It’s only one part of GDPR and data protection, but a subject access request (SAR) shouldn’t be ignored. As more people become aware of their personal rights, the number of requests continues to increase.
We show you how to deal with SARs, both as a small business owner and as an employer.
What is a subject access request?
An organisation will hold a certain amount of personal data on its users, which it uses and/or stores. Those users may ask for a copy of their data to check that what is being held on them is in keeping with the law.
Subject access requests existed as a right under the Data Protection Act 1998, but the rules have changed with the introduction of GDPR.
Requests can be made verbally, electronically (including social media) or in writing. If you have received it in writing, make sure you can verify the identity of the sender.
How long can I take with requests?
You have one month from when you receive the SAR. You can be given an extra two months if the request is complicated or there are numerous requests. You should let the person asking for the information know about this extension within one month.
What do I need to provide?
As much as you can based on the request. It could include:
- Copies of statements held under their account number
- What you’re using their data for
- Who you are sharing it with
- Information on where their data comes from
- Information on their rights to challenge the accuracy of data, have it deleted or object to its use
Note that it doesn’t need to have the words ‘subject access’ or refer to the Data Protection Act to constitute an SAR.
You need to provide the info in a commonly used format, such as an electronic document. However, you don’t need to present it this way if it’s not possible, if it takes ‘disproportionate effort’ or if the applicant agrees to another format, like seeing it on screen.
One last thing: you need to ensure that a layperson can understand it, so go easy on the business jargon and acronyms.
Miscommunications can be avoided if your business has a subject access request policy in place. Include information like how you’ll confirm the enquirer’s identity, how you’ll gather their data, how you’ll issue your response and when you can refuse a request. The policies published by the Professional Standards Authority and Insolvency Practitioners Direct are good examples.
Can I withhold information?
In certain circumstances, yes. If the information they’re requesting could identify another person and it’s not reasonable to disclose that information to them, then you can refuse.
If the enquirer is being investigated for a crime, or for something connected with taxes, and the investigation would be compromised if you gave away that information, then you don’t have to fulfil the request.
You can also refuse a request if it is ‘manifestly unfounded or excessive’, which may be the case if the request is repetitive by nature.
Again, staying ahead and having template responses to SARs will save you hassle. This template response letter from Halborns is helpful if you’re stuck.
Can I charge a fee?
You should be providing the data free under GDPR (under the Data Protection Act 1998 you could charge £10). The only situation where you can charge a ‘reasonable fee’ for administrative costs is if the request is unfounded or excessive.
Will it end there?
Not necessarily. You may receive a follow-up if the complainant isn’t satisfied with the outcome of the request. They may also say that they’re going to complain to the Information Commissioner’s Office (ICO) or even take it to an employment tribunal.
What if an employee files a subject access request?
Employees will file subject access requests for various reasons. Some might want to check that their data is accurate, while others may be concerned about how their personal information is held and processed.
It could also be part of an existing dispute with a current or ex-employee including unfair dismissal, whistle-blowing, discrimination cases or a pay review discussion.
Information they request can include:
- Contract of employment
- A note of sickness absences
- Their personnel file
- Emails or any form of messaging between [names] (including personal emails used for work purposes)
- CCTV footage of the person
Employers don’t have to grant requests if they cover confidential references, personnel data relating to management forecasting or settlement negotiations, or data covered by legal professional privilege.
In terms of process, the same applies here – a subject access request must be dealt with within one month of receipt. It can be extended to two months if a lot of redactions have to be made – large and numerous parts of emails need to be blocked out, for example.
Speak to your HR department about how long your retention policy for data is. There is no set limit under GDPR, but the ICO says data should be kept for ‘no longer than is necessary’.
Make sure you know where you keep the information on your staff and how to access the content that’s harder to retrieve, such as email addresses and minutes from meetings.