The Role of The ICO
The Information Commissioner’s Office (ICO) enforces laws on data protection and information rights. It offers guidance on handling personal data, investigates complaints, and registers organisations that handle personal data.
What is a SAR?
The ICO states: “The right of access, commonly referred to as a subject access request (SAR), gives someone the right to obtain a copy of their personal information from your organisation. This includes where you got their information from, what you’re using it for and who you are sharing it with”.
SARs are often used by current or former employees to view information like performance reviews, disciplinary records, and relevant emails, sometimes as part of disputes.
Formal Request Requirements
SARs can be submitted verbally, in writing, or on social media.
No specific wording is required for a valid SAR: the requester does not have to use the words “subject access request” or cite data protection law, and the request does not have to be addressed to a particular department or person. A request is valid from the moment it reaches anyone in your organisation, so the response deadline can start running on a message sent to a line manager, a reception inbox or a social media account.
How to Respond to a SAR
1. Acknowledge the Request
Confirm receipt in writing and, where the request is broad, ask the requester to clarify its scope. For example, if an employee requests 10 years of emails, ask whether they would like to narrow the timeframe or the subject matter. A requester is not obliged to narrow the request, so be prepared to proceed on the original scope if they decline.
2. Verify Identity
Confirm the requester’s identity before releasing anything: a SAR is an easy pretext for someone to obtain another person’s records, and sending personal data to the wrong person is itself a data breach. Keep the check proportionate. If you already know the requester (for example, a current employee writing from their work account), you should not demand further identification, and you should only ask for the information reasonably needed to confirm who they are.
3. Gather Information
Search every system that may hold the individual’s personal data, not just the HR file: email, messaging platforms, shared drives, line managers’ notes and any relevant case systems. Keep a record of what was searched, the search terms used and who carried out the search, so you can show the search was reasonable if the ICO later asks.
4. Review Exemptions
Assess whether any of the data is exempt from disclosure (e.g. information that identifies a third party, or legally privileged material). Exemptions apply to the specific information, not the request as a whole, so redact or withhold only what the exemption covers and release the rest.
5. Provide Response
Supply the data in a clear, intelligible format along with the required supporting information (processing purposes, the individual’s rights and so on). If the request was made electronically, provide the response in a commonly used electronic format unless the requester asks otherwise, and deliver it securely to an address or channel you have verified belongs to the requester.
Required Information in Response to a SAR
You must provide a copy of the individual’s personal data along with the following information:
Purposes of the processing.
Categories of personal data concerned.
Recipients or categories of recipients.
Retention period or criteria used to determine it.
Existence of the right to request rectification, erasure, or restriction.
Information on the source of the data if it was not collected directly from the individual.
Most of the above information will be included within an organisation's privacy notice, so this should be enclosed alongside the requested personal data.
Timeframe
SARs must be responded to within one calendar month of receipt. Calculate the deadline from the day the request arrives (whether or not it is a working day) to the corresponding calendar date in the following month; if that month has no such date, the deadline is the last day of the month, and if it falls on a weekend or public holiday you have until the next working day. If the request is complex, or the individual has made a number of requests, you may extend the deadline by up to a further two months, provided you tell the requester why within the initial month. If you need to verify identity or clarify the scope of the request, the month does not start until you receive the identification or clarification, but you must ask for it promptly.
Can a SAR be refused?
Yes, but refusing a request outright is the exception. In most cases an exemption applies to part of the information, which should be redacted or withheld while the rest is disclosed. Whether you refuse all or part of a request, you must tell the requester what you have withheld and why (unless doing so would defeat the purpose of the exemption), and inform them of their right to complain to the ICO and to seek a remedy through the courts, within the same one-month period.
Examples of grounds for refusing or withholding include:
Manifestly unfounded or excessive requests (you may charge a reasonable fee instead of refusing)
Third party data, where the other person has not consented and disclosure would not be reasonable
Legally privileged material
Ongoing investigations, where disclosure would prejudice them
Crime prevention and national security
Vexatious requests or requests made to harass, which are usually treated as manifestly unfounded
Consequences of Failing to Comply
Non-compliance with SARs can result in complaints to the ICO, investigations, potential fines, and damage to your organisation’s reputation. It’s essential to respond within the required timeframe and provide the requested data unless a valid exemption applies.
Best Practice Communication
Write emails and messages on the assumption that the person they concern may one day read them in a SAR response. Keep the record factual and professional rather than avoiding records altogether.
For sensitive discussions, consider using phone or video calls instead of text, but bear in mind that call recordings, meeting transcripts and any notes taken afterwards are also personal data and are equally disclosable. Decisions about an individual should still be documented accurately.
What Should Employers Do
Training - Train relevant staff, especially in HR and customer-facing roles, on how to identify and handle SARs.
Policy - Create a SAR policy that sets out who owns the response, how requests are logged and routed, how identity is verified and how the deadline is tracked. Confirm verbal requests to the requester in writing to prevent misunderstandings about scope and date of receipt.
Retention - Regularly review and maintain data retention policies to avoid keeping data longer than necessary.
📢If you need advice, contact one of our team on 01935 411191 or email enquiries@rbhr.co.uk for a free initial consultation phone call. 📢