What is a subject access request (SAR)?
A SAR is a request from a data subject for access to the personal data that a data controller holds about them. It is often made alongside, or as a prelude to, other requests such as rectification or erasure of that data.
A SAR does not have to be in writing: it can be made in writing, by email or other electronic means, or verbally. There is no fixed limit on how many SARs an individual may make, but a controller may refuse, or charge a reasonable fee for, requests that are manifestly unfounded or excessive, including repeat requests for the same data within a short period.
A response from the data controller must take one of the following forms:
• provision of the personal data requested, together with the supplementary information (such as the purposes of processing, the recipients and the retention period);
• confirmation that no personal data about the data subject is held; or
• a refusal to provide some or all of the data, stating the exemption relied on and informing the data subject of their right to complain to the ICO and to seek a judicial remedy.
Acknowledging receipt is good practice but is not itself a response. Strictly, a SAR is only a request for access; requests for correction (rectification) and for erasure of personal data are separate data subject rights, although they are frequently made together with a SAR.

Why would you receive a SAR?
You are likely to receive a SAR from a data subject who wants to know what personal data you hold about them, often in the course of a complaint or dispute. Under the Data Protection Act 2018 and the UK GDPR (which replaced the Data Protection Act 1998), data subjects have rights to: (a) access the personal data that the data controller holds about them; (b) have inaccurate personal data corrected; and (c) in certain circumstances, have their personal data erased.
A data subject who has complained to you and remains dissatisfied, even after being shown the data in question, may make a SAR to see everything you hold about them. You must keep the data subject informed of progress on their request, and if you fail to respond properly the Information Commissioner's Office (ICO) may take enforcement action against you.

How is a SAR made?
This section describes the ways in which a SAR may reach you; it is not exhaustive. The data subject does not have to use a particular form, cite the legislation, or explain why they want the data: any request from an individual for the personal data you hold about them is a SAR. You may receive a SAR as a written request (e.g., letter or email), orally, by telephone or fax, through your website or social media channels, or by any other means.
A SAR can arrive with any member of staff, and the person who receives it is often not the person responsible for responding to it. The statutory time limit runs from the day the organisation receives the request, not from the day it reaches the right team, so pass it on promptly to whoever handles SARs (typically the data protection officer or a designated team) rather than answering it piecemeal. For example, if a student asks for the personal data held about their application for accommodation, forward the request to the data protection officer, who is responsible for coordinating the response on behalf of the university.

What happens after you receive a SAR?
Once you have received a SAR, first verify the identity of the requester if you have reasonable doubts, using means proportionate to the sensitivity of the data. If the request is genuinely unclear you may ask the data subject to clarify what information they want, but you must not use this to delay, and you must still search for all personal data that falls within the request. The ICO is not involved at this stage; it is for you, the controller, to locate the data and decide what must be supplied. Unless an exemption applies you must supply all of the personal data that falls within the request, not just the parts you choose.
If you intend to withhold all or part of the requested information, tell the data subject, identify the exemption you are relying on and explain why it applies. A common case is information that would identify another individual, which may be withheld or redacted unless that person consents or it is reasonable to disclose it without their consent. Tell the data subject of their right to complain to the ICO and to seek a judicial remedy. Note that 'legitimate interests' is a lawful basis for processing, not an exemption from the right of access.
Remember that information about a data subject's religion, health or sexual orientation is special category personal data. It is still personal data, it falls within a SAR, and it warrants particular care in how it is handled and delivered.
You must respond without undue delay and in any event within one calendar month of receiving the request (the Data Protection Act 1998 allowed 40 calendar days). Where requests are complex or numerous you may extend this by up to two further months, provided you tell the data subject within the first month and explain why. The period does not begin until you have received any identity verification or clarification you reasonably require.

What are the consequences of not complying with a SAR?
If you do not comply with a SAR, the data subject may complain to the ICO. The ICO can issue an enforcement notice (a formal notice requiring you to take specified steps to comply), and failure to comply with an enforcement notice can lead to a penalty notice imposing a fine. Serious or persistent infringements can attract substantial fines under the UK GDPR regime.
The data subject can also apply to a court for an order requiring you to comply, and may claim compensation for any material or non-material damage (including distress) caused by the failure. A complaint to the ICO and a court application are independent routes; the data subject may pursue either or both.
