Subject Access Request
A Comprehensive Guide for Employers: Handling Subject Access Requests (SARs)
1. Understanding Subject Access Requests (SARs)
A Subject Access Request (SAR) is a request made by an individual to an organisation, asking for access to personal data that the organisation holds about them. Under the General Data Protection Regulation (GDPR), employees and other individuals have the right to know what personal data is being processed, why it is being processed, and who it is shared with. Employers must be prepared to respond to these requests efficiently and within the legal time frame to ensure compliance and maintain trust with their workforce.
2. Receiving a Subject Access Request
SARs can be made verbally or in writing, including via email, social media or other electronic communication, and the request does not need to mention GDPR or use the words "subject access request" to be valid. Employers may offer a form for convenience but cannot insist on a particular form or format, nor can they charge a fee for processing a request, except where the request is manifestly unfounded or excessive (in which case a reasonable fee may be charged or the request refused, with reasons given) or where the individual asks for further copies of data already supplied. It is crucial for employers to establish a clear internal process for recognising and handling SARs, ensuring that all staff are aware of these procedures and can direct requests to the appropriate department, usually HR or a dedicated data protection officer.
3. Verifying the Request
Once a SAR is received, the employer should verify the identity of the requester where there is genuine doubt, so that personal data is not disclosed to the wrong person. Any identity check should be reasonable and proportionate: a request from a current employee sent from their work account rarely needs further proof, whereas a request from a former employee, an unknown individual or a third party acting on someone's behalf (such as a solicitor) may warrant proof of identity or authority, for example a passport or driving licence or a signed letter of authority. The verification process must be handled promptly; while the statutory clock does not start until the information needed to confirm identity has been received, an employer cannot use identity checks as a way to delay a response.
4. Gathering the Data
Employers must identify and collect all personal data related to the individual making the request. This includes data stored in various formats, such as electronic files, emails, printed documents, and any data held in manual filing systems. The data should cover information such as employment records, payroll data, performance reviews, and any correspondence that involves or refers to the individual. It is important to review the data thoroughly to ensure it is relevant to the request and to remove or redact any third-party information that should not be disclosed.
5. Responding to the Request & Subject Access Request Time Limit
Under GDPR, employers must respond to a SAR without undue delay and at the latest within one month of receiving the request. This period can be extended by up to a further two months where the request is complex or the individual has made a number of requests, but the requester must be told of the extension, and the reasons for it, within the original one month. The response should be provided in a concise, intelligible and easily accessible form, and where the request was made electronically the data should normally be supplied in a commonly used electronic format. The response should include:
- A copy of the personal data held.
- Information on the purposes of processing.
- Categories of personal data concerned.
- Recipients or categories of recipients to whom the data has been or will be disclosed.
- The period for which the data will be stored or the criteria used to determine that period.
- Information on the rights of the data subject, including the right to request rectification or erasure of data, restriction of processing, or to object to processing.
- Information on the right to lodge a complaint with a supervisory authority.
- Information on the source of the data, if it was not collected from the data subject.
- Information on any automated decision-making, including profiling, and the significance and consequences of such processing.
6. Managing Exemptions and Redactions
Certain data may be exempt from disclosure under GDPR and the Data Protection Act 2018, such as information that would reveal the personal data of another individual who has not consented and whose identity cannot reasonably be withheld by redaction, data subject to legal professional privilege, confidential references given for employment purposes, and information relating to management forecasting or negotiations with the employee where disclosure would prejudice the employer's position. Exemptions apply only to the specific information they cover, not to the whole request, so the remaining data must still be provided. Employers must carefully consider these exemptions and ensure that any redactions are justified, documented and, unless doing so would itself undermine the exemption, explained to the requester. It is advisable to seek legal counsel when dealing with complex cases or potential exemptions to avoid non-compliance.
7. Record-Keeping and Documentation
Employers should maintain records of SARs, including the details of the request, the data provided, any communications with the requester, and the justification for any redactions or exemptions applied. This documentation serves as evidence of compliance and can be crucial in the event of a dispute or investigation by the Information Commissioner’s Office (ICO).
8. Training and Awareness
Finally, employers must provide regular training to employees on data protection principles, including how to recognise and handle SARs. A well-informed workforce is essential for ensuring compliance and protecting the organisation from potential breaches of data protection laws.
By following these guidelines, employers can effectively manage Subject Access Requests, uphold the rights of individuals, and demonstrate a commitment to data protection and transparency.