What is a subject access request?
A subject access request (SAR) is a written request made by or for an individual for the information which he or she is entitled to ask for under section 7 of the Data Protection Act 1998 (DPA). The request does not have to be in any particular form. People can make SARs verbally, in writing, or through social media.
Understanding The SAR Request
It is important to be able to recognize when a request for personal data has been made. When making the request, the individual is not required to use phrases such as ‘subject access request’, ‘right of access’, or ‘Article 15 of the GDPR’, which would make the request very clear. Businesses need to be aware and trained, in identifying when a legitimate request to access personal data has been made. Once the request is made, companies are legally responsible to deal with the request in the right way. One step businesses should take to prevent this issue, is ensuring there is enough staff trained who can identify when a SAR request has been made and is aware of the steps required to take to deal with the request. Some Important things to note with a SAR, it may be a valid SAR even if it refers to other legislation, such as the Freedom of Information Act 2000 (FOIA) or the Freedom of Information (Scotland) Act 2002 (FOISA). The most important thing to consider is that if an individual asks for their personal data, irrespective of the channel used to make the request, it constitutes a valid subject access request under the GDPR.
Are There Time limitations With A SAR Request?
In Short, yes. You must comply with a SAR within one month of receiving the request. However, this can be extended for up to three months if the request is complex, or if the same individual has made a high number of requests. In this case, you must inform said individual that more time is required within the 30 days or one month of the initial request.
How Businesses Should Respond To A SAR Request
Once a SAR request has been made and correctly identified by the business, the next step it must do is comply and process the request. A copy of the personal data must be supplied free of charge. Businesses can however charge a fee, when the individual’s request is deemed to be excessive, for example when said individual requests multiple copies of the same information. They made life as easy as possible, businesses should supply the information in the simplest format, such as an email, word document, etc.
Can Businesses refuse A SAR Request?
There are certain situations where businesses can refuse the SAR request. Businesses can refuse Subject Access Requests made with the intention of litigation. The High Court has ruled that a business that receives a Subject Access Request (“SAR”) can refuse to disclose the requested information in some cases if the main purpose of the SAR is litigation.
Another situation where a business can refuse a SAR request is when the information requested contains the personal data of another individual. The business will be required to receive consent from the 2nd individual that they are happy for their personal data to be shared, prior to processing the SAR request. On some occasions, businesses may find it reasonable to comply with the request without the consent of the individual. When deciding whether you disclose the information about the third party, you should balance the GDPR’s right of access against the third party’s rights.
If the business takes the decision to refuse a SAR request, it must be able to justify its decision and must send the requester a written refusal notice. The business will need to issue a refusal notice if they are either refusing to say whether they hold information at all or confirming that information is held but refusing to release it and why.
Can Businesses withhold information in a SAR request?
A business can withhold information if the information could identify someone else, and it would not be reasonable to disclose that information to you. A business may also withhold some information if the individual is being investigated for a crime, or in connection with taxes, and the investigation would be prejudiced if the individual had access to the information.
How to Send a Response to a SAR Request
Once businesses have everything, they need for the subject access request, the final step is to develop and send a response to the individual. As a best practice, Businesses should keep an audit trail of the request, including the sources of information, which was collated, the review was undertaken, key decisions made concerning whether information amounted to personal data and whether exemptions applied, the response provided and disclosure made, as well as all communications with the individual and other third parties. This will be essential if the individual seeks an internal review of the response or complaints to the ICO.
Businesses need to provide the following information to the requester:
- Legal basis for and purpose of processing the personal data of the individual.
- Third parties to whom the personal data has been disclosed.
- Existence of the requester’s rights to the information including the erasure of the personal data and restriction of the processing of the personal data.
- Expected period for which the personal data will be stored.
- Categories of personal data.
- Information about the origin of the personal data.
For sending out the response, the GDPR requires that you provide the information in a concise, intelligible, transparent, and easily accessible form that is understandable by the individual. The GDPR further suggests that the information should be delivered through a secure portal, but this is not a requirement.