Subject access requests – top tips

A Subject Access Request (SAR) is a request for all personal data held on a specific employee.

A SAR can be a difficult and time-consuming process, especially given that there is only one month to respond.

Nevertheless, it is important to make sure that you follow the correct procedure and meet your deadlines due to possible financial penalties.

A SAR requires that you provide all necessary information relating to the individual.

This can be extensive, ranging from basic personal data such as name and address to opinions and/or information disclosed about them to others on email, even if this isn’t addressed to the individual.

While there are some exemptions, it is risky to omit and/or change any data that falls under the scope of the SAR.

What are the main risks to consider with SARS?

There are difficulties when information about a third party is present alongside the individual’s personal data.

When this is the case, all information about others who have not given express consent should be redacted or blanked out of the SAR data.

While there are some exceptions to this, the best practice is to remove any identifying and/or sensitive information relating to any third parties.

There are many risks if you fail to carry out a SAR appropriately.

Similarly, there are only very specific circumstances in which you can outright refuse a SAR.

If you intend to refuse, then you must seek legal advice beforehand.

If the ICO rule your refusal as unjust, and you fail to complete the SAR appropriately, you will be liable to face financial penalties.

How can I improve and prepare for this process?

Consider the information that you communicate.

It can be embarrassing and upsetting for parties to witness some of the evidence presented in a SAR.

SAR’s are often used as a precursor to legal action and as such email chains that include negative opinions, judgements and decisions about the individual will not be helpful to you in litigation.

One way to avoid this situation is by revising the behaviour and correspondence in the workplace.

Make sure all correspondence is professional and don’t make inappropriate comments or put anything that could come back to bite you in writing.

Create systems that can help you organise, manage, and track personal data without comprising individuals’ rights.

This could be achieved in a number of ways.

You could set up a ‘data subject access portal’ or create a folder/file-naming plan.

You could create a manual and/or checklist for how to deal with a SAR from start to end.

And you could even keep records of SARs, with regular updates to check progress on requests and ensure that you are on track to reach the one-month deadline.

Consider the individuals who are likely to receive these requests.

In many cases, the HR staff will be likely to interact with staff, and employees, in particular, will look to HR staff when making a SAR.

Therefore, ensure that these staff have the training and procedures in place to deal with these requests, and this will allow the process to run much smoother.

Finally, and most importantly, don’t put off working on the SAR.

The one-month deadline can only be extended in very specific circumstances and given the mass of information you may be likely to have on the individual, it is important that you start the process as soon as possible.

Using clear and comprehensive records and having templates in place for how to deal with a SAR will certainly help to improve the efficiency of the process too.