
What steps does my organisation need to take to respond to a data subject access request (SAR)?


The UK GDPR requires organisations to make “reasonable efforts” to locate personal data requested by an individual in a data subject access request (SAR). The Information Commissioner’s Office (ICO) has explained that the following can be taken into account when looking at what amounts to “reasonable efforts”:

  • The circumstances of the request.
  • Any difficulties involved in finding the information.
  • The fundamental nature of the right of access.

Organisations do not have to carry out searches which are “unreasonable” or “disproportionate” to the importance of providing the individual with access to the information requested. However, the onus is on the organisation to demonstrate that it has made reasonable efforts to find the individual’s personal data and that any further efforts would be unreasonable or disproportionate. In case of any future dispute as to whether “reasonable efforts” were made to locate personal data, organisations should document their search criteria and the reasons for using those criteria.

Taking a worst case scenario, if your organisation receives a SAR asking for “all the personal data you hold about me”, then as a starting point, it is likely that you are going to have to look in the following locations for the individual’s personal data:

  1. Your organisation’s IT system – personal data may be held in emails (including in deleted folders, if they are still accessible), word documents, pdf documents, excel spreadsheets, internet logs, automated door entry systems (such as swipe cards), databases and so on.
  2. Telephones – personal data may be held in text messages, messaging apps like WhatsApp, in telephone call recordings or records.
    • If your organisation allows staff to hold work/business related personal data (such as HR information or customer personal data) on their personal devices (this includes computers, laptops and mobile telephones, and again any messaging apps would come within scope), then these will potentially need to be reviewed too. This may be problematic if staff are reluctant to share their personal devices, which is why it is important to have policies in place which cover the use of personal devices at or for work.
  3. CCTV records (if applicable).
  4. Manual records, if stored in an organised, structured manner (for example, employee paper files stored alphabetically in filing cabinets). With the rise in employees working from home, this could include personal data at your organisation’s business premises and also at employees’ homes.

If personal data is held by your organisation’s third party data processor, such as an outsourced payroll company, then this information will also potentially come within the scope of the search.

In terms of search criteria, you may be asked by an individual to make searches using particular search terms. An organisation is not obliged to do so; it is for the organisation to determine what is a “reasonable” search. An organisation should, however, try to search using the individual’s name in a reasonable format and any other identifiers (such as an employee number or nickname). Issues can arise when the requestor shares a first name or surname with others within the organisation or has a common surname such as “Smith”. In these circumstances, searches which are not refined in some way can produce a vast amount of personal data that has nothing to do with the requestor and are arguably therefore “unreasonable” or “disproportionate” to the importance of providing the individual with access to the information requested. When faced with this situation, the organisation will need to work out what search criteria are most likely to produce the requestor’s information and record this.

Even if some of the searches you could make are unreasonable or disproportionate, there may still be some information which is easier to search for, for example HR records. Organisations may also consider asking the individual to clarify their request to help with searching for the information requested.
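The search-criteria approach described above, as an added illustration that is not part of the original article: the requester's name in several reasonable formats plus a secondary identifier (an employee number) are searched against a handful of constructed sample records, a bare common surname is deliberately left out of the terms, and the criteria, rationale and results are written to a JSON record that can be kept with the SAR file as evidence of the efforts made. The record paths, names and employee number are all made up for the example.

```python
"""Added example (not from the original article): a refined SAR search over
constructed sample records that logs the criteria used, so the organisation
can later evidence what "reasonable efforts" it made."""
import json
import re
from dataclasses import dataclass, field, asdict
from datetime import date

# Constructed sample records standing in for emails, HR files and door logs.
RECORDS = {
    "hr/payroll-2023.txt": "Payroll run: J. Smith (emp 10442) salary adjustment approved.",
    "mail/2023-04-12.eml": "Hi John Smith, your annual leave request is approved. - HR",
    "mail/2023-05-03.eml": "Sarah Smith from Acme asked about the Q2 invoice.",
    "mail/2023-06-21.eml": "Reminder: Smithfield market visit moved to Friday.",
    "logs/door-access.csv": "2023-06-30 08:02,10442,main-entrance,granted",
}

@dataclass
class SearchCriteria:
    requester: str
    name_terms: list          # name formats actually searched for
    identifiers: list         # e.g. employee number, nickname
    rationale: str            # why broader terms were excluded
    run_date: str = field(default_factory=lambda: date.today().isoformat())

def name_variants(full_name: str) -> list:
    """Reasonable formats of one name; the bare surname is deliberately omitted."""
    first, last = full_name.split(maxsplit=1)
    return [full_name, f"{last}, {first}", f"{first[0]}. {last}", f"{first[0]}{last}"]

def run_search(criteria: SearchCriteria, records: dict) -> dict:
    """Return {path: [matched terms]} using whole-word, case-insensitive matching."""
    terms = criteria.name_terms + criteria.identifiers
    hits = {}
    for path, text in records.items():
        matched = [t for t in terms
                   if re.search(r"\b" + re.escape(t) + r"\b", text, re.IGNORECASE)]
        if matched:
            hits[path] = matched
    return hits

def search_record(criteria: SearchCriteria, hits: dict) -> str:
    """JSON record of the criteria and results, to be kept with the SAR file."""
    return json.dumps({"criteria": asdict(criteria), "hits": hits}, indent=2)

if __name__ == "__main__":
    crit = SearchCriteria("John Smith", name_variants("John Smith"), ["10442"],
                          "bare surname 'Smith' excluded: matches other staff and 'Smithfield'")
    print(search_record(crit, run_search(crit, RECORDS)))
```

Running it returns the payroll file, the leave email and the door log, and skips the "Sarah Smith" and "Smithfield" records that a bare surname search would have pulled in.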

Another issue that can arise is when routine use of personal data results in it being amended or deleted whilst you are dealing with a SAR. The ICO’s guidance says “It is our view that a SAR relates to the data you held at the time you received the request. However, in many cases, routine use of the data may result in it being amended or even deleted while you are dealing with the request. So it is reasonable for you to supply the information you hold when you respond, even if this is different to what you held when you received the request.” What organisations or their staff must not do is amend or delete personal data after receipt of a SAR, if they would not otherwise have done so, as this is a criminal offence when done with the intention of preventing disclosure of the personal data.

Finally, generally complying with the following two key principles of data protection law should make the process of dealing with a SAR easier:

  1. Your organisation should only collect personal data that it needs – holding excessive data just means having more data to search and review as part of a SAR.
  2. Your organisation should retain personal data only for so long as is necessary – holding data which is no longer required (including in back-ups and archives) also means there could be more data to deal with.

Our data protection team has many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421

If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please email [email protected].
