![Subject Access Requests](https://www.law365.co/hubfs/Subject%20Data%20Requests.png)
February 10, 2025
Subject Access Requests (“SARs”), also referred to as data access requests or data subject access requests, give individuals the right under data protection law to obtain a copy of the personal data an organisation holds about them, together with information about how that data is processed.
SARs help individuals understand how and why their data is being processed and verify whether its use complies with legal obligations.
7 Key Considerations for SARs
1. Timeliness
You must respond to SARs as quickly as possible and in any event, within one calendar month. The calendar month starts from the date of receipt of a SAR even if the request falls on a weekend or a public holiday and ends on the corresponding calendar date of the next month. However, if the end date falls on a public holiday or a weekend, the deadline for response will fall on the next working day.
For example, if a SAR is received on 10 May, you will have until 10 June to reply. If 10 June falls on a Saturday, you will have until the next working day, i.e., Monday 12 June to respond.
If a SAR is complex in nature, for example because there are technical hurdles in retrieving the information, or the individual has made a number of requests, you may extend the time limit by up to a further two calendar months. If you do extend, you must tell the individual within the original one-month period and explain why the extension is needed.
The complexity of a SAR must be assessed on a case-by-case basis, taking into account factors such as the resources at your disposal and the size of your organisation; an extension cannot be claimed simply because a request is inconvenient.
Paragraphs 2 and 4 below outline circumstances in which the time limit specified in this paragraph 1 may be paused until the required information is received.
2. Identification
If the identity of the individual submitting a SAR is unclear, you will need to take steps to verify it before disclosing anything, since releasing personal data to the wrong person is itself a breach. The response time limit set out in paragraph 1 only commences once the verification process is complete. Ask for verification promptly, and request only what is proportionate to the sensitivity of the data involved; you should not demand formal identity documents from someone you already deal with routinely under a known account or email address.
3. Third-Party Data
Requests involving information about another individual can be challenging to handle. You must assess whether it is possible to comply with a SAR without disclosing information that identifies another individual, for example, by redacting details which are not relevant to the individual making the SAR. If this is not feasible, you will have to consider whether you can obtain the other individual’s consent to the disclosure or whether it is reasonable (see below for guidance) to provide the information without the other individual’s consent.
When determining whether it is reasonable to disclose another individual’s data without their consent in order to comply with a SAR, the Data Protection Act 2018 requires you to take into account all relevant circumstances, including those listed by the Information Commissioner’s Office (“ICO”):
- the type of information that would be disclosed;
- any duty of confidentiality owed to the other individual (based on the content and context);
- steps taken to obtain the other individual’s consent;
- whether the other individual is capable of giving consent; and
- any reasons the other individual may have for refusing consent.
This list is not exhaustive, but it highlights some factors to evaluate in conjunction with the context of the information before determining whether to comply with the SAR.
4. Reasonable Search
Reasonable efforts should be made to locate and retrieve the requested information across the systems where it is likely to be held, including email, messaging platforms, line-of-business applications and, where it is reasonable to do so, archived or backed-up data. However, searches that are unreasonable or disproportionate are not generally required. ICO guidance requires you to take the following factors into consideration when determining whether a search is unreasonable or disproportionate:
- the circumstances of the request;
- any difficulties involved in finding the information; and
- the fundamental nature of the right of access.
You will need to be able to justify why a search will be disproportionate or unreasonable.
If, for example, you process large amounts of information about an individual, you cannot simply rely on the quantity of information as a reason to avoid complying with the SAR. In such circumstances, and taking into account the ICO’s factors, you can ask the individual to specify the information or processing activities their request relates to. Until such clarification is received, the timeline mentioned at paragraph 1 above is paused.
Seeking clarification should not be used as a tactic to delay the response timeline. A request for clarification should only be made if you genuinely require the information to respond to the SAR.
5. Exemptions
There are some circumstances in which you may be able to refuse to comply with a SAR. You can refuse to comply with a SAR if the request is manifestly unfounded or manifestly excessive.
Manifestly unfounded requests cover situations where an individual has made a request with malicious intent, e.g. with no purpose other than to cause disruption to your business. You must evaluate the request within the context in which it is made. A request is unlikely to be considered manifestly unfounded if the individual genuinely intends to exercise their rights, even where the circumstances might suggest that they also wish to cause disruption; for example, a disgruntled employee making a genuine SAR to review the data their employer holds about them and how it is used would not typically be deemed manifestly unfounded.
The manifestly excessive exemption can apply in cases where the SAR is clearly unreasonable. A request is not automatically considered excessive just because the individual requests a large amount of information. The ICO’s guidance also suggests evaluating whether the request is proportionate, taking into account the burden and costs involved in fulfilling it. As with the "manifestly unfounded" exemption, it is essential to assess all circumstances surrounding the request, including the nature, context, and resources available to you.
You must ensure you have strong justifications for deeming a request manifestly unfounded or excessive and be ready to clearly explain these reasons to both the individual and the ICO. If you refuse, you must tell the individual without undue delay, and within one month of receipt, why you are refusing and that they can complain to the ICO and seek a judicial remedy.
Specific legal exemptions may also apply, such as but not limited to legal privilege or ongoing negotiations.
Each SAR must be assessed on a case-by-case basis if you intend to rely on an exemption, as the applicability and scope of exemptions can vary depending on the specific circumstances.
6. Contractual obligations
Under data protection laws, data controllers are responsible for complying with SARs. For example, if you are a supplier providing services to a client, you are likely acting as a processor or sub-processor of the data, while the client is likely the controller (although, in some cases, you may be considered a joint controller). It is essential to carefully review the agreements you have in place with your clients regarding your responsibilities as a processor. Typically, such agreements will include a clause stating that you will not respond to any SARs made directly to you (unless required by applicable law) but will promptly inform your client about the request and assist them in responding.
If you are a controller and you use a processor, even though processors have a legal obligation to assist you with SARs under data protection legislation, it is essential to establish clear contractual arrangements from the outset. These arrangements ensure that both parties understand their respective responsibilities, and that the processor effectively supports you in fulfilling your obligations to respond to SARs.
7. Internal procedures
Predicting when you might receive a SAR is difficult, making it crucial to implement proactive measures from the outset to handle such requests effectively. Start by establishing clear policies and procedures for managing SARs, ensuring that staff members are well-versed in the process. Providing internal training can be particularly valuable, enabling your team to recognise a SAR promptly (it need not mention the law or use the words “subject access request”, and it can arrive through any channel, including social media) and act within the required timeframe. Furthermore, implementing and adhering to robust data retention and deletion policies can help you manage data effectively. These policies not only prevent you from holding onto information longer than necessary but also limit the scope of data you may need to provide in response to a SAR if the data has already been deleted in accordance with your policies. Note that deletion must happen under your normal, documented schedule: altering or deleting data after a SAR has been received in order to avoid disclosing it is an offence under the Data Protection Act 2018.
If you require advice on responding to a 'SAR' or on the elements set out above, please contact our expert legal team at info@law365.co
Do you have a legal question for us?
Whether you are just getting started, need a template package or just some legal advice for your business, we are here to help with any questions you may have.
Our mission is to help you succeed, with less risk.