Subject Access Requests give individuals the power to ask a company if they're using their personal information, and request copies of that information along with additional details.
Small business GDPR laws prioritise protecting the rights of individuals and giving everyone, including employees and clients, more control over their data. Part of this is the right to a Subject Access Request (SAR).
In this article, we'll take a closer look at SARs, focusing on the essential systems every organization, regardless of size, should have to manage Subject Access Requests and respond to them in compliance with the law.
Table of Contents
- What is a Subject Access Request?
- What should a Subject Access Request include?
- How should you handle a Subject Access Request?
- How long do you have to reply to a Subject Access Request?
- What counts as personal data for a Subject Access Request?
- When can you refuse a subject access request?
- Can you charge a fee for a Subject Access Request?
- How long should you keep data?
- What happens if you don't comply with a Subject Access Request?
- Can employees make a subject access request?
- How can Lawhive help?
What is a Subject Access Request?
A Subject Access Request is when someone asks to see the personal information a company has about them, including how it's used, who it's shared with, and where it came from. They are sometimes used by employees as part of settlement negotiations with employers in the course of employment disputes.
What should a Subject Access Request include?
Subject Access Requests don't have to be written down, nor do they need to follow a specific format.
All that's required for a valid Subject Access Request is for the individual to ask for their personal data.
That being said, if a company receives a verbal subject access request, it's best practice to ask the requester to follow up in writing so there is a record of the request and the date it was received.
How should you handle a Subject Access Request?
In the first instance, you must ensure the person making the SAR is who they claim to be. If there's any doubt, you can ask for proof of their identity, provided the request for proof is reasonable.
Once the requester's identity is confirmed, you should search all company databases, systems, and data processors where their data might be stored and collate it.
There are no rules on how to share the information (i.e. via email or letter) but it should be presented clearly, in a way the requester can understand.
Finally, you should record how you responded to the SAR, including why you provided certain information. If the requester isn't happy with your response, they might complain to the ICO, so it's important to document your decision-making process.
How long do you have to reply to a Subject Access Request?
You have one month to reply to a SAR, but you can extend it by two months with a valid reason. Lack of time or resources won't cut it, though. Confirming the requester's identity might be reasonable and justify an extension.
What counts as personal data for a Subject Access Request?
Personal data is any information relating to an identified or identifiable individual like:
- Name
- Telephone number
- Email address
- Initials
- ID number
- IP address
- Recorded opinions about them
It doesn't matter whether the information directly names the individual. If you hold data that could identify them, you must give it to them.
However, it's essential to know that while a subject access request allows access to personal data, companies don't have to give the entire document. They only need to provide the parts containing the requester's data.
When can you refuse a subject access request?
Information protected by legal professional privilege and data that could incriminate the company are exempt from disclosure in a Subject Access Request.
You can also refuse to provide information if the request is:
- Unreasonable
- Excessive
If you refuse a Subject Access Request, you should be able to explain why.
Can you charge a fee for a Subject Access Request?
If a request seems excessive or unfounded, or the requester asks for extra copies of their data, you can ask for a reasonable fee.
However, you can't charge a fee for ordinary SARs.
How long should you keep data?
There's no fixed time limit on how long you should keep data, but you shouldn't keep personal data longer than necessary.
For practicality, it's a good idea to set aside time now and then to review and delete what you don't need.
What happens if you don't comply with a Subject Access Request?
If you don't respond properly to a SAR, the person who made it can complain to the ICO and claim compensation. The ICO can also legally enforce the SAR and may take action for non-compliance.
Can employees make a subject access request?
Employees can request access to their data, and employers must respond promptly. Even if an employee has signed a settlement agreement or there are ongoing tribunal proceedings or grievances, they can still make a SAR, and employers must comply.
In May 2023, the ICO provided guidance for employers on SARs. It included examples of valid SARs and additional details on whistleblowing, witness statements, withholding information, and refusing SARs.
How can Lawhive help?
If you're a business or employer seeking guidance on SARs, our network of expert small business lawyers is here to assist you.
Contact us for detailed advice and receive a free fixed-fee quote for the services of a skilled lawyer if you require help responding to a SAR.