What steps does my organisation need to take to respond to a data subject access request (SAR)?

The UK GDPR requires organisations to make “reasonable efforts” to locate personal data requested by an individual in a data subject access request (SAR). The Information Commissioner’s Office (ICO) has explained that when determining what constitutes “reasonable efforts”, the following may be taken into account:

  • Circumstances of the application.
  • Any difficulties in finding information.
  • The fundamental nature of the right of access.

Organisations do not have to conduct searches that are “unreasonable” or “disproportionate” to the importance of providing an individual with access to the information requested. However, the responsibility rests with the organisation to demonstrate that it has made reasonable efforts to locate an individual’s personal data and that any further efforts would be unreasonable or disproportionate. To be prepared for any future dispute about whether “reasonable efforts” were made, organisations should document their search criteria and the reasons for choosing them.

Assuming a worst-case scenario, in which your organisation receives a data subject access request (SAR) asking for “all the personal information you have about me”, you will likely need to look for that person’s personal data in at least the following places:

  1. Your organisation’s IT system – personal data may be stored in emails (including deleted folders if still available), Word documents, PDF documents, Excel spreadsheets, online records, automated access control systems (such as magnetic cards), databases, etc.
  2. Telephones – personal information may be stored in text messages, messaging applications such as WhatsApp, recordings or telephone call logs.
    • If your organisation allows employees to store work/business related personal data (such as HR information or customer personal data) on their personal devices (this includes computers, laptops and mobile phones, as well as any messaging apps which also fall under scope) then this will potentially need to be reviewed. This can be problematic if employees are reluctant to share their personal devices, so it is important to have a policy covering the use of personal devices at work or for work.
  3. Surveillance footage (if applicable).
  4. Manual records, if kept in an orderly and structured manner (for example, paper employee files stored alphabetically in filing cabinets). As the number of employees working remotely increases, this may include personal data held at your organisation’s premises as well as in employees’ homes.

If personal data is held on your organisation’s behalf by an external data processor, such as an external payroll company, then that data will also potentially be within the scope of the search.

In terms of search criteria, an individual may ask you to conduct searches using specific search terms. The organisation is not required to do so; it is up to the organisation to determine what a “reasonable” search is. However, the organisation should attempt to search using the individual’s name in its reasonable formats and any other identifiers (such as an employee number or nickname). Problems may arise where the requester shares a name or surname with other individuals in the organisation, or has a common surname such as “Smith”. In such circumstances, unrestricted searches can generate a huge amount of personal data that has nothing to do with the requester, and may be considered “unreasonable” or “disproportionate” to the importance of providing the individual with access to the information requested. Faced with such a situation, the organisation will need to determine which search criteria are most likely to generate information about the requester, and record that decision.

Even if some of the searches you might make would be unreasonable or disproportionate, there may still be information that is easier to search for, such as HR records. Organisations may also consider asking the person to clarify their request to help locate the information they want.
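As an added illustration (not part of the original article), the following Python sketch builds the kind of documented search described above: the requester’s name in several reasonable formats plus known identifiers, a log of hits per criterion to support the organisation’s record of why those criteria were used, and a measure of how far a bare common-surname search would over-collect. The records, names and identifiers are constructed sample data.

```python
import re
from datetime import date

# Constructed sample records (not from the original article); each pair is a
# data source and a snippet of text found in it, e.g. an email subject line.
RECORDS = [
    ("mailbox/hr", "Re: John Smith annual leave request"),
    ("mailbox/sales", "Smith, J - contract renewal for client"),
    ("hr-db", "Employee 10423 (J. Smith) appraisal 2023"),
    ("mailbox/it", "Ticket from Sarah Smith: laptop replacement"),
    ("shared-drive", "Invoice approvals - Jonny S"),
    ("access-control", "Magnetic card issued to 10423"),
]

def name_variants(first, last):
    """Reasonable formats of the requester's name: full, surname-first, initials."""
    return [f"{first} {last}", f"{last}, {first}", f"{first[0]}. {last}", f"{last}, {first[0]}"]

def search(records, terms):
    """Case-insensitive substring search; returns {term: [matching record indices]}."""
    out = {}
    for term in terms:
        pat = re.compile(re.escape(term), re.IGNORECASE)
        out[term] = [i for i, (_, text) in enumerate(records) if pat.search(text)]
    return out

def search_log(records, first, last, identifiers=(), reason=""):
    """Run the search and return a record of the criteria used, the reason for
    choosing them and the results, so the decision can be evidenced later."""
    terms = name_variants(first, last) + list(identifiers)
    hits = search(records, terms)
    matched = sorted({i for idx in hits.values() for i in idx})
    # Measure (but do not use) a bare-surname search, which for a common
    # surname pulls in unrelated people such as "Sarah Smith" above.
    bare_hits = search(records, [last])[last]
    return {
        "date": date.today().isoformat(),
        "criteria": terms,
        "reason": reason,
        "hits_per_term": {t: len(v) for t, v in hits.items()},
        "matched_sources": [records[i][0] for i in matched],
        "bare_surname_hits": len(bare_hits),
        "bare_surname_used": False,
    }

if __name__ == "__main__":
    print(search_log(RECORDS, "John", "Smith", ("10423", "Jonny"),
                     "requester's employee number and known nickname"))
```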

Another issue that may arise is where routine use of personal data results in it being changed or deleted while a SAR is being processed. The ICO guidance states: “We believe that a SAR relates to the information you had at the time of the request. However, in many cases, routine use of data may result in it being changed or even deleted while the request is being processed. It is therefore reasonable for you to provide the information you have when responding to a request, even if it is different to the information you had at the time of the request.” Organisations and their employees must not change or delete personal data after receiving a subject access request if they would not otherwise have done so: doing so with the intention of preventing disclosure of the personal data is a criminal offence.

Finally, it should be noted that compliance with two fundamental principles of data protection law should facilitate the process of dealing with a request for access to personal data:

  1. Your organisation should only collect necessary personal data – collecting too much data simply means that more data will need to be searched and reviewed as part of the SAR investigation.
  2. Your organisation should only keep personal data for as long as necessary – keeping data that is no longer needed (including backups and archives) also means there may be more data to process.

Our Data Protection team has many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team, you can contact us here or call us on 0800 2800 421.

If you did not receive this article directly but would like to receive articles and data protection news from Trethowans, please email us.