In October 2020, the ICO issued 81 pages of detailed guidance on Subject Access Requests. Most people will not engage with it until a Subject Access Request lands on their desk, so Rachael Eyre has picked out the key takeaways.
Key takeaways from the ICO’s detailed guidance
The individual has a right to access their personal information
You cannot restrict that right by imposing processes on how people apply for, or how you supply, the information. Subject Access Requests are purpose neutral: a person does not need to give a reason for asking, and any reason they do give is irrelevant (unless the request is manifestly unfounded or excessive).
You also need to comply with the Equality Act 2010 and supply the information in an accessible and secure way.
Be prepared
- Train your staff to recognise a Subject Access Request. It does not matter whether it arrives verbally, on social media, in a letter or by email; they all count.
- Know where your data is held and how to access it.
- Ensure staff know whom to pass the request to so that it is dealt with.
- Have policies and processes in place, including how you will calculate any fees charged (where you are allowed to charge). That way you can avoid accusations of prejudice if you apply them in a manifestly unfounded or excessive case.
Know the exceptions
You don’t have to comply with a request if it is manifestly unfounded or excessive (for example, where someone offers to withdraw a SAR in exchange for compensation, or where the request is clearly intended only to disrupt the business). If you become aware that the individual has died before you respond, you don’t have to respond (the GDPR protects living individuals only).
Abide by the Subject Access Requests time limits (if you can)
- You have one calendar month to respond (it is easier, and safer, to think of it as 28 days).
- Ask for ID, further information and clarification as soon as possible. Waiting for ID or further information pauses the clock.
- If the SAR is unusually complicated you can take a further two months. You cannot use this as a blanket response, or simply because there is a lot of information. ‘Complicated’ may include redacting other people’s information from numerous documents. You must tell the individual within the original month that you are doing this.
- If you can’t keep to the time limit, keep a note in your log of why. The ICO will be understanding of exceptional situations, such as an organisation with limited resources receiving 500 SARs on the same day from a Claims Management Company!
Keep Subject Access Requests records
Record any decision you take relating to a SAR, for example:
- asking for ID
- confirming third party authority
- deciding that you do not have enough information to check whether the requester is the same individual, and that they have not responded to your requests for clarification.
That way, if there is a complaint, you can demonstrate to the ICO the steps you took and the decisions you made.
Check it is the right person
Yes, you can ask for ID. Don’t keep a copy; just note in your log what you saw and who checked it.
But is asking for ID a proportionate way to check that this is the right person? If someone is only on your marketing list, you have probably never seen their ID, so it would not help you confirm they are the right person.
Check the authority of third parties. An employer, for example, cannot make the request on an employee’s behalf without that employee’s authority.
Key principles
- Be fair.
- Keep the data safe.
- Keep a log of actions and decisions.