
Subject Access Request Policy

The Data Protection Act 2018 (GDPR) requires organisations to let customers, clients, associates and users of their services know what information is held about them, whether it is held on computers or on paper.

A person may request access to this information through whatever means they consider appropriate, e.g. by letter, email, social media, telephone or in person. There are no restrictions on how they make a subject access request (SAR).

Users of an organisation's services can make a subject access request to find out:

  • What personal information an organisation holds about them

  • How the organisation is using that data/information

  • Who that organisation shares that data with

  • Where the organisation got their data from

Until 2018, a fee was chargeable for all SARs; since the changes made to GDPR regulations, it is no longer appropriate to charge a fee. Organisations can, however, indicate a fee if the request has an impact on administration time, but the fee must be fair and justifiable.

Once a SAR is received, it is always best to check the latest legal guidance with the Information Commissioner's Office (ICO): https://ico.org.uk/

At present, an organisation must follow the steps outlined below:

  1. Reply to the requestor without delay and at the latest within one month, starting from the day the SAR is received.

  2. Organisations can extend the period of compliance by a further two months where requests are complex or numerous, but must inform the requestor within one month of receipt of the request and explain why an extension is necessary.

  3. It must provide the requestor with a copy of the personal data requested in the SAR free of charge (unless a justifiable and agreed fee is arranged; see point 4).

  4. It can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

  5. Organisations may charge a reasonable fee for requests for further copies of the same information, but this doesn’t mean they can charge the requestor for all subsequent access requests.

  6. Information should be given in a commonly used format, but the organisation need not do this if it is not possible, if it would take ‘disproportionate effort’, or if the requestor agrees to some other form, such as viewing it on screen.

Companies are allowed to withhold certain information from requestors, for example:

  • If the information could identify someone else, and it would not be reasonable to disclose that information to the requestor.

  • If the requestor is being investigated for a crime, or in connection with taxes, and the investigation would be prejudiced if they had access to the information.

  • Do not share anyone else’s data in the SAR response, i.e. only provide data on the named person; you can redact any reference to other people in your reply to a SAR (their names, what they said or did, their telephone details, their address, their financial information, their email address, their profiles).

Best Practice approaches

  1. Check the ICO for the most up-to-date guidance.

  2. Seek the support of a DPO (Data Protection Officer).

  3. Record all SAR requests; include request dates and response dates along with details of all information shared in the SAR response.

  4. Seek advice from insurers on GDPR-related cover requirements for your organisation.

  5. If you are unsure about the information to provide in a SAR, seek professional advice. Failure to comply with GDPR regulations can result in huge fines.
