A gif of a cartoon character opening a filing cabinet and being knocked down by a comically long drawer, he then redacts a document, delivering it to someone who throws it straight in the bin

The Joy of the Subject Access Request

Posted on: 18 Jul, 19

Responding to Subject Access Requests is time-critical (and time-consuming) so it’s important you are able to deal with these quickly and efficiently.

clark worried

Do you ever have those days/weeks/months where you are working at full throttle and still can’t seem to get everything done?

oury normal

Welcome to my life.

clark confusion

Well, to add to my workload, I received a Subject Access Request today…and have no idea what to do with it.

oury excitement

Oh how fun! A SAR!

clark normal

Huzzah?

oury normal

No, a subject access request is often called a SAR. It is a request made by an individual to find out what personal data is held about them by a business and how it is used. You are most likely to receive a SAR from current and former customers, clients and employees.

clark normal

I half-expected it would be from clients or customers but employees too?!

oury normal

More and more businesses are seeing SARs from disgruntled ex-employees. It is a useful tool an ex-employee can use to gather information particularly where they have some dispute with the ex-employer or just have an axe to grind.

clark normal

Hmm … clever tactic … well I’m busy enough as it is so this SAR will just have go in the “to deal with when I have chance to breathe pile”.

oury normal

It’s going to have to go pretty near the top of the urgent pile, Clark. Under the new data protection laws – good old GDPR – you have to respond within one calendar month of receiving the SAR.

clark nervous

Whoa. That’s quick – a month goes by like a weekend these days – I’ll just have to charge whoever has sent this request (I reckon it’s Mike) for the time I spend sorting it out.

oury normal

You can’t do that, Clark. With some very limited exceptions, you have to provide a copy of Mike’s personal data for free.

clark angry

Right. Well it can’t be that onerous then if I have to get this done quickly and without charge. What do I have to do? Send him a copy of his HR file with all his personal details?

oury normal

Now…as the doctor says…this is going to hurt a bit…so take a deep breath and count to…

clark nervous

Let’s hear it, Oury.

oury normal

You’re going to have to search:

  • Information held on email about Mike.
    • This isn’t just emails to/from him but any emails containing his name, as well as any known nicknames or abbreviations, and don’t forget to search the “Deleted Items” folder.
    • Microsoft have some good advice here on searching Outlook but utilise your IT team if you have one.
  • Information held other than in email about Mike
    • Shared network folders and recycle bins, CRM systems, databases, back-up files, devices used for work purposes by staff.
    • Paper records, HR records, CCTV, internet logs, telephone records…
clark embarrassment

And every reference to or about Mike has to be kept and given to him? What about that time I called him a lazy b****** and that I never liked him anyway in an email to HR?

oury normal

Not every reference has to be given. You don’t have to disclose all information that simply refers to Mike, you only have to provide information that is about him in some way….so yes, the lazy swearing comment is going to have to go in there I’m afraid.

clark worried

“About him”? Let’s not speak in riddles Oury … I’m stressed enough as it is…

oury normal

So, basically, it means any information that is (or has been) used to:

  • Learn or record something about him e.g. productivity, sales, performance at work
  • Make decisions about him
  • Have an impact on him
  • Give information or an opinion about him
  • Determine/influence the way in which he is treated
clark normal

Anything else…?

oury normal

You need to make sure you do not reveal the information of other individuals without their consent as that would be a breach of their privacy rights, so you need to ensure you go through all the documents you plan to disclose and redact … blank out … the personal data of any other identifiable individual.

clark normal

I feel there’s another “and” here…

oury normal

And… when you provide the information to Mike, you will need to clearly set out the personal data in an understandable format and detail the: purposes for processing personal data; categories of personal data retained; recipients of personal data; safeguards in place where data is transferred outside the EEA; and retention periods and policies which should be stated in your Privacy Notice.

clark rolls_eyes

This is the gift that keeps on giving…

oury normal

Just two more things…you can’t delete or amend Mike’s personal data (even the embarrassing swearing bit) and you must keep a record of all the searches made.

