It's vital to have a clear action plan for processing SARs
Since the introduction of the GDPR in May 2018, individuals have become much more aware of their rights of access to their personal data. It is therefore extremely important that you have a clear action plan in place to process subject access requests (SARs) within the short statutory timescale to avoid fines or censure.
The requirements
Article 15 of the GDPR sets out the legislative ‘Right of Access by the Data Subject’ as follows:
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
Art 15.3: the Controller shall provide a copy of the personal data undergoing processing.
See also the ICO guidance on subject access requests.
Can you extend the statutory time period for response?
Only if the request appears complex, or the data subject has made several requests. If so, you can extend the time for response to two months but you must notify the data subject if you intend to do this and be able to justify doing so (you may
have to explain this if the data subject complains to the ICO). As a rule you will need to reply to the vast majority of requests within one month.
What are data subjects entitled to?
Data subjects are entitled to obtain the following from you:
Personal data (as defined in the GDPR) will typically include name, address, telephone number, email address, and any other data which will be determined by the type of services you provide (e.g. national insurance numbers etc). You may also be processing special category data like criminal records and convictions data.
The ICO's guidance helps businesses determine what personal data they hold.
Do you have to send a full copy of everything on the file?
No, provided a copy of the personal data does not mean that you have to copy the entire file – just the actual personal data.
Remind employees to take care
It is really important to remind your employees that anything they record in writing, including in email or file may potentially be disclosable under a SAR. The general rule should be that you should not write down anything you would not want an individual to see.
What if the data includes information on other individuals?
The DPA 2018 says that you do not have to comply with the request if it would mean
disclosing information about another individual who can be identified from that information, except if:
In determining whether it is reasonable to disclose the information and what should be withheld (e.g. redacted), you must take into account all of the relevant circumstances, including:
If the other individual consents to the information being released then it would be unreasonable not to do so.
Can you refuse a request?
Yes, but only in very limited circumstances you must be able to show justification for doing so. You can refuse to comply with a request if it is ‘manifestly unfounded or excessive’, taking into account whether the request is repetitive in nature. In such cases you can request a ‘reasonable fee’, to be paid before dealing with the request (based on the cost of processing the request); or refuse to deal with the request. If
you intend to charge a fee you should notify the individual promptly.
Exemptions
The DPA 2018 contains a number of exemptions to the obligation to disclose, arguably the most relevant is where a duty of confidentiality is owed to clients. Other notable exemptions include references given in confidence, personal data processed
for the purposes of management forecasting or planning and negotiations between employer and employee.
See further information on exemptions.
What should you do when you refuse to comply with a request?
Inform the individual without undue delay and within one month of receipt of the request. Confirm your position and advise them of:
You should also provide this information if you request a reasonable fee or need additional information to identify the individual.
What if the client is deceased?
Data relating to deceased individuals is not personal data and is not subject to the requirements of the GDPR. You may, however, receive requests for information from others (such as relatives or executors of an estate). You will need to verify the identity of the individual requesting the data and the basis of the request before releasing information.
What form of response?
If requested electronically then you can respond electronically unless a specific format has been requested by the data subject. Be mindful of security – send information encrypted/password protected wherever possible – anything being sent by post should be sent by traceable delivery method.
The response
Your final response in whichever format must contain the following:
What if the data subject complains to the ICO regarding a SAR?
There may be occasions where an individual complains to the ICO, so you should always be ready to justify any decisions made. If an individual complains, you will receive an email from an ICO caseworker detailing the complaint and asking you to comment. Typically you will be given 14 days to respond. Your response should include:
Top tips
If you have any questions, please contact Roselin Ali or Catherine Davis at Lockton Companies on 0117 9065057 or ACCAaccountants@uk.lockton.com.