Handling subject access requests
- This brief guide focuses on the main points to consider and the legal obligations relevant to employers who receive a subject access request (SAR) and, where relevant, draws comparisons with the old regime which pre-dates the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
- For a guide to employers' data protection obligations, see our separate guide.
- No fee is chargeable unless the request is ‘manifestly excessive or unfounded’ in which case a ‘reasonable’ fee can be charged to cover administrative costs.
- These terms are not defined but our understanding is that manifestly excessive or unfounded requests will include repetitive requests within a small window of time or requests for additional copies of the same information.
- You must respond ‘without undue delay’ and, at the latest, within one month of receipt of the request.
- This timeframe can be extended by up to two months if the request is complex and/or you have numerous requests from the same individual to deal with.
- Any such extension, and the reason for it, should be confirmed to the applicant in writing before the initial one-month time limit expires.
- You can still ask the individual for additional information to confirm their identity and to clarify their request. Your timeframe to respond begins once you receive sufficient information to confirm their identity and/or identify which data falls into scope.
- You can refuse a request if it is manifestly excessive or unfounded, although we recommend this is only done as a last resort.
- If you refuse the request, you should provide the applicant with the reason(s) for this decision and remind them of their right to complain to the Information Commissioner's Office (ICO).
- You will need to give the applicant specific information in your response:
- your retention period(s)
- the applicant’s right to have inaccurate data corrected
- the legal basis for processing personal data
- the applicant’s right to lodge a complaint with the Information Commissioner’s Office
- details of transfers of personal data outside the EEA, including details of any safeguards in place for those transfers
- The results of the SAR should be made available to the individual via the same method as their request, where possible.
- For example, you could send them the results electronically if they submitted their request by email or other electronic means, or you could make the results available through an electronic portal or data room, provided that adequate security safeguards are in place: access should be restricted to the authenticated applicant and the data transmitted over an encrypted connection, since the disclosure will itself be a body of personal data.
- We don't currently have any guidance on how long such an online portal should remain available, but it would be reasonable and sensible to set a time limit, to tell the applicant what it is and, possibly, to offer them a copy on CD or paper instead.
- It is a criminal offence to alter records with the intention of preventing disclosure following a SAR.
- The offence is punishable by an unlimited fine. We recommend you remind managers of this and ensure they know to send any SARs to you, or to a designated Data Protection Officer or Team, immediately upon receipt.
Q: I have just received a SAR. What do I do?
A: Respond openly and quickly.
- Contact the individual making the request:
- confirm their identity
- acknowledge the request, explain next steps and set expectations
- If necessary, seek to clarify the parameters of the request, and agree issues such as the search terms to be used, sources of data and the timeframe covered (the time limit to comply with the request will only start to run from the date of the clarified request).
Q: Do I have to have a SAR policy?
- There is no legal obligation to have a formal policy.
- However, employees should be made aware of their right of access to their personal data and of how to exercise it.
- One of the key principles of GDPR is accountability: data controllers must 'implement appropriate technical and organisational measures to ensure' compliance, and a documented SAR procedure is one way to evidence this.
Q: This is the employee’s second SAR in a year, and they are just trying to be awkward. Can I reject the request as manifestly excessive or unfounded?
- ‘Manifestly excessive or unfounded’ is not defined in the legislation, but it is a very high threshold for an employer to meet.
- The employee’s real motivation for the request does not matter: the data subject has a right to make the request.
- Clearly setting out in an accessible policy definitions or examples of when you will refuse to comply with a request will help. It allows you to show that you have explained to employees when a request would and would not be accepted, although this will not be determinative for the ICO or a court.
Q: We do not have the time or resources to process the request, can I refuse to comply?
A: Probably not.
- There is no right to refuse a request on the grounds that it is too onerous.
- However, ICO guidance indicates that it is unlikely to take enforcement action where complying would require disproportionate effort on your part.
- If you want to argue that the effort or cost would be disproportionate, you will probably have to demonstrate this to the ICO or a court, so keep a record of the searches carried out and the effort involved.
- Engage with the employee, explain the position and seek to agree what you will provide.
Q: I do not think that I can comply with the time limit - what do I do?
A: Contact the requester.
- You can extend the one-month time limit by up to a further two months if the request is complex or if you have numerous requests from the same individual. You must notify the requester of the extension, and the reason for it, within the initial one-month limit.
- Contact the individual who made the request to explain why you cannot comply in time and look to agree an extension.
- If no agreement is reached, provide what you can within the time limit and explain what information will follow and when.
Q: What do I need to provide?
A: All personal data, subject to the exemptions below.
- In most cases, you should provide a copy of the personal data you process about the individual. This includes emails containing personal data about them, which can extend to information that merely places them at a particular meeting.
- However, the individual’s right to access to data must not compromise the rights of others. You are not required to disclose information that:
- is subject to privilege
- is a reference given in confidence for employment or training purposes
- is processed for management forecasting or planning purposes, where disclosure would prejudice that business activity
- Third party personal data within a document should be redacted, or the document excluded, unless the third party consents to disclosure or it is reasonable to disclose it without their consent.
- If any information is withheld, keep a record of what and why.
- When responding to the request, you must also provide details of
- how long you intend to retain the data and why
- the employee’s right to have inaccurate data corrected
- the employee’s right to lodge a complaint, and
- any transfers outside the EEA/UK and the safeguards in place for them