The Bank of England has warned that the UK is facing its longest recession since records began, with the unemployment rate predicted to nearly double by 2025. Due to the combination of increasing awareness of data protection rights, the continuation of economic pressures, and a probable increase in the number of redundancies, businesses can expect to see a rise in the number of Subject Access Requests made by individuals.
What is a Subject Access Request (SAR)?
Under the UK Data Protection regime (UK GDPR and DPA 2018), individuals have the right to access any personal data which is held about them by any organisation. By making a Subject Access Request (SAR), an individual (i.e. data subject) may not only find out what personal information is being held about them but also how the information is being used, how long it will be kept for, with whom it is being shared, and where the organisation obtained the information from (if they had not collected it directly from the individual). There are no formal requirements for SARs - they may be made verbally or in writing, and they do not have to be directed to any particular person or contact point.
Upon receiving a SAR, what must businesses disclose?
Following receipt of a SAR, the recipient organisation must provide the individual with a copy of the personal data which they hold about them, as well as any other supplementary information included in the request and an explanation of the purposes for processing, how long the data is to be retained and to whom it may be disclosed.
What are the time limits for responding to a SAR?
Organisations must fulfil SARs without undue delay and at the latest within one month of receipt of the request. However, it is possible to extend this timeframe by a further two months if the request is complex or if the organisation has received a number of requests from the individual (e.g. if the individual has made a request to have their personal data erased, as well as a request to obtain and reuse their personal data for their own purposes, at the same time as the SAR).
Where the organisation processes a large amount of information about the individual and clarification about the information being sought is genuinely required in order to respond to the SAR, the extension is likely to be warranted.
Whether a request is complex will depend on the specific circumstances of the case, for example, the size and resources of the organisation. When relying on this justification, it is important to note that the organisation must be able to demonstrate why the request is complex in the particular circumstances.
How are SARs used against organisations?
SARs are often deployed as a legal tactic by employees who are planning to commence, or who have already commenced, litigation proceedings against their employer. By making a SAR, employees can obtain evidence ahead of their Employment Tribunal claim, whilst forcing their employers to undertake the costly and time-consuming exercise of processing their request. It is also important to note that in most cases, employers are unable to charge individuals for SARs, and can only charge reasonable fees for the administrative costs of complying with a request if the request is manifestly unfounded or excessive, or if an individual requests further copies of their data. In this way, employees may use SARs as a legal tactic to pressurise employers into agreeing early and higher settlements.
In what other ways are SARs used?
Similarly, other individuals may also raise SARs as the first step to making a claim, with the aim of seeking compensation from businesses. For example, they may try to request any CCTV footage of themselves as a precursor to a personal injury claim. In the business/consumer context, disgruntled consumers may also wish to cause inconvenience to a business, possibly even coordinating together as a group to flood a business with SARs.
What are the penalties for non-compliance?
As stipulated by guidelines issued by the Information Commissioner’s Office (ICO), SARs are generally “purpose-blind”. This means that organisations must comply with SARs regardless of the purpose for which an individual has raised the SAR. However, the organisation may refuse to comply with the SAR if they deem the request to be manifestly unfounded or excessive. On the other hand, those requesting the SAR can make a complaint to the ICO if they think the refusal is not justified. The ICO has various ways of taking action against organisations and may issue a warning, a reprimand, an enforcement notice or a penalty notice. Individuals can also seek compensation for non-compliance.
The courts can also be asked to step in, and bear in mind that it is also a criminal offence to prevent the disclosure of information under a SAR. Considering the risk of further aiding an individual’s claim by failing to comply with a SAR, it is vital that organisations respond to SARs swiftly and appropriately.
How 3CS can help
As any member of staff may receive a Subject Access Request via any channel and in any format, 3CS can help you prepare for these requests by providing staff training and preparing standard forms for these requests. We can also help you respond appropriately to requests by ensuring that you provide only the necessary information within the correct timeframe, and that you do not share any information to which the individual is not entitled, including the redaction of documents to avoid disclosing other individuals’ personal data and infringing their rights. Please get in touch with your usual 3CS contact for more information.