- 14 May 2024
What is a subject access request?
In a previous article we considered the data protection rights that an individual has. Probably the most well-known of these is the right to make a subject access request (also known as a SAR or DSAR) and in the next few articles we are going to focus on the thorny issues of dealing with SARs.
SARs tend to be a thorn in the side of those with data protection responsibility within organisations (particularly when received just before Christmas!). In our experience there are two main reasons for this: firstly, they take a lot of time and careful thought to deal with and, secondly, they are often raised in circumstances where there is a wider contentious issue between the individual and the organisation (we will pick up on this aspect in more detail in a later article).
What is a SAR?
An individual has the right in data protection law to ask an organisation if they are processing (for example, collecting, using or storing) the individual’s personal data and to request a copy of all such personal data. In addition, the organisation must provide certain information to the individual about how it handles their personal data. Any individual can make a SAR so SARs could be received, for example, from employees, ex-employees, job applicants, individual customers / service users etc.
The Information Commissioner’s Office (ICO) are vocal in promoting an individual’s right to make a SAR and there is even now a page on the ICO website through which individuals can submit SARs to organisations: Make a subject access request | ICO.
It is important that staff within organisations are trained to recognise when a SAR is made so that it is passed promptly to the relevant person within the organisation to deal with. The time for responding to a SAR starts to run from when it is first received by the organisation, and vital time can be lost if staff are not aware of what to do with the SAR. A SAR doesn’t need to be in writing, nor does it need to say it is a SAR. It can be made in writing, verbally or via social media, so SARs are not always easy to spot!
It is also useful to note that an individual can make a SAR for someone else, if they have authority to do so and can provide proof of such authority to the organisation. For example, a solicitor can make a SAR on behalf of their client.
How long do organisations have to respond to a SAR?
The starting point is that an organisation is required to respond to a SAR “without undue delay” and in any event within one month of receipt of the SAR (note that no extra time is given for bank holidays or short months, hence the challenges of SARs received over Christmas!). If the deadline for responding to a SAR falls on a weekend, then the date for responding is the next working day. The one month period can be extended in certain circumstances, which we will deal with in a later article.
Can you charge a fee?
Generally the answer to this is no. However, if an organisation considers the SAR to be “manifestly unfounded or excessive”, it can charge a reasonable fee to cover administrative costs or it can refuse to deal with it. The bar for establishing that a SAR is “manifestly unfounded or excessive” is high and if the organisation reaches that decision, then the burden will be on the organisation to justify its position. We will look at when you can refuse to comply with a SAR in a later article.
What information do you need to provide?
Individuals can ask for copies of all the personal data your organisation holds about them, but this is not an absolute right and invariably there is going to be information which the organisation can and should withhold. We will also look at this in more detail in a later article.
Our data protection team has many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421.