GDPR – how to respond to subject access requests

AAT Comment

Subject Access Requests (SARs) are probably the most misunderstood part of the Data Protection Act (DPA), and when I talk to people about the changes resulting from GDPR, it often becomes apparent that I need to give them a refresher on the current requirements.

Subject Access Requests are written requests from an individual or their representative for access to the personal information that you are processing (using and storing) about them. The DPA allows you to charge £10 for handling the SAR.

Your initial task is to confirm the requester’s identity to avoid a data breach. There is no automatic right to access the personal data of a relative; however, requests can be made on behalf of others with consent, with power of attorney, or where the subject is a minor and the requester has parental responsibility. You may occasionally get a request from a legal representative with a letter of authority attached; you will still need to confirm their identity. Once you’ve confirmed that it’s a valid request, the clock starts ticking and you have 40 calendar days to provide their data. They have the right to know:

  • What data is being processed
  • The reason(s) it’s being processed
  • The identity of all sources and recipients of their personal data

The copy of the information provided to them must be in an intelligible form, with an explanation of any terms that would not otherwise be understandable, for example abbreviations or internal codes.

To minimise the time and effort needed to respond to the request, you can:

  • Refuse to provide any information if you are unable to confirm their identity
  • Seek details from the requester to help locate the information
  • Refuse to comply if you have previously complied with an ‘identical or similar request’

Only personal information is covered, so if an individual asks for all emails sent by them, received by them or sent by other members of staff, they will not receive any ‘business emails’, just those that mention a personal aspect, for example “I’m off sick today with a splitting headache”, “X is off sick today again, I’m beginning not to believe them as it always seems to be Mondays”, or “Y is a liability, their performance is way below the rest of the team”.

Another important thing to remember is that it’s not only electronic records that are covered; all personal information held is included, so written records, texts and even Post-it notes if they are in an organised filing system. Records of one-to-ones with staff and your manager will be covered, so it’s important that they are completed in a professional manner at all times.

You may find you get a request because you have dismissed an individual and they are ‘fishing’ to see if their SAR reveals grounds for discrimination or similar to support an unfair dismissal claim.

All data held must be disclosed and nothing deleted even if it might prove their case or be embarrassing; failure to do so is a breach of the DPA and can result in significant penalties and fines.

There are, however, some grounds on which some information can be withheld. These include instances where disclosure would breach the rights of someone else, where the information is the subject of an ongoing legal case, and so on.

So what’s different from 25th May 2018 when GDPR applies?

  • An organisation will not be able to charge for complying with a SAR unless the request is ‘manifestly unfounded or excessive’.
  • If a request is ‘manifestly unfounded or excessive’, a fee can be charged or an organisation can refuse to respond. However, you will need to be able to provide evidence of how the conclusion that the request is ‘manifestly unfounded or excessive’ was reached.
  • It must be possible to make requests electronically (e.g. by email). Where a request is made electronically, the information should be provided in a commonly-used electronic form, unless otherwise requested by the individual.
  • The response time is reduced to 30 calendar days.

Due to the complexity and pitfalls of dealing with Subject Access Requests, I would recommend having a formal process in place to deal with SARs, and making sure that all staff understand how this will work and do not provide information outside the policy.

It is usually easier to nominate an individual to deal with the requests and provide them with appropriate training and support. There are predictions that as more people become aware of their rights under GDPR, the number of SARs will increase, so make sure that you’re prepared.

We regularly provide advice on SARs and find that no two requests are the same; we would therefore highly recommend that, if a subject access request is not straightforward, you seek appropriate expert advice.

Ian Cooley GDPR, Data Protection and Privacy Specialist at GDPR Advisors UK.