What is a subject access request?
If you’re running a small business, group or charity, you’ve probably got information about people stored as contacts on your phone or computer, or in notes or other documents.
By law, people can ask you for a copy of any information that’s to do with them. It might be saved on your system, but if it’s about them, it’s their personal data, and they have a right to see it. If they ask you for a copy of it, by phone, in person, or in writing, they have made a ‘subject access request’ (SAR), and you need to take action.
Step one: Choose a data protection lead
If you haven’t already chosen a staff member (or volunteer) to lead on data protection, do this as soon as possible. If you’re a one-person band, then it’s your responsibility. If you’re a processor, you should have a contract in place with the controller which sets out how you handle data protection compliance. This should include how you handle SARs together.
Step two: Know who you’re dealing with
If you’re not sure the requester is who they say they are, you must check this quickly. You shouldn’t ask for formal ID unless it’s necessary and proportionate. Instead, you could ask questions that only they would know, about reference numbers or appointment details for example. Or you can ask for ID that you can actually verify. There’s little point insisting on photo ID if you don’t know what the requester looks like – it should be proportionate.
Step three: Check the request is valid
If the SAR is made by someone other than the person the data is about (such as a friend, relative or solicitor), check they’re allowed to have it. You’ll need to see that they have written authority to act on behalf of the person concerned, or a document showing general power of attorney.
Top tip: In most cases, children over 12 are capable of making their own SARs. If you’re asked for personal data about a 12-year-old by their parent or carer, you should usually get permission from the child first. Contact us if you’re not sure.
Step four: Set yourself some reminders
You’ve got one calendar month to get what you need together and send it to the relevant person. If you need to check their ID or ask for other information, you can wait until they reply before starting the clock on your one month time limit. But you should ask for any additional information you need as soon as possible.
There are three important things to know about the one calendar month timeframe:
- It doesn’t matter if the day you receive the request isn’t a working day. For example, if you receive a request on Saturday 7 March, you should respond by Tuesday 7 April.
- If the SAR’s due date falls on a weekend or a public holiday, you have until the next working day to respond. For example, if you receive a request on 25 November, you should respond by 27 December.
- You can’t add extra days when the calendar month is shorter. For example, if you receive a request on the 31 January, you should respond by the 28 February.
Top tip: You could set reminders to complete your SAR within 28 days. That way you’ll always be on time, regardless of the month.
If it’s a very complex request, or if the requester has made a lot of requests, you can take an extra two calendar months to respond. But you must let the requester know there will be a delay before the end of the first calendar month.
Step five: Check you’re on the same page about what they’ve asked to see
If you’ve got the request in writing, read it carefully. It would be easy to assume they’re asking for everything you’ve got, when in fact they’ve only asked for data relating to one particular thing. They might even be able to give you advice on how to find it. It’s okay to ask them. It could save you both some time.
Step six: Search for the relevant information
Use the search functions on your smartphone, computer (including archived files), and email folders to find information relating to the person, just as you’d normally do when looking for a particular file. You might need to think creatively about all the places where this information might be held. Depending on how you run your business, you might need to check external hard-drives, tablets, portable memory sticks, call recordings, social media posts and CCTV files, too. Keep looking until you’re satisfied there’s nowhere else to look.
Step seven: Check what you need to redact
Before you consider giving the requester their information, look through it carefully to make sure it really is their information.
For example, if you have an email that mentions a number of different people, you should ‘redact’ (black out) any information which doesn’t relate to the person making the SAR. This is important, because most of the time you should avoid disclosing information about other people. Another way of doing this is to copy and paste sections relevant to the SAR into a separate document and send them that instead.
Top tip: If you’re using a computer to redact information, make sure you get advice on how to save it as a new file. Otherwise there’s a risk that someone could delete your blacked-out sections and read the text underneath.
Step eight: Consider the impact of releasing data about other people
Most of the time, you should avoid disclosing information about other people in a SAR. But there may be occasions when the personal data you have pulled together includes information that is closely linked to someone else. In those situations, your aim should still be to release the personal data requested. But you also need to take into account that in doing so you may disclose data about someone else and, at the same time, consider the impact of that.
For example, Samira is an employee who has made a SAR for her personnel file. In her file is a complaint a colleague, Tom, made about Samira. Although the information in the complaint is about Samira, if you release it to her, it might identify Tom. You need to weigh up Samira’s right to her personal data, against giving out information about Tom without good reason.
There are three options here:
- If Samira knows all about the complaint, what was said and who said it; you could give her the information as it is, without redacting Tom’s details.
- If Samira doesn’t know about the complaint and wouldn’t guess that it came from Tom, you could supply the details of the complaint, but redact Tom’s name or any other identifying information.
- If Samira doesn’t know about the complaint but would guess that it came from Tom, whether his details were redacted or not; you may need to consider whether it’s necessary to get Tom’s consent.
It’s a balancing act between making sure Samira is given the data she’s entitled to, and not disclosing Tom’s details if you don’t have to.
If you think releasing the information to Samira may mean that there would be a negative impact on Tom, then you could consider withholding this piece of information altogether. If you do this, you should make a note of why you withheld it.
When responding to a SAR in these situations there can be lots to consider, but you can always contact us if you need help deciding what to do.
Step nine: Prepare your reply
If you got the SAR by email, you should reply by email, unless the requester has said otherwise. Check with them what format they’d like it sent in and give it a final check with steps seven and eight in mind.
Step ten: Send your reply securely and keep a record of what you’ve sent
As well as the requester’s personal data, you need to send your privacy information. They have a right to know why you hold their data, how you got it, how long you’re planning on keeping it, who you share it with, and how they can ask for it to be changed (such as updating their address) or deleted. Make sure you keep dated records of the information you send as you may need to refer to it again, for example if they’re unhappy with your response or make another request soon after.
- FAQs: Right of access/subject access requests and other rights
- Can I charge a fee for a subject access request?
- How long should I store data?
- Guidance on the right of access (for data protection officers and larger organisations)
- What should we do when we’ve received a subject access request for some CCTV footage?
We have updated step two of our guidance to clarify whether to ask for formal ID.