Subject access requests or ‘SARs’ are an extremely important right under the UK GDPR, allowing individuals to ask an organisation whether it is using their personal information, to request copies of the information held about them and to obtain other supplementary information.
Businesses – whatever their size – sometimes find themselves on the back foot when dealing with the increasing UK GDPR compliance obligations. And it’s not surprising. UK GDPR has the protection of the rights of individuals at its core. The law is all about giving all individuals (including staff and clients alike) greater control over how their personal data is used. One example of this is the right to a SAR, which companies often struggle with.
Any organisation that’s subject to GDPR should have a framework in place to handle SARs and ensure that all responses are made in accordance with the law. Dealing with SARs and other aspects of data protection law can be a burden on company resources. Part of our role as data protection lawyers is to advise you on procedures and protocols you can implement to ensure compliance in a proportionate, cost-effective and transparent way.
We discuss the main issues around SARs below. The ICO also recently issued specific guidance for employers, which we have commented on and would urge employers to carefully consider. This topic is particularly important for employers, as SARs can unfortunately often be used by disgruntled employees for tactical purposes and are often used as a tool in employment disputes.
- What is a subject access request?
- What's included in a subject access request?
- Documenting a subject access request
- What if a subject access request is verbal?
- Do subject access requests have to be in writing?
- Confirming a data subject's identity
- How long do you have to respond to an SAR?
- What is personal data under GDPR?
- Are there any subject access request exemptions?
- Refusing a subject access request and repeat requests
- How to respond to a data subject access request
- Recording your response
- Impacts on any data processors your business uses
- Can an organisation charge for a subject access request?
- How long do you need to hold data for?
- Designing a sensible data retention policy
- Designing an efficient process and using templates
- What happens if you get this wrong?
- The ICO’s Q&A Update on SARs for Employers – Key Lessons
What is a subject access request?
A SAR is a request made by an individual to access their personal information that is held by an organisation.
It’s essential that your employees are always alert to the possibility that any request from an individual could be a subject access request. An SAR may ask some or all of the following:
- What personal information an organisation holds about the individual
- How the organisation uses it
- Who the information is being shared with
- Where the information came from
What's included in a subject access request?
SARs don’t need to follow any particular format and they don’t need to be in writing. So long as it’s clear that the requester is asking for their personal data there is no need for him or her to mention UK GDPR or the phrase ‘subject access request’. This can be challenging so it’s important to train your staff so they can recognise requests.
Documenting a subject access request
When you have identified an SAR you should document it and date it. That way, you know when the time limit for responding expires. Remember, you only have one month to respond, and only in certain circumstances can the response time be extended. You should also make sure that no information relating to the individual who made the request is deleted pending your compliance with the SAR. It’s a criminal offence to modify data with the intention of undermining a subject access request.
What if a subject access request is verbal?
UK GDPR doesn’t oblige individuals to make SARs in writing. Staff should be equipped to deal with requests made verbally and to make appropriate records. However, you should ask the individual to follow up the verbal request in writing and point out that this is in keeping with Information Commissioner’s Office (ICO) guidance. Businesses may find it useful to refer the individual to a SAR form, which may make it easier for you to locate the data they want. They don’t have to complete the form, but it would make it easier for you to understand the background for the request, as well as include information that you may need to deal with it.
Do subject access requests have to be in writing?
There is no prescribed way for an individual to make a subject access request. This means SARs may come to your organisation via Facebook or another social media platform. It’s up to you to assess the likelihood of SARs being placed on your social media accounts and to have procedures in place to respond effectively.
Confirming a data subject's identity
Your organisation is entitled to be satisfied that the person making the SAR is who they say they are. If in doubt you can ask for confirmation of their identity (presentation of a passport, for example), but you must let the requester know you need identification as soon as possible. In requesting identification you must act proportionately. It wouldn’t necessarily be reasonable to ask a long-standing customer for proof of identity. Time limits for responding only begin once the requester’s identity has been confirmed.
How long do you have to respond to an SAR?
The ICO expects companies to respond to subject access requests without ‘undue delay’. However, under the rules you have one calendar month to respond to an SAR. Logistically, many organisations adopt a 28-day period in which to respond because of the variation in the number of days in each calendar month. This time limit may be extended in cases where you must establish the requester’s identity or where you are charging a fee to process the SAR (see below). In addition, you can extend the one-month limit by two more months in complex cases, but you must provide the requester with reasons for doing so. Lack of resources, or dealing with the SAR late because you haven’t got round to it, are not justifiable reasons for an extension of time.
What is personal data under GDPR?
