rebeccap10

Understanding Subject Access Requests

The Role of The ICO

The Information Commissioner’s Office (ICO) enforces laws on data protection and information rights. It offers guidance on handling personal data, investigates complaints, and registers organisations that handle personal data.


What is a SAR

The ICO states: “The right of access, commonly referred to as a subject access request (SAR), gives someone the right to obtain a copy of their personal information from your organisation. This includes where you got their information from, what you’re using it for and who you are sharing it with”.

SARs are often used by current or former employees to view information like performance reviews, disciplinary records, and relevant emails, sometimes as part of disputes.


Formal Request Requirements

  • SARs can be submitted verbally, in writing, or on social media.

  • No specific wording is required for a valid SAR, and the requester does not need to mention data protection law or address it to a particular team, so a request can arrive with any department or person in your organisation.



How to Respond to a SAR


1. Acknowledge the Request

Confirm receipt and, if the request is broad, ask the requester to clarify its scope. For example, if an employee requests 10 years of emails, ask whether they would like to narrow the timeframe. The requester is not obliged to narrow it, so be prepared to search the full period if they decline.

2. Verify Identity

Confirm the requester is who they say they are before releasing anything; disclosing personal data to an impostor is itself a data breach. Ask only for what is proportionate: a current employee can usually be confirmed from internal records without demanding identity documents.

3. Gather Information

Search every system where the individual’s personal data may be held (HR systems, email, chat, shared drives and paper files), and keep a record of the searches run and the terms used so you can demonstrate a reasonable search if challenged.

4. Review Exemptions

Assess whether any material is exempt from disclosure or must be redacted before release (e.g., third-party data, legal privilege), and record the reasoning for each redaction.

5. Provide Response

Supply the data in a clear, commonly used format along with the supplementary information described below (purposes of processing, the individual’s rights).


Required Information in Response to a SAR

You must provide a copy of the individual’s personal data along with the following information:

  • Purposes of the processing.

  • Categories of personal data concerned.

  • Recipients or categories of recipients.

  • Retention period or criteria used to determine it.

  • Existence of the right to request rectification, erasure, or restriction.

  • Information on the source of the data if it was not collected directly from the individual.

 

Most of the above information will be included within an organisation's privacy notice, so this should be enclosed alongside the requested personal data.


Timeframe

SARs must be responded to without undue delay and at the latest within one calendar month from the date of receipt. If the request is complex, or the individual has sent a number of requests, you may extend the deadline by a further two months, provided you inform the requester of the extension, and the reason for it, within the initial month.
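The one-month rule has an edge case that catches teams out at month end. ICO guidance counts from the day of receipt to the corresponding calendar date in the next month; if that month is shorter and has no such date, the deadline is the last day of that month, and a deadline landing on a weekend or public holiday moves to the next working day. Below is an added example calculator, not code from the original post, that encodes that method. It assumes public holidays are not modelled (only weekends roll forward), that the extended deadline is three calendar months from the clock start, and that the clock starts from the later of receipt and any reasonable identity confirmation.

```python
# Added example: SAR deadline calculator. Not from the original post.
# Encodes the ICO counting method (corresponding calendar date, last day of a
# shorter month, weekend rolled to next working day). Assumptions of this
# example: bank holidays are not modelled, and the extended deadline is
# three calendar months from the clock start.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import calendar


def add_calendar_months(start: date, months: int) -> date:
    """Corresponding calendar date `months` months after `start`.

    If the target month is shorter and has no such day (31 Jan + 1 month),
    the ICO method uses the last day of the target month.
    """
    total = start.month - 1 + months
    year, month = start.year + total // 12, total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(d: date) -> date:
    """Roll a Saturday or Sunday forward to the following Monday.

    Assumption: public holidays are not modelled; add a holiday list for
    production use.
    """
    while d.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        d += timedelta(days=1)
    return d


@dataclass(frozen=True)
class SarDeadlines:
    clock_start: date          # day the one-month clock starts running
    respond_by: date           # statutory deadline without an extension
    extend_notice_by: date     # last day to tell the requester you are extending
    extended_respond_by: date  # deadline if a valid extension is applied


def sar_deadlines(received: date,
                  identity_confirmed: Optional[date] = None) -> SarDeadlines:
    """Compute the response deadlines for a subject access request.

    `received` is the day the request arrived, working day or not.
    `identity_confirmed` is the day any identity information you reasonably
    asked for arrived; the clock starts from the later of the two.
    Pass None if no identity check was needed.
    """
    clock_start = received if identity_confirmed is None \
        else max(received, identity_confirmed)
    one_month = next_working_day(add_calendar_months(clock_start, 1))
    # Assumption: "a further two months" is computed as three calendar
    # months from the clock start, using the same counting rule.
    three_months = next_working_day(add_calendar_months(clock_start, 3))
    return SarDeadlines(
        clock_start=clock_start,
        respond_by=one_month,
        extend_notice_by=one_month,
        extended_respond_by=three_months,
    )


if __name__ == "__main__":
    # Constructed sample dates, not real requests.
    for received in (date(2025, 1, 31), date(2025, 2, 15)):
        d = sar_deadlines(received)
        print(f"received {received}: respond by {d.respond_by}, "
              f"extended deadline {d.extended_respond_by}")
```

A request received on 31 January 2025 is due by 28 February 2025 (February has no 31st); one received on Saturday 15 February 2025 would fall due on Saturday 15 March and so rolls to Monday 17 March. Log the computed dates in your SAR register at the point of receipt rather than working them out by hand later.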

 

Can a SAR be refused?

Yes, in whole or in part. A request that is manifestly unfounded or excessive can be refused outright (or a reasonable fee charged for dealing with it); more commonly, specific material is withheld under an exemption while the rest is disclosed. Where you refuse, you must tell the requester within the one-month time limit what you have refused and why, and that they can complain to the ICO.


Examples of grounds for refusing a request or withholding material include:

  • Manifestly Unfounded or Excessive Requests

  • Third Party Data

  • Legally Privileged

  • On-going Investigations

  • Crime Prevention and National Security

  • Vexatious or Harassment Requests

 

Consequences of Failing to Comply

Non-compliance with SARs can result in complaints to the ICO, investigations, potential fines, and damage to your organisation’s reputation. It’s essential to respond within the required timeframe and provide the requested data unless a valid exemption applies.


Best Practice Communication

  • Assume that anything written about an individual in email, chat or social media may later be disclosed to them through a SAR, and write accordingly.

  • For sensitive discussions, consider using phone or video calls instead of text, bearing in mind that any notes taken of those calls are still personal data and disclosable.


What Should Employers Do

  • Training - Train relevant staff, especially in HR and customer-facing roles, on how to identify and handle SARs.

  • Policy - Create a SAR policy and train staff on documenting and responding to requests. Confirm verbal requests in writing to prevent misunderstandings.

  • Retention - Regularly review and maintain data retention policies to avoid keeping data longer than necessary.

 


📢If you need advice, contact one of our team on 01935 411191 or email enquiries@rbhr.co.uk for a free initial consultation phone call. 📢


