The Joy of the Subject Access Request

Welcome to my life.

Oh how fun! A SAR!

No, a subject access request is often called a SAR. It is a request made by an individual to find out what personal data is held about them by a business and how it is used. You are most likely to receive a SAR from current and former customers, clients and employees.

More and more businesses are seeing SARs from disgruntled ex-employees. It is a useful tool an ex-employee can use to gather information particularly where they have some dispute with the ex-employer or just have an axe to grind.

It’s going to have to go pretty near the top of the urgent pile, Clark. Under the new data protection laws – good old GDPR – you have to respond within one calendar month of receiving the SAR.

You can’t do that, Clark. With some very limited exceptions, you have to provide a copy of Mike’s personal data for free.

Now…as the doctor says…this is going to hurt a bit…so take a deep breath and count to…

You’re going to have to search:

• Information held on email about Mike.
  • This isn’t just emails to/from him but any emails containing his name, as well as any known nicknames or abbreviations, and don’t forget to search the “Deleted Items” folder.
  • Microsoft have some good advice here on searching Outlook but utilise your IT team if you have one.
• Information held other than in email about Mike
  • Shared network folders and recycle bins, CRM systems, databases, back-up files, devices used for work purposes by staff.
  • Paper records, HR records, CCTV, internet logs, telephone records…

Not every reference has to be given. You don’t have to disclose all information that simply refers to Mike, you only have to provide information that is about him in some way….so yes, the lazy swearing comment is going to have to go in there I’m afraid.

So, basically, it means any information that is (or has been) used to:

• Learn or record something about him e.g. productivity, sales, performance at work
• Make decisions about him
• Have an impact on him
• Give information or an opinion about him
• Determine/influence the way in which he is treated

You need to make sure you do not reveal the information of other individuals without their consent as that would be a breach of their privacy rights, so you need to ensure you go through all the documents you plan to disclose and redact … blank out … the personal data of any other identifiable individual.

And… when you provide the information to Mike, you will need to clearly set out the personal data in an understandable format and detail the: purposes for processing personal data; categories of personal data retained; recipients of personal data; safeguards in place where data is transferred outside the EEA; and retention periods and policies which should be stated in your Privacy Notice.

Just two more things…you can’t delete or amend Mike’s personal data (even the embarrassing swearing bit) and you must keep a record of all the searches made.

No. And the Information Commissioner’s Office (ICO) can and will come down on you pretty hard for breaches of GDPR which include failing to properly respond to a SAR … they have the power to fine you up to a maximum of 4% of global annual turnover or €20million (whichever is higher). So it’s important that you don’t leave dealing with the SAR to the last minute as there is lots to get through.

Clark! You’ve got to be careful! SARs can be made both in writing and orally and they don’t have to take any specified form. This means a SAR could be submitted to you over the phone, via Facebook, Twitter or Instagram, or by workplace instant messaging like Slack.

There are a few options that may be available to help buy you some time in dealing with the SAR but you must use these legitimately or you risk Mike taking a complaint to the ICO who can impose those big old fines:

• Have good systems in place
  • Adopt IT infrastructure and software that gives you greater control over the personal data you hold so you are able to access, track, isolate and disclose personal data in a secure and efficient manner whilst safeguarding individual rights.
  • Instruct lawyers to prepare relevant procedures, policies and template responses for you so that you are equipped to handle and respond to SARs
  • Train staff to identify SARs and ensure they go to the right people
  • Ensure that you observe the data protection principles so that you do not hold data longer than is necessary and to only gather what you need in the first place.
• Ask for ID
  • Only where you have doubts over the requestor’s identity or the address the request comes from
  • The calendar month to respond to the SAR starts from the date the ID is received
• Ask the individual to define the scope of request
  • For example, are they requesting all personal information held or just information relating to sales made in the past 6 months?
  • You cannot refuse to process the SAR if requestor doesn’t narrow the scope and simply wants all personal information held
  • The calendar month to respond to the SAR is paused when you seek clarification from the employee
• Extend the time period to 3 months total if the request is complicated
  • You can legitimately extend the time period where the request is manifestly unfounded, excessive, complex or repetitive
  • Simply requesting all personal data you hold about the individual is not excessive
  • The ICO will look carefully at reasons given in the event of a complaint or failure to comply within 3 months
  • You must tell the requestor within one calendar month of original request that you plan to extend the time period to 3 months and provide legitimate reasons
• You do not have to disclose certain exempt information – which includes:
  • Legal advice received
  • Employment references provided by/to your business
  • Commercially sensitive information being processed for management forecasting or management planning
  • Negotiations between you and the individual such as settlement negotiations

There are very specific scenarios in which you can refuse SARs in their entirety but this only increases the risk of the ICO taking action and so it would be a good idea to take some legal advice before you do.

I know it might seem that way but the GDPR is there to protect the data rights of individuals and is here to stay, and so longer-term you could even consider setting up a ‘data subject access portal’ which can allow an individual to access their information quickly, easily and remotely.