual has the right to request access to or a copy of their personal data, you may find yourself manually trawling through thousands of emails or WhatsApp messages, or hours of CCTV footage or audio calls. It is therefore important that organisations know where personal data is stored, and how to search and extract data from these systems efficiently. Having an inefficient records management system is not an excuse to refuse a request!
You should make reasonable efforts to retrieve all personal data that is relevant to the request. However, you are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information.
For example, Ian Smith submits a SAR and requests that an email search is carried out using his initials, ‘IS’. As ‘is’ is a very common word, this search would return a vast number of results, and checking all of these emails may be considered disproportionate to the importance of providing access to the information. In this case, it would be advisable to conduct other searches, such as ‘Ian Smith’, or ‘Smithy’ if a nickname is used.
The request is for access to copies of data, and not the documents themselves. Therefore, how the information is presented back to the requestor may not be in the same format as it is held by your organisation. Although the easiest way to provide the information is often to supply redacted copies of original documents, you are not obliged to do so.
It is advisable to place the collated data into one centralised folder. You should also document all searches that have been conducted, including the keywords and date ranges searched.
7. Consider exemptions
Data Protection legislation permits the application of exemptions to legally withhold personal data. The range of applicable exemptions can be found within Schedule 2, 3 and 4 of the Data Protection Act 2018.
Although the law allows data to be withheld, this should be done on a case-by-case basis; organisations should not apply a blanket exemption.
You are not obliged to provide data that would adversely affect the rights and freedoms of another individual. Consideration should be given to whether a third party has consented to the disclosure of the information, or whether it is reasonable to disclose it without their consent. This issue will commonly arise when reviewing emails that contain the personal data of both the data subject and other recipients. There is no strict rule for third-party data; you should always consider the information on a case-by-case basis.
8. Sending the SAR to the data subject
The final response should include:
• The provisions contained in Article 15(1) UK GDPR
• The exemptions that have been applied (unless this would undermine the purpose of the exemption)
The SAR should be sent to the individual in the same format that it was requested unless requested otherwise by the data subject. So, if a requester requests the information electronically, the information should be sent electronically.
And most importantly, always send the data via secure means!
Top tips
1. Have a clear policy for processing SARs
2. Ensure that all staff can recognise when a SAR has been made, and know where to send it if they receive one
3. Prepare template letters such as acknowledgement and response letters to speed up the process
4. Know where your personal data is stored and how to search and retrieve data from the systems
5. Keep a central record of all SARs for audit and accountability purposes, including:
• All communication with the data subject
• A copy of the information sent to the data subject, in both redacted and unredacted form
• The exemptions applied, and the rationale for applying them
• The date the SAR was received, and the date responded
If you would like more information on subject access requests, why not connect with the author of this blog Eleanor Green on LinkedIn or visit our SAR Bureau to discuss outsourcing any area of handling a request.