Help! I’ve received a subject access request – what should I do?

Sponsored
Claire Hall
Claire Hall

Accessing one’s personal information, or making a subject access request (SAR), has become a popular mechanism for individuals to find out exactly what information an organisation holds about them.

Often used in the context of a dispute, complaint or grievance, getting it right or wrong can have important legal and reputational consequences for your organisation. Understanding how to recognise a request and deal with it effectively could save your organisation time, money and resources.

Initial Points to Consider

  • Are you satisfied that this request is genuine?

If the request comes from someone who you are unfamiliar with then it is sensible to make enquiries to ensure that the request has not been made fraudulently. You shouldn’t ask for more information than you need to verify their identity but better safe than sorry!

  • What information have they requested?

It is important to remember that individuals are entitled to their personal data, which is information from which they can be identified and which relates to them. For example, an email between staff discussing a customer’s behaviour would likely include that customer’s personal data. You should make sure you understand what the requester is entitled to, and take steps to locate the information on your systems.  If there is a huge amount of material which needs to be reviewed, software is available to assist.

  • Do you require any further information from the requester to locate the personal data?

You are permitted to ask requesters for information to assist you in locating the requested personal data if they request a large amount. This should be focussed on obtaining useful information that will assist with your searches, such as a date range or identifying individual mailboxes.

  • How long do we have to respond?

You must provide a response to the requester within one calendar month of having received the request. This time limit can be extended by an additional two months where the request is complex or where a number of requests have been made.

When calculating the deadline for response you should be aware:

  • that the clock does not start to run until you have received any information requested to satisfy yourself of the requester’s identity; and
  • if you have asked for clarification information to locate the personal data, the clock will pause while you are waiting for a response.

Myth-busting SARs

Myth Bust
SARs only apply to information held electronically. This is incorrect. Personal data which is caught by the UK GDPR may also be found in a paper filing system.

If your organisation is covered by the Freedom of Information Act then the scope of the paper records potentially caught is even wider.

The requester must provide a reason for their request. Requesters do not need to provide a reason for their request.
The request must be in writing. Requests can be made over the phone or in person. There is no requirement for them to be in writing.
If we hold information received from a third party we don’t need to provide it. If the information is held by your organisation (regardless of its origin) then you may need to provide it, even if it came from a third party.
Only factual information about someone is disclosable. Personal data includes opinions about people. It is important to note that there is no exemption for information which it would be embarrassing to disclose. Train your staff to keep written comments professional.
The requester has asked for everything we hold and it is going to take us a really long time to find it all, so we can just refuse to comply. Your obligation is to make reasonable and proportionate searches. There is no right to refuse a request on the basis that it will take up a lot of time. You can seek clarification to assist in reducing the amount of time that needs to be spent.

If a request is either “manifestly unfounded” or “manifestly excessive” you are allowed to refuse to respond. However, the threshold is high and you must be able to justify.

Information which is also about someone else is not disclosable. This depends on the circumstances of the case. Where information is about both the requester and a third party, the information is mixed personal data and may be exempt or disclosable, depending on the circumstances.  It may be the case that you must not disclose some information.
We have to provide copies of documents redacted if necessary. The requester is entitled to a copy of their personal data but not to a copy of the document containing that personal data. You can place their personal data in a new document if you prefer.

For further information and advice about SARs, please contact Bronwen Jones or Claire Hall at national law firm VWV.  Bronwen can be contacted on 07818 018 215 or at bjones@vwv.co.uk.  Claire can be contacted on  07467 148 750 or at chall@vwv.co.uk.

Did you enjoy reading this content?  To get more great content like this subscribe to our magazine

Reader's Comments

Comments related to the current article

Leave a comment

Your email address will not be published. Required fields are marked *