Subject access request self serve
1. What is your question about?
Responding to a request (format, templates or how to send a response)
2. What is your question?
What format should I provide the information in?
The following information might help answer your question
As the controller of the information, you are responsible for taking all reasonable steps to ensure its security. Whilst there are many different ways to send the requested information to the individual, there are some basic steps that you can take to help you with this.
On an organisational level, you should try and safeguard against human error, for example:
- ensure that you have proper systems in place to record SARs;
- ensure that those responsible for responding to a request are properly trained; and
- have a system or procedure in place to check email or postal addresses before responding to a request.
For more on this see the ‘How should we prepare?’ section.
The method you use to provide the information to the individual will, in part, be guided by any request they have made about the format in which they would like to receive it (see ‘In what format should we provide the information?’).
If you have any concerns over the method that the individual has requested you use to send their information, you should contact them, explain your concerns and ask for an alternative address or method of providing the information.
If this is not possible, but you are seeking to provide the information electronically, you may wish to consider providing it in an encrypted form, followed up by sending the passphrase to the individual separately (eg via email). This depends on the nature and sensitivity of the information (in particular if it is special category or criminal offence data).
If the individual asks you to provide the information in hard copy, in many circumstances the postal service is a secure method of sending the information. However, depending on the nature and sensitivity of the information, you may need to consider sending it by special delivery or via a courier service.
Providing remote access to a secure system can be one method to ensure you provide the information securely. You should, however, note that you need to apply appropriate technical measures to this system so that both it and any information it holds are secure. A good baseline may be the security measures you already apply to your existing systems. (See ‘Do we need to provide remote access?’.)
Please see our guidance on security for more information on the security requirements of the UK GDPR, as well as our guidance on encryption for more details about how you can implement encryption effectively.