
The Joy of the Subject Access Request

Posted on: 18 Jul, 19

Responding to Subject Access Requests is time-critical (and time-consuming) so it’s important you are able to deal with these quickly and efficiently.

Do you ever have those days/weeks/months where you are working at full throttle and still can’t seem to get everything done?

Oury says...

Welcome to my life.

Clark says...

Well, to add to my workload, I received a Subject Access Request today… and have no idea what to do with it.

Oury says...

Oh how fun! A SAR!

Clark says...

Huzzah?

Oury says...

No, a subject access request is often called a SAR. It is a request made by an individual to find out what personal data is held about them by a business and how it is used. You are most likely to receive a SAR from current and former customers, clients and employees.

Clark says...

I half-expected it would be from clients or customers, but employees too?!

Oury says...

More and more businesses are seeing SARs from disgruntled ex-employees. It is a useful tool an ex-employee can use to gather information, particularly where they have some dispute with the ex-employer or just have an axe to grind.

Clark says...

Hmm … clever tactic … well, I’m busy enough as it is, so this SAR will just have to go in the “to deal with when I have a chance to breathe” pile.

Oury says...

It’s going to have to go pretty near the top of the urgent pile, Clark. Under the new data protection laws - good old GDPR - you have to respond within one calendar month of receiving the SAR.

Clark says...

Whoa. That’s quick – a month goes by like a weekend these days – I’ll just have to charge whoever has sent this request (I reckon it’s Mike) for the time I spend sorting it out.

Oury says...

You can’t do that, Clark. With some very limited exceptions, you have to provide a copy of Mike’s personal data for free.

Clark says...

Right. Well, it can’t be that onerous then if I have to get this done quickly and without charge. What do I have to do? Send him a copy of his HR file with all his personal details?

Oury says...

Now… as the doctor says… this is going to hurt a bit… so take a deep breath and count to…

Clark says...

Let’s hear it, Oury.

Oury says...

You’re going to have to search:

  • Information held on email about Mike.
    • This isn’t just emails to/from him but any emails containing his name, as well as any known nicknames or abbreviations, and don’t forget to search the “Deleted Items” folder.
    • Microsoft have some good advice here on searching Outlook, but utilise your IT team if you have one.
  • Information held other than in email about Mike.
    • Shared network folders and recycle bins, CRM systems, databases, back-up files, devices used for work purposes by staff.
    • Paper records, HR records, CCTV, internet logs, telephone records…

Clark says...

And every reference to or about Mike has to be kept and given to him? What about that time I called him a lazy b****** and said that I never liked him anyway in an email to HR?

Oury says...

Not every reference has to be given. You don’t have to disclose all information that simply refers to Mike; you only have to provide information that is about him in some way… so yes, the lazy swearing comment is going to have to go in there, I’m afraid.

Clark says...

“About him”? Let’s not speak in riddles, Oury … I’m stressed enough as it is…

Oury says...

So, basically, it means any information that is (or has been) used to:

  • Learn or record something about him, e.g. productivity, sales, performance at work
  • Make decisions about him
  • Have an impact on him
  • Give information or an opinion about him
  • Determine/influence the way in which he is treated

Clark says...

Anything else…?

Oury says...

You need to make sure you do not reveal the information of other individuals without their consent, as that would be a breach of their privacy rights, so you need to ensure you go through all the documents you plan to disclose and redact … blank out … the personal data of any other identifiable individual.

Clark says...

I feel there’s another “and” here…

Oury says...

And… when you provide the information to Mike, you will need to clearly set out the personal data in an understandable format and detail the:

  • purposes for processing personal data;
  • categories of personal data retained;
  • recipients of personal data;
  • safeguards in place where data is transferred outside the EEA; and
  • retention periods and policies, which should be stated in your Privacy Notice.

Clark says...

This is the gift that keeps on giving…

Oury says...

Just two more things… you can’t delete or amend Mike’s personal data (even the embarrassing swearing bit) and you must keep a record of all the searches made.

Clark says...

... right … not a small job then …

Oury says...

No. And the Information Commissioner’s Office (ICO) can and will come down on you pretty hard for breaches of GDPR, which include failing to properly respond to a SAR … they have the power to fine you up to a maximum of 4% of global annual turnover or €20 million (whichever is higher). So it’s important that you don’t leave dealing with the SAR to the last minute, as there is lots to get through.

Clark says...

Understood. It’s a good job I’ve had nothing else come through by email marked “SAR” or I would be struggling to get all this done.

Oury says...

Clark! You’ve got to be careful! SARs can be made both in writing and orally and they don’t have to take any specified form. This means a SAR could be submitted to you over the phone, via Facebook, Twitter or Instagram, or by workplace instant messaging like Slack.

Clark says...

Is there any light at the end of this SAR tunnel?

Surely there are steps businesses can take when dealing with SARs that give them some breathing room. It really will be a struggle to do everything that needs doing.

Oury says...

There are a few options that may be available to help buy you some time in dealing with the SAR, but you must use these legitimately or you risk Mike taking a complaint to the ICO, who can impose those big old fines:

  • Have good systems in place
    • Adopt IT infrastructure and software that gives you greater control over the personal data you hold, so you are able to access, track, isolate and disclose personal data in a secure and efficient manner whilst safeguarding individual rights.
    • Instruct lawyers to prepare relevant procedures, policies and template responses for you so that you are equipped to handle and respond to SARs.
    • Train staff to identify SARs and ensure they go to the right people.
    • Ensure that you observe the data protection principles so that you do not hold data longer than is necessary and only gather what you need in the first place.
  • Ask for ID
    • Only where you have doubts over the requestor’s identity or the address the request comes from.
    • The calendar month to respond to the SAR starts from the date the ID is received.
  • Ask the individual to define the scope of the request
    • For example, are they requesting all personal information held or just information relating to sales made in the past 6 months?
    • You cannot refuse to process the SAR if the requestor doesn’t narrow the scope and simply wants all personal information held.
    • The calendar month to respond to the SAR is paused when you seek clarification from the employee.
  • Extend the time period to 3 months total if the request is complicated
    • You can legitimately extend the time period where the request is manifestly unfounded, excessive, complex or repetitive.
    • Simply requesting all personal data you hold about the individual is not excessive.
    • The ICO will look carefully at the reasons given in the event of a complaint or failure to comply within 3 months.
    • You must tell the requestor within one calendar month of the original request that you plan to extend the time period to 3 months and provide legitimate reasons.
  • You do not have to disclose certain exempt information – which includes:
    • Legal advice received
    • Employment references provided by/to your business
    • Commercially sensitive information being processed for management forecasting or management planning
    • Negotiations between you and the individual, such as settlement negotiations

Clark says...

Ok. Some options at least. And how about just refusing the SAR completely?

Oury says...

There are very specific scenarios in which you can refuse SARs in their entirety, but this only increases the risk of the ICO taking action, and so it would be a good idea to take some legal advice before you do.

Clark says...

It still seems a lot to deal with in such a short space of time. How are businesses expected to keep up and comply?

Oury says...

I know it might seem that way, but the GDPR is there to protect the data rights of individuals and is here to stay, and so longer-term you could even consider setting up a ‘data subject access portal’ which can allow an individual to access their information quickly, easily and remotely.
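The search-and-record steps Oury sets out above (search every folder including Deleted Items, match the person's name plus known nicknames and abbreviations, redact other identifiable individuals, and keep a record of the searches made) can be turned into a small, repeatable script. The block below is an added illustration written for this post; it is not code from Oury Clark, and the mailbox, the names (Mike Smith, Sarah Jones) and the folder layout are constructed for the example. A real run would read an Outlook/PST export or an eDiscovery result set instead of the inline dictionary.

```python
"""Locate a data subject's personal data in a mailbox export and log the search.

Added illustration, not the firm's own tooling. The mailbox below is
constructed for the example; a real run would read an Outlook/PST export
or an eDiscovery result set instead.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample mailbox: folder -> list of (subject, body). "Deleted Items"
# is included deliberately, because deleted mail is still in scope for a SAR.
MAILBOX = {
    "Inbox": [
        ("Q2 targets", "Mike Smith missed his Q2 sales target again."),
        ("Lunch", "Anyone fancy pizza on Friday?"),
    ],
    "Sent Items": [
        ("RE: Q2 targets", "HR - honestly, Mikey is lazy and I never liked him."),
    ],
    "Deleted Items": [
        ("Appraisal notes", "MS rated 'needs improvement'; Sarah Jones agreed."),
        ("Newsletter", "Welcome to the July edition."),
    ],
}


@dataclass
class Hit:
    folder: str
    subject: str
    matched_terms: list[str]
    body: str


@dataclass
class SearchRecord:
    """The record of searches made, kept alongside the response."""
    data_subject: str
    terms: list[str]
    folders_searched: list[str]
    run_at: str
    hits_per_folder: dict[str, int] = field(default_factory=dict)


def build_patterns(terms):
    # Whole-word, case-insensitive matching; re.escape keeps "M.S." or an
    # e-mail address literal. Short abbreviations such as "MS" will over-match
    # (e.g. "Ms Jones"), so hits on those still need a human review pass.
    return {t: re.compile(r"(?<!\w)" + re.escape(t) + r"(?!\w)", re.IGNORECASE)
            for t in terms}


def search_mailbox(mailbox, data_subject, terms):
    """Return (hits, record): every message mentioning any term, plus the audit record."""
    patterns = build_patterns(terms)
    hits = []
    record = SearchRecord(
        data_subject=data_subject,
        terms=list(terms),
        folders_searched=sorted(mailbox),
        run_at=datetime.now(timezone.utc).isoformat(timespec="seconds"),
    )
    for folder, messages in mailbox.items():
        count = 0
        for subject, body in messages:
            text = f"{subject}\n{body}"
            matched = [t for t, p in patterns.items() if p.search(text)]
            if matched:
                hits.append(Hit(folder, subject, matched, body))
                count += 1
        record.hits_per_folder[folder] = count
    return hits, record


def redact_third_parties(text, third_parties):
    """Blank out other identifiable individuals before the copy is disclosed."""
    for pattern in build_patterns(third_parties).values():
        text = pattern.sub("[REDACTED]", text)
    return text


if __name__ == "__main__":
    # Full name, first name, nickname and initials, as the post recommends.
    terms = ["Mike Smith", "Mike", "Mikey", "MS"]
    hits, record = search_mailbox(MAILBOX, "Mike Smith", terms)
    for h in hits:
        print(h.folder, "|", h.subject, "|", h.matched_terms)
        print("   ", redact_third_parties(h.body, ["Sarah Jones"]))
    print(record)
```

The `SearchRecord` is the artefact to keep: it shows which terms and folders were covered and when, which is what you need if the requestor later complains that something was missed. Note that the match list is a starting point for review, not the disclosure itself; the redaction step only removes names you already know about, so each hit still needs reading before it goes out.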

We are but two fictitious characters throwing out ideas and comment to stimulate debate and collect information. As professional service firms, we are open-minded people and think independent thought and debate is essential to help understand, as well as navigate, complex problems. By Jove – doing business across Europe (and the world) is set to become a whole lot more complex in light of recent seismic political events. As businesses - we provide information and hopefully some wisdom - and we see this blog and its caricatures merely as a much more fun, perhaps slightly controversial way, of stimulating debate and collecting ideas. We’re searching for some true pearls of wisdom, and as we find them, we’ll share them with you.


Copyright © 2013 - Oury Clark.

Oury Clark is authorised and regulated by the Financial Conduct Authority and is entered on the Financial Services Register under reference 100556.