Employee disputes are now almost inevitably accompanied by a subject access request (“SAR”) requesting significant volumes of the employee’s personal data. Complying with SARs generally requires extensive search exercises and cross-departmental working to gather and review the data requested. Ultimately, it can prove to be hugely time-consuming without the right approach. So today, we have summarised our top ten tips when it comes to handling SARs.

  1. Educate staff

    The ICO’s position is that any request where an individual is asking for their data should be treated as a SAR – regardless of the form the request takes. Given the timescales involved (see below), staff need to be able to quickly identify SARs and ensure that they are actioned. It can work well to set up a designated mailbox into which SARs can be quickly channelled.

  2. Know your timescales  

    Typically, SARs require to be responded to within one month of receipt. The timescale for responding can be extended to three months where necessary – however, the requester should be informed of any extension as soon as possible, as well as the reasons for this.

  3. Review the scope of request

    The requester is only entitled to submit a SAR to access their own personal data. Requests for information beyond that (e.g. requests for copies of company documentation or data relating to other named individuals) may be ignored.

  4. Consider whether there are grounds for refusing a SAR

    There are limited circumstances where a SAR may be refused – namely where the request is manifestly excessive or is unfounded (designed purely to cause disruption). However, we recommend taking legal advice before refusing any SAR entirely, as it is likely the requester will make a complaint about the refusal to the ICO.

  5. Identify the appropriate search parameters

    Consult with your IT team about the searches required to locate the requested data. Ask the requester to specify the personal data they have a particular interest in, to inform the search parameters to be used.

  6. Use technology to assist  

    After searches for the requested data have been carried out, consider using technological solutions, such as eDiscovery platforms, to more efficiently review the material that has been returned from those searches. As a firm we have partnered with software providers who have developed their own SAR specific tools that can be used to quickly “home in” on the material that is most relevant to what the requester has asked for.

  7. Keep exemptions in mind

    UK legislation contains a number of exemptions to the information which should be provided in response to a SAR - for example correspondence that is legally privileged. Ensure those involved in reviewing the SAR material, to assess what is / is not disclosable to the requester, are familiar with these exemptions.

  8. Limit the use of redaction

    It is common that the material that has been requested as part of a SAR will contain “mixed data” – the personal data of both the requester and of other third parties. Rather than redact all the third party data mentioned, the law requires that organisations either:

    - Check whether the third parties mentioned consent to their data being disclosed as part of the response to the SAR; or

    - Take a view as to whether it would be reasonable to disclose the “mixed data” material without the third party’s consent.

  9. Go paperless

    There is no requirement to compile a hard copy of the requested data to provide to the requester. In the event the requester insists on a paper copy being provided, a fee may be charged for that.

  10. Put a subject access request action plan in place

    Having a pre-prepared plan setting out the approach your organisation takes when a SAR is received can really help to streamline the process and significantly save time when responding to a SAR in practice.

Our team are well-placed to support you at all stages of the SAR process – from reviewing your internal SAR action plan to advising on the management of a SAR you have received. Should you be interested in discussing further, please do not hesitate to get in touch.