The dreaded Subject Access Request strikes fear into the hearts of Data Compliance Officers and DPOs across the land. No two SARs are the same; each must be treated individually, and they often present multiple challenges within tight time constraints. The first and most crucial step is ensuring you properly identify a request as a SAR, because…
If an individual asks why you are holding and using their personal data, this doesn’t necessarily make it a SAR.
In many cases people will be more than satisfied with being told where their details were sourced from, and given assurances it won’t be processed in future (i.e. for direct marketing purposes). If, however, an individual formally requests in writing (via email, letter, fax or social media) to be provided with all the personal data you hold/process on them, you must treat it as a SAR and currently have 40 days to comply.
It’s worth noting that a request doesn’t have to include the words “Subject Access” or refer to the Data Protection Act for it to constitute a SAR; it just needs to be clear that the individual is asking for all their personal data.
It is also vital that you verify the individual submitting the SAR is who they say they are. The last thing you want is to inadvertently cause a data breach by sending personal information to the wrong person. You can ask the individual for information to prove their identity, but you must be reasonable in what you ask for. Individuals do not have to give you their reasons for submitting a SAR; however, you are allowed to ask them for further information to help you locate the data they seek.
A SAR that ends up sitting in the wrong in-tray is no less valid. It’s therefore essential to ensure all staff can recognise a SAR and know who to pass it on to. Also, if you use data processors, make sure you have contractual arrangements in place to guarantee that SARs are dealt with properly.
A key challenge in any SAR is being able to pull together all the relevant information, often from multiple electronic and paper sources. The DPA doesn’t permit you to leave information out because it’s difficult to access. Just because information is archived, backed up or sitting in a “deleted emails” folder doesn’t mean it can be excluded: it is still information you have retained, and you need to disclose it. You can’t, for example, use the “disproportionate effort” get-out simply because it would be costly and time-consuming to locate personal data held in archived emails.
It can be particularly time-consuming to find personal data contained within emails and to work out what should be disclosed. Emails often include information relating to third parties, as well as other unrelated information. Bear in mind that individuals are only entitled to personal data relating to them. This means you may need to assess what is actually personal data and ensure that data relating to third parties is redacted, unless you have their consent.
Also, be mindful that data held on employees’ personal devices is still within the scope of a SAR. That said, the ICO say they wouldn’t expect you to instruct staff to search their private emails or personal devices in response to a SAR unless you had good reason for believing they may be holding relevant personal information.
And finally, with just two days to go before your 40-day deadline you’ve gathered all the information you need… but it’s not over yet. It will be littered with business and insider jargon, and you’re required to ensure a layperson can understand it. Creating a glossary of terms and standard explanations of processes, systems and products can be very helpful. Otherwise, the determined applicant will expect you to explain it again until they are satisfied.
A robust Data Retention Policy is an effective tool in minimising the issues caused by SARs. If you no longer hold information, you don’t have to disclose it. Retaining only what is appropriate makes your SAR process more efficient. It can also spare your organisation the embarrassment and damage of having to disclose information that is old or inappropriate.
Under the new EU General Data Protection Regulation (GDPR), due to be implemented in May 2018, the SAR challenge is likely to grow, with new measures including a shorter time frame to respond and the removal of the £10 fee. It’s believed the latter will inevitably lead to an increase in SARs. The only caveat: will post-Brexit Britain opt for so-called GDPR-lite and not implement GDPR in full?
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.