A subject access request (SAR) is a request that an individual can make to access any personal information held by an organisation. Requests might include: what personal information the organisation is holding about the individual, how the organisation is using it, where the information came from and who the information is being shared with.

Under the UK GDPR, individuals have the right to ask a company whether it is using their personal information. This means that any organisation that is ‘subject to GDPR’ has a responsibility to handle and respond to SARs in compliance with the law.

It’s the responsibility of an organisation to ensure the person requesting data is who they say they are. If the organisation is unsure, it should ask for ID confirmation such as a passport or driving licence. However, it’s not considered acceptable to ask a long-standing customer for proof of identity.

What Counts as Personal Data Under GDPR?

Any information that relates to an identified or identifiable individual is considered ‘personal data’. This could be anything from a name, a number or an ID number to initials, an IP address or even any recorded opinion of an individual. This data can come in several forms, not just written. This means the systems where data may be held must be thoroughly searched to ensure all information relating to the requester is found.

What’s Included in a SAR?

SARs don’t need to follow a specific format, and they also aren’t required to be in writing. If the individual is clearly requesting their personal data, they aren’t required to mention UK GDPR or even the phrase ‘subject access request’. This can make it difficult for staff to recognise the request, which is why training on this matter is important.

Staff should be equipped with the knowledge to deal with verbal SARs and to make subsequent records of these. Even though individuals aren’t required to make the SAR in writing, staff should ask if the verbal request can be followed up in writing, in keeping with Information Commissioner’s Office (ICO) guidance. As a business, you might find it more efficient to refer the requester to a SAR form, which can make it easier to locate the data they want and keep a record of the request.

How to Document a SAR

When a member of staff has identified a subject access request, it’s imperative that they document and date it, so the company has a record of the time limit within which it has to respond. SARs should be responded to within a month of the request, and this time limit can only be extended in certain circumstances.

It’s important to ensure that no information relating to the individual who made the request is deleted while you are working to comply with the SAR. It can be considered a criminal offence to modify data with the intention of undermining a SAR.

How to Respond to a SAR

According to UK GDPR, information should be provided transparently, concisely and in an easily accessible form, using clear and plain language. There aren’t set regulations on how you should disclose requested information from a SAR. However, organisations typically ask the individual how they would like the information to be disclosed to them. This is important to ask, especially if the information is highly sensitive.

SAR Exemptions

Some categories of information are exempt from disclosure under a subject access request. This includes information that is subject to legal professional privilege, and information whose disclosure might result in self-incrimination.

A SAR can also be refused by an organisation if the requester is acting maliciously or if it has been indicated that the request has been made to cause disruption. Additionally, if the request is seen to target or harass an employee at the company, it can be refused. Repeat or excessive requests can also be denied.

With subject access requests, it’s important to understand that each case may be different, so each should be assessed on an individual basis. However, if you do decide to refuse a SAR, you should be able to justify why you are choosing not to comply if the ICO requests you to do so.

At Premier Legal we offer legal support on employment matters. So, if you’re an employer seeking guidance through a difficult matter, or an employee looking for advice on an employment matter, we’re here to help.

Get in touch with our experts today to find out more about our legal services.