placeholder
Stuart Gentle Publisher at Onrec

How to respond to a subject access request

A legal expert’s tips on setting up the right process

The right of access, commonly known as a subject access request (SAR), gives individuals the right to access personal information held about them by an organisation under data protection law. A growing awareness of data protection rights is leading to an increase in SARs. Here, Clara Westbrook, a senior data privacy lawyer with corporate lawyers Arbor Law, explains the importance of having a clear process in places to handle SARs.

A SAR is a request made by an individual to an organisation for access to the personal data that the organisation holds about them. This is a right granted under data protection laws, such as the Data Protection Act 2018 in the UK, the General Data Protection Regulation (GDPR) in the European Union and various other data protection regulations globally.

When an organisation receives a SAR, there is a one-month deadline to respond, and it is a breach of data protection law if you do not respond within this timeframe, unless you meet the criteria for an extension. The Information Commissioner’s Office (ICO) sets out detailed criteria for when a two-month extension can be applied to this deadline, but these detailed criteria are complex.

In most instances, the one-month deadline applies and there is a need to respond quickly to meet this statutory time limit. Failure to do so may result in complaints to the ICO which could lead to correspondence from the ICO, enquiring into your organisation’s processes for handling SARs and requesting follow up action to remedy any shortcomings in your processes. Organisations that repeatedly fail to comply with data protection laws can face fines.

Recognising that you have received a SAR is important, as the request may not be formally identified as a subject access request. Requests need to be correctly logged and subject to an established process. Employees should therefore be trained in how to recognise SARs and understand what internal procedure to follow when they are received.

A common means of handling SARs is having an email address established for the purpose of receiving requests, to streamline the process. This will be identified in the organisation's privacy policy and all requests will be directed via this route.

Getting the process right

Larger organisations that are more accustomed to receiving SARs will typically have an established process for handling them. However, smaller or medium-sized enterprises might be caught off guard and without a clear process in place will be ill-equipped to comply with data protection regulations.

The first challenge is understanding what information you need to provide to the individual making the request. This will partly depend on the person making the SAR, as they may have a specific search term, or may broaden their request to include all the available data held about them. It is worth asking the individual if the timeframe of the search and/or the scope can be clarified, but you cannot put pressure on them to do this and they do not have to.

In addition to clarifying the timeframe and scope, effort should also be made to carry out appropriate identity checks to ensure the person making the request is who they claim they are. The one-month countdown would pause until this is confirmed and restart after the clarification is provided.

The information requested could be contained in one or more sources but will commonly include things such as emails or records of conversations from your virtual workplace, such as Microsoft Teams, for example. You need to identify the tools to search and pick the appropriate search terms, depending on the nature of the request. The search will likely return thousands of documents and the next step is to review this information to determine what you are required to disclose under the SAR.

The three-step process

This review process can be broken down into three key stages. During the first stage, you discard anything that is not personal data of the individual. It is important to understand that the right to information includes only personal data.

Step two involves the removal of information about third parties, for example other people’s names, or information that would easily identify other people, unless you have their consent. This information would usually be redacted.

The third step considers the possible application of exemptions. Determining whether these apply is something that requires technical legal expertise. If they do apply, you can redact or not supply the information, but you are required to provide an explanation of which information has been withheld and why you have determined the exemption applies.

Examples of this might includes situations where information is legally privileged, such as communication between a lawyer and their client. It is advisable for a privacy lawyer to determine whether these are applied correctly and rule out any misapplications.

Having followed this process and gathered the necessary information, you also need to consider how best to supply this information to the individual making the request. This is most often done digitally, but it is up to the applicant how they want to receive their data.

Having an established procedure for this stage of the process also helps companies handle the requests correctly and avoid common mistakes that might lead to loss or unintentional disclosure of sensitive information. For example, if you sent the information in a password protected document, you would send the document and the password via separate emails. If you were sending sensitive information by post, you would take extra precautions by sending it via a courier, for example and depending on the volume of data, you may divide it into several packages

A growing awareness of data protection rules has contributed to an increase in people filing subject access requests. For companies or organisations that do not have a clear process in place, handling these requests can be difficult. Following the guidance in this article will give you a good place to start, but data protection lawyers can assist you further, whether you are looking for a light touch advisory role, or someone managing the process of handling an SAR on your behalf.

Arbor Law is a team of experienced lawyers with specialist expertise in data protection. To find out more, visit https://arbor.law