Responding to a subject access request
12 January 2024
Data protection law gives individuals the right to obtain confirmation as to whether their personal data is being processed. It also gives them the right to access that personal data, along with supplementary information, by making what is known as a subject access request (SAR).
Requests may be made in any format, including verbally, and responses must usually be provided free of charge and within a month.
Organisations are required to respond even where there is an ongoing dispute with the individual. There are, however, exemptions available, and it is recommended that you seek legal advice where you are unsure.
Managing a request for personal information
– Put in place internal procedures for managing subject access requests and other rights requests.
– Appoint a person or persons to manage responses on behalf of the organisation.
– Ensure all employees can recognise a subject access request and understand they need to act quickly.
Be certain what is being requested
– If you process a large amount of personal data about an individual and the request is unclear, you may ask them to clarify the information or processing activities their request relates to.
– You cannot ask them to narrow their request.
– The clock for your response is paused until you receive clarification.
Complete your searches
– Think about where you store the personal data and make sure to search these locations thoroughly.
– Use search terms to search electronically to identify all relevant documents and correspondence.
– Consider social media platforms such as Facebook, WhatsApp, Twitter and chat channels on Microsoft Teams used for business purposes.
Complete your redactions
– Having identified all the potentially relevant documents from your searches, consider relevant exemptions and redactions.
– The data subject is only entitled to receive a copy of their personal data. You should redact third party personal data (unless you have their consent, or it is otherwise reasonable to disclose it) and information which is not the personal data of the data subject.
– There are additional exemptions which may permit you to redact further information (such as communications with solicitors where they are legally privileged). The application of exemptions is technical in nature and so it is recommended that legal advice is sought as to their applicability.
Provide your response
– If you received the request by email, and the data subject hasn’t instructed you to provide a response by any other means, you can provide your response by email.
– Your response should include the supplementary information required under Article 15 of the UK GDPR. If you have a privacy notice, this can be attached to your response to provide some of this information.
If you have any queries regarding subject access requests or need help in implementing them, do get in touch.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at January 2024.