SARs: “Subject Access Request” or “Subtracting from Annual Revenue”

The right for a data subject to have access to their personal data is a key principle of data protection law, and one which generally entitles individuals to submit a data subject access request (“SAR”) in order to receive copies of the personal data held about them, usually within one month and usually without being required to pay.

However, just because exercising the right is (usually) free does not mean that there is no cost.


Dealing with a single SAR can cost the controller thousands of pounds and consume many hours of staff time (including that of senior management), diverting people from their usual roles. It is therefore worth refreshing on the steps controllers can take in advance to limit both the chances of receiving a SAR and the time needed to deal with and respond to one if it is received:

1. Accurate Privacy Notices – it is not uncommon for a SAR to follow situations where the individual is frustrated at how their data has been used, apparently without the individual being aware of such use. The concern usually centres on the thought: “if my data has been used in that way, what else are they using it for?”.
By ensuring that privacy notices are comprehensive and up to date, and that people understand how the controller intends to use their data, controllers can avoid this kind of miscommunication and, hopefully, the scenario in which individuals fall back on a SAR to find out what is being done with their data.

2. Correct Technical Resources – it is now widely understood that a SAR extends to personal data stored within documents (note: the right is to the personal data, not necessarily to the entire document in which it appears).

However, controllers must also understand that individuals have the right to receive photos, video footage and audio recordings of themselves. Balancing this right against the requirement not to disclose information which identifies third parties means that controllers will usually have to isolate the images or recordings which relate only to the requester (which may involve blurring out third parties in footage, or redacting them from audio recordings and/or transcripts).

Controllers should ensure that they have adequate systems and training in place for this work in advance, rather than trying to acquire the necessary tools and skills while the one-month time limit is already running.

3. Following Retention Timelines – not only is “storage limitation” a principle of data protection law (meaning personal data is only retained for as long as is necessary), it also operates to limit the amount of data that controllers would have to sift through in order to respond to a SAR.

For example, 30 days is the usual retention period for CCTV footage, after which it should be deleted. If that deletion is not carried out (either because no deletion rule was ever put in place, or because the footage was unintentionally archived or copied elsewhere), then more work will be required to respond to the request. Questions may also follow as to why the footage was still held when it had already fulfilled its purpose.

4. Manageable Filing System – the Information Commissioner’s Office expects all controllers to be able to demonstrate that they have good records management practices in place, which permit all files that contain personal data to be located, secured and destroyed when appropriate.

One records management approach that we commonly see leading to problems (with SARs and with other aspects of data protection compliance) is decentralised data storage. This causes various difficulties, including being unable to locate or access information that is in fact held only in a silo, such as one employee's laptop.

Improving records management practices should ensure that data is available to those authorised personnel who need to access it.
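Points 3 and 4 above come down to two checks a controller can automate: is each record past its retention period, and does any expired copy survive somewhere other than the central store? The script below is an added example written for this article, not code from the firm or from any product. The 30-day period follows the CCTV example above; the record layout, the store names and the sample records are constructed assumptions for illustration.

```python
"""Retention sweep: find records past their retention period and flag
expired copies that survive outside the primary (central) store.

Added example for this article. The record layout, store names and
sample data are assumptions; the 30-day period is the CCTV figure above.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 30        # usual CCTV retention period cited in the article
PRIMARY_STORE = "nvr-01"   # hypothetical name of the central video recorder


@dataclass(frozen=True)
class Record:
    path: str           # file path on the store
    store: str          # where this copy lives: recorder, archive, laptop...
    captured: datetime  # timezone-aware capture time


def is_expired(rec: Record, now: datetime, days: int = RETENTION_DAYS) -> bool:
    """True when the record is older than the retention period.

    Naive timestamps are rejected: mixing local and UTC times silently
    shifts the cut-off by hours, so the caller must be explicit."""
    if rec.captured.tzinfo is None or now.tzinfo is None:
        raise ValueError("use timezone-aware timestamps for retention checks")
    return now - rec.captured > timedelta(days=days)


def sweep(records, now: datetime) -> dict:
    """Classify records for a retention run.

    'delete': expired copies in the primary store (routine deletion).
    'stray':  expired copies found outside the primary store; these
              should be deleted too, but also investigated, because they
              show data escaping the central store (the silo problem).
    'keep':   still within the retention period."""
    result = {"delete": [], "stray": [], "keep": []}
    for rec in records:
        if not is_expired(rec, now):
            result["keep"].append(rec.path)
        elif rec.store == PRIMARY_STORE:
            result["delete"].append(rec.path)
        else:
            result["stray"].append(rec.path)
    return result


# Constructed sample inventory (not real data) and a fixed sweep time so
# the run is reproducible.
SWEEP_TIME = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("cam1/2024-05-01.mp4", "nvr-01",
           datetime(2024, 5, 1, tzinfo=timezone.utc)),   # 60 days old
    Record("cam1/2024-06-20.mp4", "nvr-01",
           datetime(2024, 6, 20, tzinfo=timezone.utc)),  # 10 days old
    Record("cam2/2024-04-15.mp4", "laptop-jsmith",
           datetime(2024, 4, 15, tzinfo=timezone.utc)),  # expired, on a laptop
    Record("cam2/2024-06-01.mp4", "nvr-01",
           datetime(2024, 6, 1, tzinfo=timezone.utc)),   # 29 days: still kept
    Record("cam1/2024-05-30.mp4", "backup-archive",
           datetime(2024, 5, 30, tzinfo=timezone.utc)),  # 31 days, archived copy
]


def run_demo() -> dict:
    """Run the sweep over the constructed inventory and return the result."""
    return sweep(SAMPLE_RECORDS, SWEEP_TIME)


if __name__ == "__main__":
    for bucket, paths in run_demo().items():
        print(f"{bucket:7s} {paths}")
```

The point of separating "stray" from "delete" is the question raised above: an expired copy on an employee's laptop or in a backup archive is not just more material to sift through for a SAR, it is evidence that the retention rule is not reaching everywhere the data lives, and that is worth a review rather than a silent deletion.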


Like many elements of data protection compliance, dealing with SARs is an unavoidable cost of doing business. Preparing to deal with SARs now (rather than waiting for one to land before thinking about or testing your systems) should, however, be seen as an investment when set against the cost of mishandling a SAR and having it escalated to the Information Commissioner's Office.

If you would like more advice on this or other data protection related issues please feel free to contact Paul Eastwood or another member of Tughans’ Contracts & Technology team.

While great care has been taken in the preparation of the content of this article, it does not purport to be a comprehensive statement of the relevant law and full professional advice should be taken before any action is taken in reliance on any item covered.