Under UK GDPR, ‘personal data’ is information that relates to an identified or identifiable individual. This could be a name or a number or could be another identifier such as initials, an ID number or an IP address. Personal data also includes any recorded opinion of an individual.
When you receive an SAR and are satisfied as to the identity of the requester, you should search all company databases and systems where the data may be held to establish what personal data you hold on the individual. Data can be audio and visual as well as written documentation.
It does not matter that information does not refer to an individual by name, as long as they can be identified by other means, for example, their initials or ID number. Personal data may be known to the individual or within the public domain.
Are there any subject access request exemptions?
The data protection regime affords certain, extensive rights to individuals. But these rights are curtailed in specific situations so that categories of information are exempt from being disclosed. The right of access (under which SARs are made) has a number of relevant exemptions, including:
- information that’s subject to legal professional privilege
- information that might result in your self-incrimination (i.e. reveal that you have committed an offence)
Refusing a subject access request and repeat requests
In addition to the situation where an exemption applies, your organisation does not have to provide information requested under an SAR if it is:
- Manifestly unfounded – This could be where a requester is acting maliciously or has indicated he or she is only making the SAR to cause disruption. Similarly, an SAR could be regarded as manifestly unfounded if it is designed to target or harass an individual employee at your organisation
- Excessive – A SAR might be excessive if it is a repetition of a recent request or if it overlaps with other, similar requests
It’s important to consider each case on an individual basis and you must be able to explain your reasons for refusing to comply with an SAR if the ICO requests you to do so.
How to respond to a data subject access request
UK GDPR states that you should provide information in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
There are no hard and fast rules about the format in which you disclose information in response to an SAR. However, the expectation would be that if the request is made by email, your response should also be by email. Some organisations make a point of asking the individual how they would like the information disclosed. This is particularly advisable if the response will include highly sensitive information.
It's important to note that a SAR is a right to personal data only, not to documents – companies sometimes misunderstand this and should take advice if they are unclear on the scope of what needs to be provided to a data subject.
Recording your response
You should always keep a record of your response to an SAR and retain details of your reasoning and decision-making process in relation to the information disclosed. There is always the possibility that the requester will be dissatisfied with your response and escalate the matter by contacting the ICO with his or her concerns.
Impacts on any data processors your business uses
If your organisation relies on outside companies to act as data processors of information you control, it’s your responsibility, as the data controller, to deal with SARs and the processor should provide support as required. You should have contractual terms in place with your processors, including terms around dealing with subject access requests. For an explanation of the difference between data controllers and data processors, please see our guide to personal data.
Can an organisation charge for a subject access request?
You can’t usually charge to respond to a subject access request. However, you can charge a reasonable fee if you agree to comply with an SAR that’s excessive or manifestly unfounded (remember you don’t have to comply with an SAR in these situations). You may also charge a fee if the individual asks for additional copies of their data. When charging a fee you must let the individual know. You aren’t required to comply with the SAR until you are in receipt of payment.
How long do you need to hold data for?
Under UK GDPR there is no specified time period for holding onto personal data of individuals. Under the storage limitation principle, you cannot retain data for longer than you need it. And the longer you hold onto data the more difficult it will be to establish a lawful basis for holding onto it.
From your point of view it makes sense to review the data you hold and to delete data you no longer need. This reduces the risk that the data will be used in error. It also reduces the amount of data you will have to sift through in response to an SAR. A data retention schedule would be helpful, as it would flag when data needs deleting.
Designing a sensible data retention policy
UK GDPR obliges you to develop sensible data retention policies where possible. You should set out:
- The types of records or information you hold
- What you use the information for
- How long you intend to keep it
Smaller organisations won’t necessarily need a formal data retention policy. However, even if you are not processing or controlling a lot of information you should still regularly review the information you hold and delete it if you no longer need it.
Designing an efficient process and using templates
SARs may be viewed as just another administrative burden on small and medium-sized companies. But under UK GDPR subject access to information is a fundamental right. By developing streamlined and proportionate procedures you can enhance the service you provide to customers and consumers. The ICO points out that many complaints it receives relating to SARs can be avoided if good practice is followed and straightforward, company-wide policies are implemented and followed. Some ways to develop an effective process include:
- Investing in staff training so that relevant staff understand how to handle SARs
- Producing templates for different types of response to ensure a consistency of approach to all SARs
- Providing guidance on subject access on your company’s intranet or in internal policy booklets. This should highlight the repercussions of failing to respond appropriately to SARs, including adverse publicity, potential fines and regulatory scrutiny
- Putting in place a robust system for registering and monitoring SARs when they are received
- Creating a dedicated team to handle SARs and other UK GDPR matters
- Ensuring that data disclosed under an SAR does not contain data relating to another individual and all SAR
- Ensuring a senior employee is equipped to review an SAR response if the requester makes a complaint
- Monitoring SAR compliance and creating a fast-track procedure to escalate SARs that are not dealt with within prescribed time limits
- Implementing a data retention policy and limiting the data you hold, to make the process of dealing with SARs more manageable in practice
What happens if you get this wrong?
