Dealing with Data Subject Access Requests (SARs) and UK GDPR Compliance

The UK GDPR provides individuals with several rights that they can exercise in respect of personal data held by organisations. This article will focus on the ‘right of access’, more commonly referred to as a data subject access request or ‘SAR’. Dealing with SARs effectively remains a challenge for many organisations.

Requests come from a wide array of individuals including customers, employees, complainants and others. The volume of information that organisations typically hold on individuals continues to increase and it is unlikely that this will change in the future.

Who can make a SAR?

An individual can make a SAR requesting access to, and a copy of, the personal data that an organisation holds about them. There is no prescribed form that a SAR should take – they can be made verbally or in writing and will be valid as long as the individual is asking for their own personal data.

An individual can also ask a third party to make a SAR on their behalf. In this case, the organisation receiving the SAR must be satisfied that the third party is authorised to act on behalf of the individual that the SAR relates to.

Identity confirmation and response timeframes

Organisations need to be able to satisfy themselves, and the Information Commissioner’s Office (if so required), that they know the identity of the requester, or the person the request is made on behalf of. If there’s any doubt as to the identity, then an organisation can ask for further information to verify.

It is important to be aware that a request for identification documents should be made as soon as possible after receiving the SAR.

Organisations should respond in full, without delay, and within one month of receipt of the SAR. The only exceptions to this timeframe are (i) where the request is complex, or (ii) where multiple requests have been received from the individual. In these circumstances an organisation may extend the time limit to respond by a maximum of a further two months.

The restrictive response timescales can put many organisations under significant pressure given the time it can take for them to identify the relevant information, apply exemptions (if applicable) and, in many cases, seek legal advice which can come at a cost.

Clarifying a request

If an organisation processes a large amount of information about the requester, then it can ask the requester to specify the information that their request relates to.

If an organisation requests clarification, then this ‘stops the clock’ on the timeframe to respond until the organisation has received the relevant information. The effect of this is that the organisation does not need to provide the requester with the information, or any other supplementary information, until they have received the clarification response.

Clarifications should not be a standard part of dealing with a SAR. They should only be used where the clarification is required to respond to a SAR and the organisation processes a large amount of information about the individual.

For the avoidance of doubt, clarifications should be requested as soon as practicably possible.

Finding and supplying the requested information

Organisations need to make reasonable efforts to find and retrieve information that is the subject of a SAR. What is reasonable for one organisation may not be for another.

Organisations are not required to conduct searches which would be unreasonable or disproportionate to the importance of providing access to the information. Factors to consider when deciding whether a search may be unreasonable or disproportionate include:

  • the circumstances of the request;
  • difficulties involved in finding the information; and
  • the fundamental nature of the right of access.

Organisations should be aware that they bear the burden of proof to justify why a search is unreasonable and/or disproportionate.

How to approach the search and response

Organisations should establish at the outset what searches they may be required to make to find and retrieve the relevant information.

This allows organisations to:

  • understand what resources may be required to gather the information to enable them to respond to a SAR fully; and
  • assess whether any of the information sought would involve unreasonable efforts to find and retrieve.

We also recommend that organisations record their justifications for why a search may be, or is, unreasonable and/or disproportionate in writing. This is because if the disgruntled requester complains to the Information Commissioner’s Office, they will undoubtedly ask to see this record.

Generally, the format of the organisation’s response to the SAR should be the same format as the SAR itself (e.g. if the SAR was received electronically then the response should be made in a commonly used electronic format).

However, organisations should avoid responding verbally to a SAR that has been submitted (even where the SAR was made verbally) unless the requester specifically asks for a verbal response. If a verbal response is given, the response should also be documented in writing so that there is a clear record in place.

It’s always good practice to ask the requester what format they would like the information in prior to finalising the SAR response.

Exemptions

There are a host of different exemptions that may apply to information which is the subject of a SAR. Exemptions can be technical and need to be applied carefully, but some useful ones include:

  • Where the request is manifestly unfounded or excessive
  • Where the request seeks information about other individuals’ personal data
  • Legal professional privilege
  • Management information
  • Negotiations with the requester
  • Confidential references
  • Exam scripts and marks

More information about exemptions can be found on the Information Commissioner’s Office website (Exemptions | ICO).

Current trends

We are seeing an increasing number of individuals submitting SARs to organisations for the purposes of litigation and/or grievance matters. These types of SARs are often framed extremely widely, usually as requests for “all of my personal data held”, and dealing with these sorts of SARs can often be daunting for any organisation regardless of its size.

Anderson Strathern is well placed to help organisations of any size manage and deal with SARs, including providing advice and assistance with specific queries that organisations have. Our experience tells us that the earlier an organisation gets in touch with us to provide advice or assistance in respect of a SAR, the less likely that organisation is to spend excessive (or unnecessary) time and money dealing with the SAR and the less likely it is that deadlines will be missed.

This allows organisations to get on with their usual business knowing that they have taken expert advice.

If you are an organisation that requires assistance with a SAR, or assistance with any other data protection or UK GDPR compliance matter (including any training needs you may have), please do not hesitate to get in touch with our Data and Technology team.

In addition to providing assistance with data protection matters, we have specialists who can also provide advice to organisations that are subject to the Freedom of Information (Scotland) Act 2002 (and the Environmental Information (Scotland) Regulations 2004) or to individuals who have made requests under the Freedom of Information (Scotland) Act 2002.

For further information on how we can assist, please contact Douglas McLachlan, Lorraine Currie, or your usual Anderson Strathern contact.
