Subject Access Requests – What you need to know.
As individuals, we have a right to use a Subject Access Request (SAR) to access any personal data an organisation holds about us. We can also use a SAR to restrict or object to the use of our personal data, or have it deleted.
As an organisation, when we receive a SAR we have 30 days to respond.
The types of SARs we can receive are as follows:
- To have access to our own personal data – this is an absolute right, and unless there is an overriding law which prevents us disclosing the data, we must comply within 30 days.
- To object to or restrict the use of our personal data – this is not an absolute right, but unless we have a legal reason to continue with processing, we have to comply.
- To request that personal data be deleted – again, unless we have a legal reason to continue processing, we must delete the personal data.
- To request that personal data be rectified – this means that a data subject can ask that their own personal data is updated or corrected where there are inaccuracies.
- To request that personal data be ported (moved from one place to another, perhaps from one organisation to another).
- To withdraw consent – if consent is the legal basis we rely on for processing, the processing must stop once consent has been withdrawn.
Underpinning all of this, we have the right to accountability – this means an organisation can be held legally responsible when it processes our personal data unlawfully.
A subject access request is used to exercise data subject rights.
A SAR can come in any form: word of mouth, a phone call, an email or a letter. It is advisable to make sure that the request is documented, so if you receive one it is in your best interest to record the SAR so that it can be referred to at any time.
Key points to remember when answering a SAR:
- A data subject is only entitled to their own personal data – this means that if we are disclosing email content or other documents, we must consider whether we need to redact or obfuscate the personal data of others
- We should confirm the identity of the requester to ensure that we are disclosing the correct personal data to the correct person – the ICO recommends checking a photo ID
- Do we share the personal data with third parties who may also need to delete / restrict / rectify the personal data – are they able to do so? Does our contract / agreement with them address this activity?
- Do we know where the personal data is? (consider email, paper, devices, backups, social media, website and third parties)
- Is the personal data of others entwined in documentation with the personal data of the requester? Do we need to remove or redact data before disclosing?
- Are any electronic documents carrying metadata even after redaction? (Metadata is the source data contained within electronic documents and can often be transferred from one document to another; even though it cannot be seen by the naked eye, those with IT knowledge are likely to be able to find it.)
Metadata can appear in any kind of digital document – for example, digital photographs will often have additional data within them which shows the date, location and time the picture was taken.
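The metadata point above is one a practitioner will want to check mechanically before disclosing a redacted file. The following Python script is an added example and is not part of the original article: it builds a constructed .docx-style package in memory whose body text has already been redacted but whose file properties (docProps/core.xml) still name the data subject and the last editor, lists those properties, flags any that still mention a redacted name, and writes a copy with the personal fields removed. It uses only the standard library; the sample names, dates and the list of fields treated as personal are assumptions for illustration. Other metadata sources the article alludes to (EXIF in photographs, tracked changes, comments, embedded thumbnails) need their own checks.

```python
"""Check a redacted OOXML (.docx) package for metadata that still names people.

Added example for this article (not the author's own material): uses only the
Python standard library and a constructed in-memory document, so it runs offline.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

# XML namespaces used by docProps/core.xml in OOXML packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Core properties that routinely carry personal data (assumed list for illustration).
PERSONAL_FIELDS = ("dc:title", "dc:subject", "dc:description", "dc:creator",
                   "cp:keywords", "cp:lastModifiedBy")

# Constructed sample: the body text has been redacted, but the file properties
# still identify the data subject (constructed name) and the last editor.
_CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}" xmlns:xsi="{NS['xsi']}">
  <dc:title>Complaint from Jane Example</dc:title>
  <dc:creator>Jane Example</dc:creator>
  <cp:lastModifiedBy>HR Team</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2023-01-05T10:00:00Z</dcterms:created>
</cp:coreProperties>"""

_DOCUMENT_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
  <w:body><w:p><w:r><w:t>Complaint raised by [REDACTED] on 5 January 2023.</w:t></w:r></w:p></w:body>
</w:document>"""


def build_sample_docx() -> bytes:
    """Assemble a minimal .docx-style zip package in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", _DOCUMENT_XML)
        zf.writestr("docProps/core.xml", _CORE_XML)
    return buf.getvalue()


def _qualified(tag: str) -> str:
    """Turn '{uri}local' back into 'prefix:local' for readable reporting."""
    if not tag.startswith("{"):
        return tag
    uri, _, local = tag[1:].partition("}")
    prefix = next((p for p, u in NS.items() if u == uri), uri)
    return f"{prefix}:{local}"


def read_core_properties(docx_bytes: bytes) -> dict:
    """Return {'prefix:local': text} for every element in docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    return {_qualified(child.tag): (child.text or "").strip() for child in root}


def metadata_mentions(docx_bytes: bytes, redacted_terms) -> list:
    """List (field, term) pairs where a term redacted from the body survives in metadata."""
    hits = []
    for field, value in read_core_properties(docx_bytes).items():
        for term in redacted_terms:
            if term.lower() in value.lower():
                hits.append((field, term))
    return hits


def strip_personal_metadata(docx_bytes: bytes) -> bytes:
    """Return a copy of the package with PERSONAL_FIELDS removed from core.xml.

    Every other zip entry (including the redacted body) is copied unchanged.
    """
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    out = io.BytesIO()
    with src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for field in PERSONAL_FIELDS:
                    prefix, local = field.split(":")
                    for el in root.findall(f"{{{NS[prefix]}}}{local}"):
                        root.remove(el)
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", read_core_properties(doc))
    print("leaks:", metadata_mentions(doc, ["Jane Example"]))
    clean = strip_personal_metadata(doc)
    print("after:", read_core_properties(clean))
```

Run it with a real file by replacing `build_sample_docx()` with the bytes of the document you intend to disclose and passing the names you redacted from the body; a non-empty result from `metadata_mentions` means the redaction is incomplete. The script deliberately leaves the created/modified timestamps in place so the check is conservative; whether dates must also go is a case-by-case decision.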
Subject Access Requests may be rejected in some circumstances, either in their entirety or in part, for example if a SAR is deemed “manifestly unfounded or excessive”. This could mean that multiple overlapping SARs have been submitted, that a SAR asks for data already disclosed to the requester, or that a SAR is being used to bully or harass, or to intentionally cause disruption. Rejecting a SAR can be a messy business, so it is always best to get advice before you consider rejecting one.
When making a disclosure, you must tell the data subject about any redactions, obfuscation or anonymisation which you have applied and why.
If you are rejecting a SAR you must also give the data subject the reason why.
In every response to a SAR, you must let the data subject know they have the right to complain to the ICO and provide the link / telephone number in order for them to do so.