If you don’t properly comply with a SAR, the individual making the request has the right to complain to the ICO (after first complaining to you), and the ICO could take various enforcement actions against the company for failing to comply. In addition, SARs can be enforced in the courts and individuals could claim compensation in certain circumstances. The ICO has taken various enforcement actions against companies for failing to comply with SARs. Therefore, it’s important that companies spend time understanding the requirements around SARs and invest in getting this right.
The ICO’s Q&A Update on SARs for Employers – Key Lessons
The obligations to respond to SARs described above apply to all data controllers. However, employers often struggle with these requests, and they can be particularly tricky given the very large amount of personal data employers hold about staff.
In May 2023, the ICO published specific guidance for employers on SARs. The ICO noted that between April 2022 and March 2023, 15,848 complaints related to SARs were reported to the ICO. These figures show how important it is for employers to get SARs right.
Elanor McCombe, Policy Group Manager at the ICO, observed that:
‘What we’re seeing now is that many employers are misunderstanding the nature of subject access requests, or underestimating the importance of responding to requests…It’s important to not get caught out, and that is why we are publishing this guidance today – to support employers in responding to subject access requests in a proper and timely manner, and to ensure that employees are able to access their personal data when desired.’
Indeed, the ICO’s guidance is a welcome development and highlights some key issues around SARs which will be very helpful for employers to consider.
The full ICO guidance is available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/employers/sars-qa-for-employers/, and here are some useful highlights on more niche points for employers to note around SARs:
- How to make a SAR – The ICO’s guidance has clarified examples of valid SARs to include the following ‘Please send me my HR file’, ‘Can I have a copy of the notes from my last appraisal?’ and ‘Can I have a copy of the emails sent by manager to HR regarding my verbal warning’ – these are questions which employers and HR teams may not recognise as being SARs under the UK GDPR. It’s therefore important that employers read this guidance and understand how to recognise a SAR. They should also train their staff on how to identify and deal with SARs correctly.
- Settlement agreements and SARs – Regardless of whether or not they have signed a settlement agreement with an employer, individuals will still have the right to make a SAR and the employer must comply. Any attempt to waive data subject rights by a settlement agreement is likely to be unenforceable. Employers should note this, as they will still need to comply with SARs regardless of what they agree with an employee in a settlement agreement.
- Social media searches – Employers are required to carry out searches across their social media accounts if they use those channels for business purposes, since the employer would be deemed to be a data controller in connection with the personal data processed on those social media accounts. This might be a point companies were not aware of and could lead to SARs taking longer to deal with.
- Tribunal proceedings, grievance processes and SARs – Employers can’t refuse to respond to SARs because of upcoming employment tribunal proceedings, or if they are in a grievance process.
- CCTV is within scope – The ICO’s guidance reminds employers that CCTV footage can contain personal data and therefore it might be necessary to search CCTV as part of responding to a SAR. In practice, this could be very onerous for companies to comply with given the amount of CCTV data collected.
- Emails which data subjects are copied into – Employees are often copied into hundreds or thousands of emails, and therefore this is a tricky point for employers when it comes to dealing with SARs and whether emails need to be disclosed. The ICO states that this will depend on the contents of the email and the context of the information in it; however, it notes that just because the data subject making a SAR receives an email, that doesn’t necessarily mean that the whole content of the email is their personal data. Whether an email contains personal data can be difficult to determine, and advice should be taken if an employer is unsure.
In addition to the points above, the ICO has included helpful guidance on a range of other issues relating to SARs such as whistleblowing, witness statements, withholding information and refusing requests. We would strongly advise that employers consider the guidance in full, to make sure they understand the ICO’s position on these issues and can apply the guidance when they are dealing with such requests. They should also review their policies and procedures to make sure that they are in line with this new guidance and that employers can fully comply with it.
Dealing with SARs can be extremely complicated, time-consuming and costly. However, it is important to get this right and comply with your obligations as a data controller. In particular, employers should make sure they understand the ICO’s guidance and implement it in their processes.
Please contact our team if you would like more detailed advice on this topic and implementing appropriate procedures, or if you require assistance with dealing with a SAR.