Under the General Data Protection Regulation (GDPR), individuals have the right to access their personal data and supplementary information held by organisations. This process, referred to as a Subject Access Request (SAR), is central to ensuring data transparency and compliance. In this guide, we will explain what SARs are, how organisations should manage them, and the key considerations for ensuring compliance.
What Is a Subject Access Request?
A Subject Access Request (SAR) allows individuals to:
Obtain a copy of their personal data.
Understand how their data is being used.
Verify that their data is being processed lawfully.
SARs can be made verbally or in writing, including via social media, and do not need to use any specific wording. Third parties, such as solicitors or family members, can also submit SARs on behalf of individuals; in such cases, organisations must verify the third party’s authority to act before disclosing anything.
Preparing for SARs
To effectively manage SARs, organisations should:
Recognise SARs: Ensure all staff can identify valid requests.
Record Requests: Develop a system for documenting verbal or written SARs.
Verify Identity: Confirm the requester’s identity if necessary.
Clarify Ambiguities: Pause the response timeline to request clarification if required.
Understand Refusals: Familiarise yourself with valid reasons to deny a request and the necessary justifications.
Locate Data: Use efficient information management systems to retrieve data promptly.
Complying with SARs
Timely Response
Respond to SARs without undue delay and within one month of receipt. The period can be extended by up to a further two months where the request is complex or the same individual has made several requests.
Reasonable Search
Conduct a thorough but proportionate search to locate the requested information.
Third-Party Requests
When SARs involve third-party information, organisations must balance disclosure with protecting the rights of all individuals involved.
Child Requests
Assess whether the child is mature enough to understand their rights. If the child is competent, respond directly to the child, unless doing otherwise is clearly in the child’s best interests.
Providing the Information
Organisations must supply the information in an accessible, concise, and intelligible format. For requests made electronically, use a commonly used digital format unless the requester specifies otherwise. Use secure delivery methods, such as secure remote access or encrypted files, so that the disclosure itself does not put the data at risk.
Security
Ensure all disclosed data is secure and maintain detailed records of the request and your response to demonstrate compliance.
When Can a SAR Be Refused?
SARs may be refused if:
The request is manifestly unfounded or excessive.
An exemption applies, such as those related to legal privilege, crime prevention, or public interest archiving.
In these cases, organisations must inform the requester of:
The reasons for refusal.
Their right to complain to the Information Commissioner’s Office (ICO).
Their right to seek legal enforcement.
Key Exemptions and Special Cases
The Data Protection Act 2018 outlines exemptions that may apply to SARs, including:
Crime and taxation.
Legal professional privilege.
Journalism, research, or public interest archiving.
Child protection data.
Special rules apply to certain data categories, such as health or educational records. For detailed guidance, consult the ICO’s resources.
Enforcing the Right of Access
Individuals who believe their SAR has been mishandled can escalate the issue to the ICO or seek legal remedies through the courts. Organisations that fail to comply with SAR requirements risk enforcement action and reputational damage.
Further Reading and Resources
To deepen your understanding of GDPR Subject Access Requests, explore the following resources:
Final Thoughts
Handling SARs efficiently is not only a regulatory obligation but also a way to foster trust with customers and stakeholders. By implementing clear processes and providing staff with adequate training, organisations can ensure compliance and uphold individuals’ rights under GDPR.