A subject access request (SAR) is a request by an individual for full details of the personal data an organisation holds about them, which the individual has a right to receive. You may never have heard of a subject access request, but if your organisation receives one you have one month to respond, so I thought it would be helpful to share some basic information about them.
How should subject access requests be submitted?
There is no specific rule on how SARs should be submitted. A person could make a request by calling, by sending an email, by writing you a letter, by submitting a form on your website – however they like. However, to make the process clearer and simpler for your organisation, you may wish to use a subject access request form that asks for all the information you will need in order to process the request.
What personal data are you required to provide?
The information you are required to provide in response to a subject access request could be very wide ranging; the volume will depend on the complexity of your relationship with the individual. If they were on your marketing list, the data you hold will be much more limited than if they were a client, patient or student. As well as the data you hold on them (which could include emails, video, photographs and voice recordings), you will also need to:
· Confirm that you are processing the individual’s data
· Confirm what categories of personal data you are processing
· Confirm the purpose for processing the data
· Confirm any recipients of the data (third parties to whom the data has been disclosed)
· Confirm the period for which the data will be retained
· Inform the individual that they have a right to object to the processing of their data, a right to request corrections to their data, a right to erasure and a right to restrict the processing of their personal data
· Provide information about how the data was obtained (if not obtained from the individual directly)
· Provide information about any automated decision making regarding their data
· Inform the individual that they have a right to complain to the ICO
· Provide information about how you keep the data safe if sending it outside the EEA
Can you charge for dealing with a subject access request?
In most cases, no, you cannot charge. Fulfilling a subject access request must be free of charge. However, if an individual makes repeated or excessive requests you are permitted to charge a ‘reasonable fee’. This fee must only reflect the administrative cost of dealing with the request, and you must explain why you are making the charge.
If your organisation holds a large quantity of data on individuals, and particularly if that data includes Special Category Personal Data, you can see how multiple subject access requests could be very time consuming and therefore expensive.
As such, it is advisable to ensure the personal data you store is well organised and easily accessible. It is also advisable to have good policies, procedures and checklists for dealing with data protection matters.
If you need help with policies, procedures or training for dealing with subject access requests then the Data Privacy Advisory Service can help, just get in touch.