Your guide to Subject Access Requests
Individuals have several rights under the UK GDPR, one of these being the right of access. This gives individuals the right to obtain a copy of their personal data, as well as other supplementary information.
What is a SAR?
Any individual can send a Subject Access Request (SAR) to an organisation that may hold their data, e.g., customers that have purchased something from a company, or employees sending one to their employer. It can be made verbally or in writing, including on social media, and it can be made by a third party on behalf of the individual. You need to be satisfied that you know the identity of the requester, so you can ask for information to verify their identity, but only if this is necessary, as the timescale for responding to a SAR does not begin until you have received the information you ask for. For example, if the request came from an employee, it wouldn’t be necessary to ask for their ID.
Do you have to respond?
All organisations are legally obligated to respond to a SAR without undue delay and at the latest within one month of receiving the request, unless the request is complex or you have received several requests from the same individual, in which case you can extend the time to respond by a further two months. An exemption may apply that allows you to refuse to provide all or some of the requested information. You can also refuse to comply with a SAR if it is manifestly unfounded or manifestly excessive, but this is a very high threshold. In the majority of cases, you must respond to the SAR and provide all of the information requested.
Obviously, you can only provide the information they have requested if you still hold it; it may already have been deleted in accordance with your retention policy. You cannot delete the information after you have received the request.
If you refuse to comply with a request, you must still respond to the SAR and explain why, and point out their right to complain to the ICO and to enforce the SAR through the courts.
How do you respond?
You must respond with all the information the individual has requested unless an exemption applies. There are several exemptions, but the most common are: if the information contains personal data of someone else that you should not disclose without consent; if it comprises or includes communications with your solicitor, as these are protected by legal privilege and shouldn’t be disclosed; or if the information is confidential business data you would not want in the public domain.
If exemptions apply to some parts of the information requested, you must still comply with the request but redact any information that is exempt.
If the individual requests a large amount of information, you may respond and ask them to clarify their request, but you are not able to ask them to limit their request.
What other information is an individual entitled to?
As well as the information requested, individuals have the right to receive information such as your purposes for processing, the categories of personal data you’re processing, who you disclose the personal data to, and the retention period, just to name a few. The supplementary information you must provide largely corresponds with the information you should have in your privacy policy.
If you have received a SAR and need some advice on how to respond, whether exemptions apply or what to redact, please contact sophiebrazier@schofieldsweeney.co.uk.