Subject Access Request – Do You Know Your Responsibilities?

Understanding where your organisation stands when it comes to a subject access request is vital.  Businesses must respond to a request within a month of the request, failure to do so can mean involvement from the Information Commissioners Office (ICO) or in extreme circumstances, legal action is taken.

What is a Subject Access Request

A subject access request (SAR), also known as the right of access, gives individuals the right to obtain a copy of all the personal data your organisation holds on them.  This can be from anyone your organisation holds data on including clients and employees. This personal data may include various identifiers, such as:

• Name
• Identification numbers
• Location data
• Online identifiers

However, it is important to note that personal data includes all the information you hold on that individual, not just the identifiers which single them out.

Subject Access Request Overview

There are a variety of reasons an individual can ask for a subject access request, whether it's to understand how and why their data is being used - and check it's being used lawfully, through to whether a decision about a job position has been given fairly.

Below is an overview of the entire process:

• Individuals have the right to access and receive a copy of their personal data, and other supplementary information.  This is commonly referred to as a subject access request or ‘SAR’
• Individuals can make SARs verbally or in writing, including via social media
• A third party can also make a SAR on behalf of another person
• In most circumstances, organisations cannot charge a fee to deal with a request
• Businesses should respond without delay and within one month of receipt of the request
• The time limit may be extended by a further two months if the request is complex or if repeated requests are received from the individual
• Organisations should perform a reasonable search for the requested information
• The information provided should be in an accessible, concise and intelligible format
• The information should be disclosed securely
• Information can only be refused if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.
  

A subject access request can be made verbally, in writing or via social media, and a business has one month to deal with the request.  The request can be made to any employee, therefore it is a good idea to ensure that your business has a documented process for managing SARs.  It's also important that all staff, especially those who are client facing or with HR responsibilities, are trained on the process.

Individuals have the right to obtain information such as:

• Confirmation that your business is processing their personal data
• A copy of their personal data
• Why their data is being processed
• The retention period for storing their information
• Information on the source of the data
• The safeguards provided if you transfer their personal data outside of the UK.

In effect this means that you need to supply a copy of their personal data, together with copies of the applicable privacy notices which describe the processing.

Subject Access Requests and Document Management

Documentation may account for a large portion of the information you hold on an individual, whether that be their CV, contract, training records or disciplinary meeting notes.

How easily would your business cope with a request for all this information?  Would you need to search across your server, other software, paper files or even desks?

Document management software keeps confidential information in a secure, central location.  A simple text search for the name of the individual making the access request can be carried out with results brought back in seconds.  These documents can then be downloaded by a user with download rights, and presented to the individual who made the request.

Document management software also puts retention rules in place to comply with UK GDPR and other legal requirements.  An individual may also want to know how long your business is legally allowed to keep their data and with retention rules applied, this can be easily provided.

Access can be restricted to authorised users and the system can provide a full audit trail of who has accessed what document when, as well as any changes that have been made.

SAR Processing - 10 Advantages of having Document Management Software:

There are a variety of advantages to having a document management system in place when managing a subject access request.  The tools that are part and parcel of the software offer a number of benefits:

1. Data retrieval and search capabilities are simplified, making it quick and easy to collate the required information.
2. Centralised data storage means there is only one location to find information.
3. Version control provides a clear version history whilst only allowing the current version of a document to be edited.
4. Access control and security protocols are enforced restricting users from editing, viewing or downloading documents, dependent on their role within the organisation.
5. Audit trails and logging features mean edits, changes or downloads are clearly tracked.
6. Automation and workflow tools enable the process behind obtaining the required information is clearly shown, with tasks in place and defined timelines to prove compliance has been adhered to
7. Redaction and Anonymisation allows documents to be sent out with data anonymised if required.
8. Reporting and compliance features ensure you're ready to go should a request come in, along with the confidence that information cannot be missed.
9. Time and cost efficiency are greatly improved with a system that takes care of data searches, meaning time and money aren't wasted looking through archives or storage facilities.
10. Integration with other systems means any data held on an individual in third-party applications such as employee management software or finance packages can also be easily found.

While DocTech can support your organisation with secure document management and efficient data handling, there are still three important responsibilities you need to remember:

1. Avoid inappropriate disclosure of personal information - have policies in place and train your staff
2. Respond to information access requests on time
3. Implement a data protection by design and default approach - which means there are appropriate technical and organisational measures in place to provide effective data protection principles and safeguard individual rights.

You can find the full guidance on handling subject access requests on the ICO's website.

Seek Independent Advice

You might also want to consider an independent GDPR consultant to engage with your business and give you advice on all aspects of GDPR.

Paul Strout, MD of GDPR Assist UK Ltd also points out that:

“There is usually something which has prompted the SAR, such as a customer service failure, so make sure that you also own and address that issue as well.  It is also worth pointing out that there may well be a difference between what the individual believes they are entitled to and what you are actually obligated to provide – so if in any doubt seek professional advice”.

Get in touch with us to discuss any subject access requests, data security or document management requirements you may have.