clark rolls_eyes

… right … not a small job then …

oury normal

No. And the Information Commissioner’s Office (ICO) can and will come down on you pretty hard for breaches of GDPR which include failing to properly respond to a SAR … they have the power to fine you up to a maximum of 4% of global annual turnover or €20million (whichever is higher). So it’s important that you don’t leave dealing with the SAR to the last minute as there is lots to get through.

clark excitement

Understood. It’s a good job I’ve had nothing else come through by email marked “SAR” or I would be struggling to get all this done.

oury angry

Clark! You’ve got to be careful! SARs can be made both in writing and orally and they don’t have to take any specified form. This means a SAR could be submitted to you over the phone, via Facebook, Twitter or Instagram, or by workplace instant messaging like Slack.

clark worried

Is there any light at the end of this SAR tunnel?

Surely there are steps businesses can take when dealing with SARs that gives them some breathing room. It really will be a struggle to do everything that needs doing.

oury normal

There are a few options that may be available to help buy you some time in dealing with the SAR but you must use these legitimately or you risk Mike taking a complaint to the ICO who can impose those big old fines:

  • Have good systems in place
    • Adopt IT infrastructure and software that gives you greater control over the personal data you hold so you are able to access, track, isolate and disclose personal data in a secure and efficient manner whilst safeguarding individual rights.
    • Instruct lawyers to prepare relevant procedures, policies and template responses for you so that you are equipped to handle and respond to SARs
    • Train staff to identify SARs and ensure they go to the right people
    • Ensure that you observe the data protection principles so that you do not hold data longer than is necessary and to only gather what you need in the first place.
  • Ask for ID
    • Only where you have doubts over the requestor’s identity or the address the request comes from
    • The calendar month to respond to the SAR starts from the date the ID is received
  • Ask the individual to define the scope of request
    • For example, are they requesting all personal information held or just information relating to sales made in the past 6 months?
    • You cannot refuse to process the SAR if requestor doesn’t narrow the scope and simply wants all personal information held
    • The calendar month to respond to the SAR is paused when you seek clarification from the employee
  • Extend the time period to 3 months total if the request is complicated
    • You can legitimately extend the time period where the request is manifestly unfounded, excessive, complex or repetitive
    • Simply requesting all personal data you hold about the individual is not excessive
    • The ICO will look carefully at reasons given in the event of a complaint or failure to comply within 3 months
    • You must tell the requestor within one calendar month of original request that you plan to extend the time period to 3 months and provide legitimate reasons
  • You do not have to disclose certain exempt information – which includes:
    • Legal advice received
    • Employment references provided by/to your business
    • Commercially sensitive information being processed for management forecasting or management planning
    • Negotiations between you and the individual such as settlement negotiations
clark normal

Ok. Some options at least. And how about just refusing the SAR completely?

oury normal

There are very specific scenarios in which you can refuse SARs in their entirety but this only increases the risk of the ICO taking action and so it would be a good idea to take some legal advice before you do.

clark normal

It still seems a lot to deal with in such a short space of time. How are businesses expected keep up and comply?

oury positive

I know it might seem that way but the GDPR is there to protect the data rights of individuals and is here to stay, and so longer-term you could even consider setting up a ‘data subject access portal’ which can allow an individual to access their information quickly, easily and remotely.

Disclaimer

We are but two fictitious characters throwing out ideas and comment to stimulate debate and collect information. As professional service firms, we are open-minded people and think independent thought and debate are essential to help us understand as well as navigate complex problems. By joves – doing business across Europe (and the world) is set to become a whole lot more complex in light of recent seismic political events. As businesses – we provide information and hopefully some wisdom – and we see this blog and its caricatures merely as a much more fun, perhaps slightly controversial, way of stimulating debate and collecting ideas. We’re searching for some true pearls of wisdom, and as we find them, we’ll share them with you.

Let us Introduce Ourselves

To find your nearest office or get in touch with one of our specialist advisors to see how we can help your business, please go to our contact page.

Contact us