Subject access requests (SARs) are an essential right for any individual, as stated under the UK General Data Protection (GDPR). As a business, no matter your industry, you may have to respond to a SAR request if you hold or process personal data.
Read on to find out more about subject access requests, including how to send one. Please note that this article is general public information, and is not legal advice. Use the jumplinks below to navigate to the different areas of this guide:
What is a subject access request?
A subject access request is a request an individual can make to an organisation to get a copy of any personal data the organisation may hold on them. This request for personal data is a right under GDPR, and can be made via a written, verbal or electronic request.
Visit the Information Commissioner’s Office guidance on subject access requests for a full definition and specific guidance.
What is included in a SAR?
When making a SAR request, you can find out a number of things about your personal data, including:
- A copy of the personal data the organisation holds about you
- Where they got your personal data
- How they’re using your personal data
- Third parties they’re sharing your personal data with
- How long they’ll keep your data
Who can make a request?
Any individual has the right to make a subject access request. Individuals may also nominate someone to be a representative to apply for a SAR on their behalf.
This representative should be someone the individual trusts, such as a solicitor, a relative or a trusted friend. In this case, there must be a valid consent signed by the individual who is authorising the release of information to the representative.
How do I make a subject access request?
For an individual to make a request, they must be as careful and as helpful as possible to gain the information they need. As stated previously, an individual can make a SAR verbally or in writing, which includes making the request on social media. In all situations, it needs to be unmistakably clear that the individual is asking for their own personal data.
To make a request, you must provide the following information:
- Your name (or any previous names)
- Your address
- Proof of identity
- Proof of address
- Enough information to identify your records
This is the bare minimum information you should provide, however you should research the organisation to see if they require additional information or documents to complete the request. Some larger organisations, such as your local council or the NHS, may have a specific subject access request form you need to fill out.
If there isn’t a specific form, you may want to use a subject access request template to ensure you cover all bases. This template from Mind is a good example. You may also want to have a trusted person to read your request before sending. Remember to include copies of information that confirm your identity.
What’s the subject access request timescale?
This is probably the most commonly asked question about subject access requests. The organisation you request information from is obligated to respond to your request “without undue delay,” and at least within one calendar month, starting from the day they receive the request.
However, if the organisation needs something (such as an identification document) to go through with the request, they must respond within a month of receiving this.
Additionally, if they receive complex or multiple subject access requests, the organisation can seek an extra two months to handle it. This gives them a total of three months to handle the request, but they must let you know within the first month that they will require additional time and why this is.How much does a SAR cost?
Subject access requests are free of charge. However, the ICO states that if the SAR becomes manifestly unfounded or excessive, or if someone requests further copies of their data following a previous request, then an organisation can charge a reasonable fee for administrative costs of processing the request.
As an organisation, if you decide to charge a fee, you should let the individual know as soon as possible.
How to manage subject access requests
As an organisation that processes or controls data, you will likely receive a subject access request. An organisation’s data protection officer (DPO) will generally be the one responsible for fulfilling the request. If you don’t have a DPO, the duty should fall to someone in your workforce with data protection knowledge, such as a compliance officer.
As time is critical to subject access requests, you should have a clear process and appointed data protection lead in place to ensure that all requests are met quickly and correctly. The process itself could look something like this:
- Verify the identity of the individual
- Check that the request is valid (i.e. has the person acting on the individual’s behalf got written permission?)
- Set reminders for final response to the SARs
- Ensure you’re both on the same page (i.e. clarify what data you’re searching for)
- Search for the data
- Check what you need to redact (i.e. ensure you’re protecting the data of other individuals)
- Choose an appropriate format for the data
- Prepare your reply
- Send your reply and keep a record of your responses
Refer to the ICO’s step by step guide on how to deal with SARs for a thorough understanding of the process.
Effortlessly manage SARs with Document Management Software
Dealing with subject access requests without a good data management system in place can be time-consuming and costly to the business. Failure to comply with a request can lead to complaints from the Information Commissioner's Office (ICO) which can have serious financial consequences.
Your organisation will save time and money by having a storage specialist in place to manage your documentation. At Shredall SDS Group, we offer secure off-site business document storage to help keep your important documents and historical data indexed, ready for when you need them for SARs.
We also offer a Document Management Software that lets you quickly locate, view and manage your electronic documents. Our software lets you find records and correspondence faster, reducing the risk of non-compliance when it comes to subject access requests.
Get in touch with us today to learn more about our document management services that can help you stay compliant.