Hints and tips - how to deal with a subject access request

read time: 7 mins
06.11.24

Subject access requests (SARs) are becoming an increasing area of concern for many organisations, with errors in dealing with requests potentially leading to serious consequences.

The Labour Party’s recent reprimand by the Information Commissioner’s Office (ICO) for not dealing with SARs within the required timescales, and fines imposed on trusts and councils for delays, highlight the ramifications of non-compliance. Additionally, the recent decision in Harrison v Cameron has added complexity around the treatment of third-party personal data, making it even more crucial for data controllers to manage SARs correctly.

In addition to errors relating to the timescales for responses, we also see mistakes occurring during the scoping, search, and review stages of SARs, often leading to complaints from data subjects. However, by taking proactive steps to agree the scope of requests early in the process, the risk of complaints can be minimised.

Ultimately if an organisation can demonstrate that the required timescales have been met and that all relevant data has been provided, following a reasonable search, the ICO considers that an organisation has complied with its obligations. In such cases, it will be incumbent on the data subject to pursue their rights through the courts.

SARs can also vary greatly in scale, ranging from requests involving fewer than 100 documents to complex cases with over 100,000 documents being identified from initial searches. Handling these effectively requires both careful preparation and a structured approach.

To minimise the risk, and consequences of mistakes, data controllers should establish and follow a robust process for receiving, processing, and responding to SARs. Below we set out some practical steps to minimise risks when dealing with SARs.

Receipt of a request

It is crucial that you have established processes for managing SARs. Upon receipt of a SAR, you should:

  1. Identify and direct SARs promptly – you should have a robust system in place to identify SARs and direct them to the correct person and/or team to deal with them. This will usually be the data protection officer (DPO) or a dedicated data protection team. However, since SARs can be submitted to any part of a company, all staff should be trained to recognise and forward them immediately, even if a dedicated SAR mailbox is used. SARs sent to individual staff members are still valid and must be processed promptly to avoid delays. A good case in point is the Labour Party, which had a dedicated ‘privacy inbox’ in place, but this was not monitored correctly and many of the SARs sent to it were not responded to within the required timeframes, resulting in the reprimand. It is therefore essential to ensure that a dedicated member of staff regularly monitors any dedicated mailboxes you use.

  2. Review the scope and assess for extensions – upon receiving a SAR, you should promptly review the scope and determine whether an extension may be required. The UK GDPR allows a standard one-month response period, with a possible two-month extension if the request is complex. If an extension is required, you must notify the data subject as soon as possible, and should not wait until the last day of the initial one-month period.

  3. Seek clarification or narrow the scope when possible – if the scope of the SAR is overly broad, you can reach out to the data subject for clarification (which pauses the time to respond to the SAR until a reply to the request is received). Narrowing the scope can reduce processing time and costs, especially where you suspect that the data subject is interested in a particular document or category of documents. Although requests to limit scope are often rejected, it can be worthwhile, particularly if it means completing the response within one month rather than requiring the full three-month period. A focused scope enables a faster, more efficient response and may prevent unnecessary data processing.

Search

The review stage, which follows the search stage, is often the most costly part of SAR processing, so reducing, where possible, the scope of data collected at the search stage is crucial.

You should carefully consider which data custodians to include in the search process. Even if a request specifies certain custodians, you should still consider whether additional custodians might hold relevant data and include them if necessary.

Avoid an overly broad search if some listed custodians hold no unique data, as this can waste resources. Identify all relevant custodians at the outset and use precise keywords to capture only the data subject’s personal information. A strategic approach at the outset saves time and reduces costs.

Review

The review stage is often the most lengthy and costly stage of dealing with a SAR. When reviewing documentation in response to a SAR, following these steps can help filter out irrelevant data and apply exemptions consistently:

  1. Summarise non-personal data – you should exclude irrelevant information, such as routine business emails or internal updates, that contains only work contact details. You can summarise this information in the SAR response rather than including the documents.

  2. Apply key exemptions – there are a large number of exempted categories of data. The most commonly applied exemptions are:
    • Legal privilege: this applies to communications protected by both litigation privilege and legal advice privilege, such as lawyer-client interactions.
    • Negotiations with data subject: this applies to personal data that includes a record of your intentions in negotiations with the data subject. This is often relevant when a SAR is made whilst there is an ongoing dispute.
    • Third-Party Data (‘Rights of others’ exemption): although not a formal exemption, personal data containing a third party’s data may be excluded if disclosing it would pose a risk of harm to that third party or otherwise prejudice their data rights.
  3. Handle third-party data carefully – the approach to third-party data is a complex and developing area of law. The recent case of Harrison v Cameron (which we have written about in further detail here) has sought to clarify how organisations should approach third-party data. Firstly, SAR responses must identify “recipients” of the data subject’s personal data; following Harrison v Cameron, this includes both internal and external recipients. In addition, when disclosing third-party personal data, you should consider whether it is appropriate to seek consent from the third parties (if practical), but you will need to assess whether consent can be freely given, especially in workplace contexts. Where the third party does not consent, or seeking consent would not be possible, you will need to consider whether it is reasonable to disclose their data without it.

    As demonstrated in the Harrison v Cameron case, in reaching a decision as to whether it is reasonable to disclose third-party personal data without consent, it is incumbent on a data controller to undertake a balancing exercise, weighing the rights of the requester against those of the relevant third parties. In making this assessment, as per paragraph 16(3) of Schedule 2 to the Data Protection Act 2018, the controller must have regard to "all the relevant circumstances", including several mandatory considerations, such as: the type of information to be disclosed, any duty of confidentiality owed to the third party, and any steps taken by the controller to obtain consent.

    In Harrison v Cameron, it was held that data controllers have a wide margin of discretion when undertaking this assessment of reasonableness. As there is such a wide margin of discretion, this is often the issue which requires the most analysis, and can potentially lead to inconsistency during the review process.

  4. Use technology for large data volumes – for extensive SARs involving large volumes of data or documents, we would recommend using a disclosure platform. Dedicated software can simplify the process, helping with search, filtering, and data management. It will also help with applying automated or batch redactions to any third-party data that is being excluded.

Conclusion

Managing SARs effectively requires a structured approach to ensure compliance and to minimise the risks. From promptly identifying and forwarding requests, to narrowing data collection and addressing complex issues like third-party data, each step is crucial.

Errors such as missed deadlines or incorrectly excluding third-party information can lead to complaints, fines, and reputational damage. Organisations should therefore ensure ongoing training for staff, establish clear review processes, and utilise technology to handle large volumes of data efficiently. A well-planned SAR process ensures legal compliance, reduces costs, and establishes trust with data subjects, ultimately safeguarding the company from potential regulatory penalties.

If you have any questions about how to respond to a SAR, please get in contact with our privacy and data team.
