What Is A Subject Access Request?

What is meant by subject access requests?

At a glance –

  • Individuals have the right to access and receive a copy of their personal data, and other supplementary information. This is commonly referred to as a subject access request or ‘SAR’.
  • Individuals can make SARs verbally or in writing, including via social media.
  • A third party can also make a SAR on behalf of another person.
  • In most circumstances, you cannot charge a fee to deal with a request.
  • You should respond without delay and within one month of receipt of the request.
  • You may extend the time limit by a further two months if the request is complex or if you receive a number of requests from the individual.
  • You should perform a reasonable search for the requested information.
  • You should provide the information in an accessible, concise and intelligible format.
  • The information should be disclosed securely.
  • You can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.

What should be included in a subject access request?

What should my request say? – Do include:

  • a clear label for your request (eg use ‘subject access request’ as your email subject line or a heading for your letter);
  • the date of your request;
  • your name (including any aliases, if relevant);
  • any other information used by the organisation to identify or distinguish you from other individuals (eg customer account number or employee number);
  • your up-to-date contact details;
  • a comprehensive list of what personal data you want to access, based on what you need;
  • any details, relevant dates, or search criteria that will help the organisation identify what you want; and
  • how you would like to receive the information (eg by email or printed out).

Don’t include:

  • other information with your request, such as details about a wider customer service complaint;
  • a request for all the information the organisation holds on you, unless that is what you want (if an organisation holds a lot of information about you, it could take them longer to respond, or make it more difficult for you to locate the specific information you need in their response); or
  • threatening or offensive language.

Where possible, send your request directly to the individual or team who deal with subject access requests, such as the data protection officer.

Is a subject access request the same as GDPR?

What is a subject access request (SAR)? – A SAR is a request made by or on behalf of an individual for the information which they are entitled to ask for under Article 15 of the UK GDPR.

What if you receive a subject access request?

Can we ask for ID? – Yes. To avoid personal data about one individual being sent to another, either accidentally or as a result of deception, you need to be satisfied that:

  • you know the identity of the requester (or the person the request is made on behalf of); and
  • the data you hold relates to the individual in question (eg when an individual has similar identifying details to another person).

You can ask for enough information to judge whether the requester (or the person the request is made on behalf of) is the person that the data is about. The key point is that you must be reasonable and proportionate about what you ask for. You should not request more information if the requester’s identity is obvious to you.

This is particularly the case when you have an ongoing relationship with the individual.

Example: You have received a written SAR from a current employee. You know this employee personally and have even had a phone conversation with them about the request. Although your organisation’s policy is to verify identity by asking for a copy of a utility bill, it is unreasonable to do so in this case since you know the person making the request.

You should also not request formal identification documents unless necessary. First you should think about other reasonable and proportionate ways you can verify an individual’s identity. You may already have verification measures in place which you can use, for example a username and password.

  • However, you should not assume that on every occasion the requester is who they say they are.
  • In some cases, it is reasonable to ask the requester to verify their identity before sending them information.
  • How you receive the SAR might affect your decision about whether you need to confirm the requester’s identity.

Example: An online retailer receives a SAR by email from a customer. The customer has not used the site for some time and although the email address matches the company’s records, the postal address given by the customer does not. In this situation, before responding to the request it is reasonable to gather further information, which could simply be to ask the customer to confirm other account details, such as a customer reference number.

The level of checks you make may depend on the possible harm and distress that inappropriate disclosure of the information could cause to the individual concerned.

Example: A GP practice receives a SAR from someone claiming to be a former patient. The name on the request matches a record held by the practice, but there is nothing else in the request to enable the practice to be confident that the requester is the right patient.


In this situation, it is reasonable for the practice to ask for more information before responding to the request. The potential risk to the former patient of sending their health records to the wrong person is high, so the practice is right to be cautious.

They could ask the requester to provide more information, such as a passport or driving licence or another document confirming their identity. When you receive a SAR, you should determine what information you require to verify identity and explain to the individual what they need to provide. You will sometimes need to request more information than usual, depending on the circumstances.

You should not request ID documents if you are aware that they might not be sufficient, or if you believe that you will need to request further proof at a later stage.

Example: A local authority is aware that a father and son living at the same address have the same name – John Smith.

When they receive a request from a John Smith at this address, it is reasonable for them to request proof of identity that reveals the requester’s date of birth, even if they would not usually ask for ID which confirms date of birth. The timescale for responding to a SAR does not begin until you have received the requested information.

However, you should request ID documents promptly. This means you must request the documents as soon as possible. You must not unnecessarily delay requesting the documents until the end of the one month time limit. If the requested information is not sufficient and you need to take further steps to verify the individual’s identity, the timescale for responding begins once you have completed the verification.

For example, the ID documents may not be sufficient if an individual supplies information which raises doubts about their identity, or you have reasonable concerns that the ID is fraudulent or the individual has obtained it fraudulently.

However, this only applies in exceptional circumstances, and generally the timescale for responding to a SAR begins once you receive the requested information. Please see ‘How long do we have to comply?’ for more information about timescales.

Example: After a company has received a SAR, they ask for proof of ID. However, when this is provided the name on the ID document is different from the name they have on record for the individual concerned, and the company cannot be certain that they are the same person. In this situation, it is reasonable for the company to ask for further proof of the individual’s identity by asking for alternative ID or evidence that explains why the names are different. The timescale does not begin until they have received sufficient information to verify the requester’s identity.

Whilst you do not need to keep copies of ID documents, it might be helpful to keep a note of:

  • what ID documents the individual provided;
  • the date you verified them; and
  • details of who in your organisation verified them.

Before supplying any information in response to a SAR, you should also check that you have the correct details to send the response (eg the correct email address).

What is a GDPR subject access request?

What is the right of access? – You have the right to ask an organisation whether or not they are using or storing your personal information. You can also ask them for copies of your personal information, verbally or in writing. This is called the right of access and is commonly known as making a subject access request or SAR.

Can subject access request be refused?

Frequently asked questions – Am I entitled to receive copies of entire documents? No. Your right of access does not entitle you to receive full copies of original documents held by an organisation – only your personal information contained in the document.

Example: You make a subject access request to your bank for full copies of your bank statements. Your bank is not required to provide copies of the actual bank statements, but they must provide you with your personal data contained within them, for example, by providing you with a list of transactions. By doing so, they have complied with your subject access request without having to give you a full copy of the original bank statements.

What does ‘manifestly unfounded or excessive’ mean? There is no set definition of what makes a subject access request ‘manifestly unfounded or excessive’.

An organisation may, however, consider a request manifestly unfounded or excessive where, for example:

  • it has been made with no real purpose except to cause them harassment or disruption;
  • the person making the request has no genuine intention of accessing their information (eg they may offer to withdraw their request in return for some kind of benefit, such as a payment from the organisation); or
  • it overlaps with a similar request they are still addressing.

To decide this, an organisation must consider each request on a case-by-case basis and be able to explain their reasoning to you. What is an exemption? An organisation may withhold some, or all, of your personal information because of an exemption in data protection law.

Where your information also contains information about another individual, the organisation can only give it to you if:

  • the other individual has agreed to the disclosure; or
  • it is reasonable to give you this information without the other individual’s consent.

In their decision-making, an organisation has to balance your right of access against the other individual’s rights over their own information. This may lead the organisation to refuse your subject access request. Alternatively, the organisation may attempt to remove (or edit out) the other individual’s information before sending your information to you.

If the organisation refuses your request, or part of it, they must:

  • tell you why they are not taking action;
  • justify their decision; and
  • explain how you can challenge this outcome.

See our guidance on exemptions for organisations for more detail on this topic. What happens if the organisation requires proof of ID? ID (identity) checks are usually required for security – they are part of an organisation’s measures to protect your personal data from unauthorised access.

Examples of information that your right of access does not cover include:

  • information used for personal/household activity (eg friends writing letters to you or pictures of you taken by family members);
  • images of you captured on a domestic CCTV system within the boundary of their domestic property; and
  • information about a deceased relative’s medical records (as data protection law only applies to living individuals).


Can I submit the same request again? Yes, you can ask an organisation for access to your information more than once. However, they may be able to refuse your request if:

  • they have not yet had the opportunity to address your earlier request; or
  • not enough time has passed since your last request (eg your information has not changed since then).

Remember, you can also ask an organisation for further copies of your information following a request, but they can charge a reasonable fee for this.

Who is responsible for subject access request?

Who is responsible for responding to a subject access request? – An organisation’s data protection officer (DPO) will generally be responsible for fulfilling a DSAR, provided the organisation has appointed one. If you don’t have a DPO, the duty should fall to someone in your workforce with data protection knowledge.

Are emails included in a subject access request?

What about information contained in emails? – The contents of emails you store on your computer systems are a form of electronic record to which the general principles above apply. For the avoidance of doubt, you should not regard the contents of an email as deleted merely because a user has moved it to their ‘Deleted items’ folder.

It may be particularly difficult to find information related to a SAR if it is contained in archived emails that you have removed from your ‘live’ systems. Nevertheless, the right of access is not limited to personal data that is easy for you to provide. You may, of course, ask the requester to give you some context that would help you find what they want, if you process a large amount of information about them.

It can sometimes be difficult to determine whether an email contains an individual’s personal data. This depends on the contents of the email, the context of the information it contains, and what it is being used for. Ultimately it is for you to determine whether any of the information in the email is the individual’s personal data.

The right of access only applies to the individual’s personal data contained in the email. This means you may need to disclose some or all of the email to comply with the SAR. Just because the contents of the email are about a business matter, this does not mean that it is not the individual’s personal data. This depends on the content of the email and whether it relates to the individual. Just because the individual receives the email, does not mean that the whole content of the email is their personal data. Again, the context of the information and what it is being used for is key to deciding this. However, their name and e-mail address is their personal data and you should disclose this information to them.

Example: An employee makes a SAR for all of the information you hold about them. During your search for their personal data, you find 2000 emails which the employee is copied into as a recipient. Other than their name and email address, the content of the emails does not relate to the employee or contain the employee’s personal data.

You do not have to provide the employee with a copy of each email (with the personal information of third parties redacted). Since the only personal data which relates to them is their name and email address, it is sufficient to advise them that you identified their name and email address on 2000 emails and disclose to them the name contained on those emails, eg John Smith, and the email address contained on those emails, eg,

Alternatively you could provide one email with other details redacted as a sample of the 2000 emails you hold. You should also clearly explain to the individual why this is the only information they are entitled to under the UK GDPR, but remember to provide them with supplementary information concerning the processing, eg retention periods for the emails.
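The search described above, covering ‘Deleted items’ and offline archives as well as live folders, and separating emails that merely carry the requester's name and address in the headers from emails whose content is about them, can be scripted. The following is an added illustration, not code from the ICO or any organisation: the folder names, addresses and messages are constructed sample data, and the two-way classification is an assumption made for the example (a reviewer still has to read the content hits, because whether a message is the individual's personal data depends on its context).

```python
"""Search every mail folder, including 'Deleted Items' and an archive that is no
longer on the live system, for a requester's personal data, and separate
recipient-only hits (name/address in headers only) from content hits.

Added example with constructed sample data; not the page's or the ICO's code.
"""
import email
from email.utils import getaddresses

# Constructed sample mailboxes: folder name -> list of raw RFC 5322 messages.
SAMPLE_FOLDERS = {
    "Inbox": [
        "From: hr@example.test\nTo: jane.doe@example.test\n"
        "Subject: Appraisal notes\n\n"
        "Jane Doe, attached are the notes from your last appraisal.\n",
        "From: sales@example.test\nTo: all-staff@example.test\n"
        "Cc: jane.doe@example.test\nSubject: Q3 figures\n\n"
        "Q3 revenue is up 4%. Well done everyone.\n",
    ],
    "Deleted Items": [
        "From: manager@example.test\nTo: hr@example.test\n"
        "Subject: Verbal warning\n\n"
        "Please file the verbal warning issued to Jane Doe on Monday.\n",
    ],
    "Archive 2019": [
        "From: it@example.test\nTo: jane.doe@example.test\n"
        "Subject: Password reset\n\n"
        "Reset completed for jane.doe@example.test; letter sent by post.\n",
    ],
}


def search_mailboxes(folders, full_name, address):
    """Return a list of (folder, subject, category) hits.

    category is 'content' when the requester's name or address appears in the
    subject or body, and 'recipient_only' when the address appears only in the
    From/To/Cc headers. Messages that match neither are not reported.
    """
    terms = [full_name.lower(), address.lower()]
    hits = []
    for folder, raw_messages in folders.items():
        for raw in raw_messages:
            msg = email.message_from_string(raw)
            header_addrs = {
                addr.lower()
                for _, addr in getaddresses(
                    [msg.get("From", ""), msg.get("To", ""), msg.get("Cc", "")]
                )
            }
            subject = msg.get("Subject", "")
            # Sample messages are single-part, so the payload is the text body.
            body = msg.get_payload() if not msg.is_multipart() else ""
            searchable = (subject + "\n" + body).lower()
            if any(term in searchable for term in terms):
                hits.append((folder, subject, "content"))
            elif address.lower() in header_addrs:
                hits.append((folder, subject, "recipient_only"))
    return hits


def summarise(hits):
    """Count hits per category and list the folders in which anything was found,
    which is the record of searches performed that a SAR response should show."""
    summary = {"content": 0, "recipient_only": 0,
               "folders": sorted({folder for folder, _, _ in hits})}
    for _, _, category in hits:
        summary[category] += 1
    return summary


if __name__ == "__main__":
    found = search_mailboxes(SAMPLE_FOLDERS, "Jane Doe", "jane.doe@example.test")
    for folder, subject, category in found:
        print(f"{folder:14} {category:15} {subject}")
    print(summarise(found))
```

Run against the sample data, the script reports the harassment-style message in ‘Deleted Items’ and the archived reset notice as content hits even though neither sits in a live inbox, while the Q3 circular the employee was only copied into is reported separately as a recipient-only hit, which is the kind of email the example above says can be disclosed as a count plus the name and address rather than in full.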

What happens if you fail to comply with SAR?

Can a court order be used to enforce a SAR? – If you fail to comply with a SAR, the requester may apply for a court order requiring you to comply. It is a matter for the court to decide, in each particular case, whether to make such an order.

Can I make a subject access request to my employer?

Do people have to submit a request in a certain format? – No. The UK GDPR does not set out formal requirements for a valid request. Therefore, a worker can make a SAR verbally or in writing, including by social media. Workers can make requests to any part of your organisation, and they do not have to direct it to a specific person or contact point.

  1. However, you should have a designated person, team and email address for SARs.
  2. You should ensure that your staff are aware of what to do if they receive a SAR.
  3. It’s important to note that a request does not have to include the phrases ‘subject access request’, ‘right of access’ or ‘Article 15 of the UK GDPR’.

It just needs to be clear that they are asking for their own personal information. Examples of SARs:

  • ‘Please send me my HR file.’
  • ‘Can I have a copy of the notes from my last appraisal?’
  • ‘What information do you hold on me?’
  • ‘Can I have a copy of the emails sent by my manager to HR regarding my verbal warning?’

What can an employee ask for in a subject access request?

A subject access request is a request by an individual to access their personal information held by any data controller. This can be an employer or a company that holds their personal information because they provide a service to them. Someone has the right to be told whether or not personal data is being processed about them and, if it is, there’s a long list of information they should be told.

The process a business should follow if someone makes a subject access request is as follows. Firstly, the business should always check the identity of the person making the request to make sure that it isn’t someone trying to commit fraud. If it’s an employee or someone the business knows personally, you can speak to them to check the request came from them.

Otherwise, you can ask for ID, such as a passport, driver’s licence or copy of a bill, to check that the request is legitimate. Secondly, businesses should make sure to diarise the key dates. Since the introduction of the GDPR you have one month to process the request.


This can be extended by a further two months if the request is particularly large or complex. Thirdly, always check that the subject access request makes sense and that you understand what they’re asking for. If not, you can go back to clarify the request and ask for more information. The clock stops while you’re waiting to hear back from the person, which can be helpful when the request is very big.

Once the business knows what is being asked for, the business must make reasonable efforts to find the information that was requested. They don’t have to conduct searches which would be unreasonable or disproportionate but will need to explain what searches they have done and why.

It might involve searching servers, databases, email folders and paper filing systems. Normally a business can’t charge someone if they make a subject access request. The only time a business can charge is if the request is manifestly unfounded or excessive. In which case a reasonable fee can be charged or the company can refuse to process the request.

The business doesn’t have to send everything to the individual that they find. Once the company has found all the documents containing the personal information requested, someone needs to go through it and identify any documents which don’t need to be disclosed.

There is a long list but some of the most common ones are documents which also identify other people, documents which are covered by legal professional privilege, references, documents for the purposes of management forecasting or business planning which would prejudice the business if the information got out (ie a planned redundancy programme) and documents about negotiations between the parties which could cause problems in the negotiations if they were shared.

Finally, the letter to the person is an important part of the process. The GDPR sets out what has to be in the letter, and a copy of the documents has to be sent with it. The letter should tell the person why the personal data is being processed, what’s being processed, how long the data is being kept for and whether it’s being passed to any third parties.

If the person doesn’t think the company has complied with the process properly they can complain to the ICO. This could lead to an investigation and, if there are any potential issues with data protection in the company or the right documents aren’t in place, this could lead to a wider review and fines.

Andrew Willshire is an employment law expert at Paris Smith solicitors

When should a subject access request be responded to?

What are the time limits? – If you exercise any of, the organisation you’re dealing with must respond as quickly as possible. This must be no later than one calendar month, starting from the day they receive the request. If the organisation needs something from you to be able to deal with your request (eg ID documents), the time limit will begin once they have received this.

What are the 7 principles of GDPR?

Short Summary: –

  • If your company handles personal data, it’s important to understand and comply with the 7 principles of the GDPR.
  • The principles are: Lawfulness, Fairness, and Transparency; Purpose Limitation; Data Minimisation; Accuracy; Storage Limitations; Integrity and Confidentiality; and Accountability.
  • We take you through an example of creating an online newsletter to illustrate how each principle works.

What is the difference between DSAR and SAR?

A subject access request (SAR), also called a data subject access request (DSAR), is any request by a data subject for access to their personal data. Those with parental responsibility for students aged 18 and under can also request a copy of their child’s pupil record.

What are SAR regulations?

Suspicious activity reports – This guide explains when and how to make a suspicious activity report (SAR), what to include, how to request a defence against money laundering (DAML) and what happens if you fail to report suspicious activity to the National Crime Agency (NCA).

Are text messages included in a SAR?

Control your communication channels – A SAR requires you to search all places where you might hold personal data about the requester including the mediums which your business uses to communicate, for example, WhatsApp messages, texts and emails. A casual comment to a colleague may, at best, be highly embarrassing to disclose.

What is the difference between FOI and SAR?


A Freedom of Information (FOI) request is asking for information about the organisation. A Subject Access Request (SAR) is a request for information, by a living person, about themselves. A SAR can also be made by a solicitor or Power of Attorney on behalf of a living person.


What is the difference between GDPR and DSAR?

What are data subject access requests? – DSARs are the result of the GDPR’s right of access – one of eight data subject rights enshrined in the Regulation. When an individual submits a data subject access request (or SAR, as it was known under the Data Protection Act), organisations must provide them with a copy of any relevant information about them.
