How to deal with a Subject Access Request (SAR)
Published: Monday, 20 March 2023
GDPR: The right to access
The 'right to access' created a flurry of requests in 2018. Staff may be less used to dealing with them now.
What is a Subject Access Request (SAR)?
Introduced under the Data Protection Act 1998 and further enhanced by GDPR, a subject access request gives individuals the right to obtain a copy of their personal data as well as other supplementary information held by an organisation.
Who can make a subject access request?
An individual can make a SAR either verbally or in writing for access to their own personal data. It does not need to take a specific form or refer to any legislation. A third party may also make a SAR on behalf of an individual (e.g. a solicitor or relative), if they can provide evidence that they have authority from the individual to do so.
What is personal data?
Personal data is information that can directly or indirectly identify a living person. This could be anything from their name, address, email, national insurance number, passport number, driver’s licence – anything that can identify or locate an individual. With the advances of technology, GDPR has gone on to add further types of data such as IP addresses, location data and cookie identifiers.
How should I respond to a subject access request?
You have 30 days to respond to a SAR, starting from the day the request was received. But before you do so you must confirm the identity of the requester making sure that you are not supplying information to the wrong person, as this could result in a data breach. If you are unsure about the identity of the requester, you can ask for information or ID documents to help verify their identity. Once you have identified the requester and are happy that they are entitled to the data, make sure that the personal data is handed over securely. Keep an audit trial of the request.
Can I ask for extended time to respond?
Yes, you can if the request is a complex one or if you have received a number of requests from the individual. Your response time can be extended by a further two months.
Can I charge for it?
In most cases no. However, if the information requested is manifestly unfounded or excessive, or there has been a request for further copies, then you can ask for a ‘reasonable fee’ for the administrative costs.
Can you refuse a request for information?
There may be legitimate reasons why you cannot comply with an SAR and this is recognised by GDPR and DPA 2018, who have set out some exemptions. If any of these exemptions apply, then you can refuse all or part of the information requested. You can also refuse an SAR if the information requested is manifestly unfounded or excessive. If you do refuse a request, you must inform the individual of the reason why, their right to make a complaint to the ICO and their ability to seek enforcement through the courts.
Rosie Ali
Account Executive, Ntegrity
rosie.ali@ntegrity.co.uk