A guide to dealing with subject access requests
In this guide we take a look at how to recognise, deal with and respond to a subject access request (SAR).
What is the right of access?
The right of access gives individuals the right to obtain a copy of their personal data.
How do we know if it’s a SAR?
A SAR can be made verbally or in writing, including on social media. It does not need to be made to a specific person in the business or reference the data protection legislation. A request is valid if it is clear that the individual is asking for their own personal data.
How long do we have to respond to a SAR?
You must comply with a SAR without undue delay and at the latest within one month of receiving the request. The period to respond can be extended by a further two months if the request is complex or you have received a number of requests from the individual.
If you process a large amount of information about an individual, you may be able to ask them to specify the information their request relates to. In such circumstances, the time limit for responding to the request is paused until you receive clarification.
Can we charge a fee?
In most cases you cannot charge a fee to comply with a SAR. However, you can charge a ‘reasonable fee’ for the administrative costs of complying with a request if it is manifestly unfounded or excessive, or if an individual requests further copies of their data.
What should we consider before responding to a request?
You are responsible for taking all reasonable steps to ensure the information you provide to an individual is provided securely. The ICO has provided detailed guidance on how to ensure information security, which can be accessed HERE.
In addition to the above, you should consider the following:
1. You should make reasonable efforts to find and retrieve the requested information. However, you are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information.
2. If an individual makes a request electronically, you should provide the information in a commonly used electronic format, unless the individual requests otherwise. When deciding what format to use, you should consider both the circumstances of the particular request and whether the individual has the ability to access the data you provide in that format.
3. You should take care to ensure that you provide the information in a clear and transparent manner, using plain language, so that it can be understood.
Can we refuse to comply with a request?
In some circumstances, yes.
You can refuse to comply with a SAR if it is manifestly unfounded or manifestly excessive, or if an exemption applies. The ICO has provided detailed guidance on what the exemptions are and how to ascertain whether a request is manifestly unfounded or excessive. The guidance is available HERE.
It is important to note that you must still respond to the individual even if you decide not to disclose the requested information. Where you decide to withhold the information, you must explain your reasons why and inform the individual of their right to complain to the ICO.
If you require any further advice on responding to a SAR, please get in touch with the Commercial Team who would be happy to help.