A subject access request (SAR) refers to the right of an individual to request full details of the personal data an organisation holds about them. You may never have heard of a subject access request. But if your organisation receives one, you have one month to respond. Here is some helpful, basic information about them.
How should subject access requests be submitted?
There is no specific rule on how a person can submit a SAR. They can make a request by:
- sending an email
- writing you a letter
- submitting a form on your website
- and more.
However, you can choose to provide a subject access request form. This makes the process clearer and simpler for your organisation, as the form can ask for all the information you need in order to process the request.
What personal data are you required to provide?
The information you are required to provide in a subject access request can be very wide-ranging. The volume will depend on the complexity of your relationship with the individual. For example, if they are only on your marketing list then the data you hold will be more limited than if they were a client, patient, or student. The data you hold could include emails, video, photographs, or voice recordings. In addition, you will also need to confirm:
- That you are processing the individual’s data
- What categories of personal data you are processing
- The purpose for processing the data
- Any recipients of the data (third parties to whom the data has been disclosed)
- The data retention time period
You will also need to inform the individual about:
- Their rights to object to the processing of their data, to request correction, to request erasure, and to restrict processing
- Information on how the data was obtained (if not obtained from the individual directly)
- Any automated decision making regarding their data
- Their right to complain to the ICO
- Information on how you keep the data safe if sending it outside the EEA
Can you charge for dealing with a subject access request?
In most cases, no, you cannot charge. Fulfilling a subject access request must be free of charge. However, if an individual repeatedly requests information, you are permitted to charge a ‘reasonable fee’. This fee must only represent the administrative cost of responding to the request. You must also explain why you are making the charge.
Multiple subject access requests can be very time-consuming and thus expensive. This is particularly apparent if your organisation holds a large quantity of data on individuals, and even more so if that data includes Special Category Personal Data.
As such, it is advisable to ensure the personal data you store is well organised and easily accessible, and to have good policies, procedures and checklists for dealing with data protection matters.
If you need assistance with policies, procedures or training for dealing with subject access requests, then we can help; just get in touch.