How to deal with a subject access request

We've recently seen an increase in the number of requests we're getting from advice firms on how to deal with subject access requests (SARs).

Graeme Stewart

27 January 2021

So how should you go about dealing with a request when you receive one, and just what are your firm’s obligations?

First things first, what is an SAR?

An SAR is a request from an individual to obtain a copy of their personal data and other supplementary information from you. This right of access is a fundamental right for individuals.

Briefly:

  • Individuals can make SARs verbally or in writing, including via social media
  • A third party can make an SAR on behalf of another person
  • You cannot generally charge a fee to deal with a request
  • Responses should be sent without delay and within one month of receiving the request
  • The time limit can be extended by a further two months if the request is complex, or if you receive a number of requests from the individual
  • You should perform a reasonable search for the requested information
  • You should provide the information in an accessible, concise and intelligible format
  • The information should be disclosed securely
  • You must provide the information unless an exemption or restriction applies, or if the request is ‘manifestly unfounded’ or ‘excessive’

(For more information on unfounded and excessive requests, the Information Commissioner's Office has put together this useful article: When can we refuse to comply with a request?)

What's expected of firms

The Information Commissioner's Office (ICO) expects firms to be prepared and to take a proactive approach so they can respond to requests in an effective and timely manner.

This means all staff in a client-facing role should be able to respond to an SAR when one is made. The ICO says that doing so will help firms to:

  • comply with legal obligations under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 and show how they have done so
  • streamline their processes for dealing with SARs, saving both time and effort
  • increase levels of trust and confidence in their organisation by being open with individuals about the personal data held about them
  • enable customers, employees and others to verify that the information the firm holds about them is accurate, and to tell them if it's not
  • improve confidence in their information handling practices; and
  • increase the transparency of what they do with individuals’ data.

If firms do want to take a proactive approach and get to a stage where they're ready to deal with an SAR, it may be worth role-playing a scenario where a client has made a request and testing your approach to dealing with this.

Some firms may also choose to appoint an SAR 'tzar' or 'champion', so that any client queries from any source may be channelled and dealt with efficiently.

The ICO has recently published detailed SARs guidance to help firms meet their legal requirements, and the guide offers comprehensive support as well as answers to common questions. 

Overall, the key things to consider when dealing with a request are:

  • Verify the identity and/or the permission or authority provided by the person making the request
  • Agree how the firm is going to present the data for a client; this could be sent securely via the post or online
  • Does the client have any special requirements, for example, providing the data in larger print, braille or through an audio format?
  • How long might the firm need to collect the data, and how easy is this to obtain?

Firms who have trained staff to recognise an SAR, and who have tested their response to such a request, will be in a better position to deal with a request when one is made.

Not only will this meet with ICO expectations, but it makes sense from a business perspective as well.