07 December, 2019
As the Christmas period approaches, now is good time to review existing processes and procedures to see if any improvements can be made to ensure you deal with Subject Access Requests (SARs) efficiently and within the statutory timescales.
Over the past 12 months, our clients have seen a real increase in the numbers of SARs being requested particularly where there is an ongoing dispute between the organisation and the individual making the request. The ICO's Annual Report (published in July 2019) stated that almost 40% of all complaints made to the ICO related solely to the issue of SARs and how these were being handled by data controllers under the new GDPR regime.
First and foremost it is important that all staff know how to recognise a SAR, even if they would not be the one handling the request. Staff need to be aware that a SAR can be made via any form of communication, it does not necessarily need to be made in writing. Therefore, it could be made over the phone or over social media. The SAR may not even include the phrase 'subject access request' or refer to the GDPR or the Data Protection Act 2018. All staff should therefore receive training about how to recognise a SAR and to forward it to the relevant person or department as soon as possible. This will help ensure you are able to respond to the SAR with a 1 month period.
SARs are commonly made when there is an ongoing dispute between the data controller and the individual making the request. This means that SARs are often time-consuming, complicated and expensive. You should have a documented process in place for handling SARs, including template response letters and checklists, which will help you go through each SAR you receive in a methodical manner and help you in responding to the SAR within a 1 month period.
Once you have been through all the necessary documents and you are ready to disclose the results of the SAR to the individual, do not forget your data security obligations. The individual making the request has already engaged their rights under the GDPR and will be likely to make a complaint if you send the SAR to the wrong e-mail address or the results get lost in the post. If you are sending the results to the individual via e-mail, password protect the document and make sure the password is sent to the individual separately. For paper documents, couriers or signed-for delivery may be the most appropriate method of sending the results securely. Remember that higher risk information (such as results containing medical information or other confidential information) will require higher levels of security.
Finally, a key consideration to reducing the scale of results in a SAR is to consider your retention periods for particular documents such as e-mails. The GDPR states that personal data should not be kept for "longer than necessary" but there are many legal or regulatory requirements which means that information will often need to be kept for a number of years.
A complicating factor in SARs is often the vast amount of personal data held in e-mail systems. An individual may request access to personal data held in e-mails, particularly where the SAR is being made by a member of staff. If your organisation holds onto e-mails for years then you are going to have to review potentially tens of thousands of e-mails if a member of staff makes a SAR, particularly if the member of staff has been in position for a number of years. Additionally, the fact that the search results are so large is not a legitimate reason for withholding a response to a SAR. Therefore, limiting the retention periods for communication systems such as e-mails may assist you in reducing the length of time and resources it takes to handle a SAR.
SARs are time consuming, complicated and can be expensive but ensuring your procedure is up to date and sets out a methodical way of handling SARs, will help you to streamline the process.
For more information contact Daniel Milnes in our Governance, Procurement & Information department via email or phone on 01254 222313. Alternatively send any question through to Forbes Solicitors via our online Contact Form.