Telephone +44(0)1524 64544

Data Protection - Subject Access Requests 04

Responding to the Request

Mon Feb 15 15:45:01 2021

SAR on key on a keyboard

Recently (October 2020) there was new guidance, which dictates their ruling, issued by the Information Commissioner's Office regarding Subject Access Requests. In this series of blogs I will be taking a look at what this means for individuals rights and businesses' responsibilities.

How Do I Supply Data?

Information requests are usually provided in an electronic file. As detailed in the UKGDPR this should be a common, easy to read format. You must supply their personal data and any other supplementary information. This information should match what you provide in a privacy notice.

The individual may ask for the data to be supplied in another format and you should respond to any reasonable request. This may take the form of a speciofic file format, written, remote file download or a verbal response. You should ensure that you correctly identify the individual and make a record of the dates the request was made and of any responses given.

You must take all reasonable steps to ensure the data is delivered securely and to the correct individual.

Can we refuse a request?

There are a few circumstances in which you can refuse a SAR. If it is part of a legal exemption, if it is unfounded or excessive. Note that in judging a request to be unfounded or excessive the ICO considers that it must be 'manifestly' so. Further guidance can be found on the ICO's website

If there is an exemption you may refuse to provide all, or some, of the requested information. Ensure that you follow a privacy notice and supply good reason to the requestor. You must also inform them of their right to complain to the ICO or to seek restitution through appropriate legal challenges.

What do we do if data about other individuals is part of the request?

Always attempt to respond to the request without disclosing the details of any other individual. If this is not possible consider how you might respond without disclosing information. The only exception is when the other individuals involved give their consent for the information to be shared. You must respond to the request and give reasons for your actions. Always keep a dated record.

Can we be forced to comply?

If you fail to take action on a SAR the ICO can decide to force you to comply. In extreme cases a court case may be taken whereby you can be legally challenged and forced to comply with a SAR. The best advice is to avoid such a situation from occurring by attempting to be responsive and helpful to any SAR.

Can an individual be forced to make a SAR?

It is a criminal offence to force an individual to make a SAR or to force them to give personal details about themselves that are held by others.

For detailed guidance on SAR visit the ICO website. There are detailed guides on: how to supply information. There is also a detailed guide to a request involving other persons. If you need more information on refusing a request study the detailed guide.

[Don't forget that you can join in this conversation by tweeting at @shadowcat_mdk].