Handling Subject Access Requests: A Guide for Employers
As an employer, understanding how to handle a Subject Access Request (SAR) is crucial to ensure compliance with data protection laws. A SAR allows individuals to request access to their personal data held by your organisation, a right protected under laws such as the Data Protection Act 2018 in the UK and the General Data Protection Regulation (GDPR) in the European Union.

Employers must adeptly manage Subject Access Requests to comply with data protection laws and protect sensitive information.
Responding to a SAR
Upon receiving a SAR, your organisation has one month to respond. This timeframe is a legal requirement and failing to meet it could result in a breach of data protection laws, unless an extension is justified. The Information Commissioner’s Office (ICO) outlines specific criteria for a potential two-month extension, but these are complex and not commonly applicable.
For most cases, the one-month deadline is non-negotiable. It’s imperative to act swiftly to meet this statutory requirement, as failure to do so may lead to complaints to the ICO. This could trigger inquiries into your SAR processing procedures, with potential demands for corrective actions. Consistent non-compliance could result in fines.
Recognising and Logging SARs
As an employer, it’s important to recognise a SAR, even if it’s not explicitly identified as such. Ensure that all requests are correctly logged and processed following an established procedure. Training employees to recognise SARs and understand the internal protocols is vital to ensure efficient handling.
To streamline the process, consider setting up a dedicated email address for receiving SARs. This should be clearly mentioned in your organisation’s privacy policy to direct all requests through this channel.
Establishing a Robust Process
Larger organisations often have well-established processes for handling SARs, but smaller or medium-sized enterprises might find themselves unprepared. A clear process is essential to comply with data protection regulations.
Begin by determining what information needs to be provided to the requester. This can depend on whether the individual specifies a search term or requests all data held about them. While you can ask for clarification on the timeframe or scope, the requester is not obliged to comply.
Conduct appropriate identity checks to verify the requester’s identity, pausing the one-month response period until this is confirmed.
Reviewing and Disclosing Information
The requested data may exist in various forms, such as emails or records from virtual platforms like Microsoft Teams. Identify the right tools and search terms based on the request’s nature. The search might return numerous documents, necessitating a thorough review to determine what must be disclosed.
A Three-Step Review Process
- Personal Data Identification: Discard any information that is not the individual’s personal data. The right of access covers only personal data.
- Third-Party Information: Remove details about third parties, like names or identifiable information, unless consent is given. This data is usually redacted.
- Exemption Application: Evaluate whether any exemptions apply, which may require legal expertise. If applicable, redact or withhold information, providing an explanation for any withheld data, outlining the exemption used.
For instance, legally privileged information, such as lawyer-client communications, may be exempt. Consulting a privacy lawyer helps ensure exemptions are applied correctly rather than misapplied.
Delivering the Information
After gathering the necessary data, decide how to deliver it to the requester, typically done digitally. However, the requester can choose their preferred method of receipt.
Having a defined procedure for this stage aids in handling requests accurately, avoiding mistakes that could lead to data loss or unintentional disclosure. For example, sending the information as a password-protected document with the password in a separate email, or using a courier for sensitive data sent by post, are recommended practices.
With rising awareness of data protection rights, the frequency of SARs is increasing. Employers without a clear process may struggle to manage these requests effectively. Following these guidelines provides a solid foundation, but consulting data protection lawyers can offer further support, whether for advisory roles or managing SAR processes on your behalf.