Your Subject Access Request questions answered
Receiving a Subject Access Request (SAR) can be quite daunting for companies. To help explain what you need to do, we have answered the five questions our clients ask us the most:
What is a SAR?
A SAR is a written request made by an individual for information an organisation holds about them. Individuals are only entitled to their own personal data; they are not entitled to any and all data belonging to the company simply because they may be interested in it.
Is there a time limit to respond to a SAR?
Yes, a company must reply promptly and in any event within 40 calendar days from the date the SAR was received.
Are there any exceptions to the 40 calendar day time limit?
A company can reply to the individual making a SAR within the 40-day time period with a request for:
- a fee of up to £10;
- information to verify the identity of the person making the request;
- information about the specifics of the search.
If a fee or more information is requested, the 40-day time period starts to run from when the company receives this further information.
What duties do we have towards the rest of our staff?
A company has a duty of privacy to its employees and any other third parties. Dealing with a SAR is a balancing act between the right to information for the person submitting the SAR, and the right to privacy of other employees and any other third parties. In practice, a company can comply with its obligations to its employees and third parties by redacting all of their personal information (name, identifying characteristics and so forth) and anything in the data itself which could identify them by inference.
What do we have to provide to the individual making the request?
There is no obligation to provide the individual with an original document in full (letter, note or email) containing their personal data. It is the information constituting the personal data contained in the document which must be supplied. If there are numerous emails, notes etc., rather than printing them all off, it may be easier to create a new Word document just setting out the information which relates to the individual. This approach may be appropriate where the documents contain lots of personal data relating to third parties and include information which is not relevant to the individual.