If you’re anything like me, when I was working in-house doing Data Protection at a large Housing Association, you let out a sigh whenever a Subject Access Request (or SAR) hits your desk. Especially if it’s taken a number of days, or even weeks, to get to you, leaving you less time to deal with it within the legal timescale! In this post, I want to share some tips on responding to SARs efficiently and effectively, and most importantly how to make SARs less stressful.
Receiving a SAR always has me singing along to Cher in my head; “If I Could Turn Back Time”, because ideally, the first step when you receive a SAR would be to hop into a time machine. Go back in time and stop anyone writing any notes or emails they’re not happy to share with the person they’re about, your Data Subject. Or perhaps you would make sure the Data Subject didn’t have reason to be suspicious of the organisation, and no reason to make a SAR looking for evidence of a conspiracy or similar.
In the absence of a time machine, we can only put in place good records management practices which will benefit future SARs, but that won’t help us much with the one on your desk.
Once you’ve logged the request, and verified the identity of the Data Subject making the request, or the authority of the requestor to act on behalf of the Data Subject, now is the time to start managing the expectations of the requestor.
SAR acknowledgement letters should avoid over-promising what information will be provided, and should explain that exemptions may well be applied to the information in question. If appropriate, explain that some of the information requested isn’t within the scope of a SAR.
When searching for data to be reviewed and possibly included in the SAR response, you aren’t obliged to carry out searches the way the requestor may have instructed, and it’s not always ideal to start off the process with a huge e-discovery which often brings up an overwhelming amount of documents to sift through.
It can help cut down the number of redactions you need to make by considering what you can exclude in its entirety first; data that isn’t within the scope of a SAR, and duplicated data (remembering the right to access applies to data, not documents!) before moving to look at the Data Protection Act exemptions that cover redactions. The golden rule I go by here is “if in doubt, leave it out”.
When it comes to timescales, the rule I go by is “better late and right, than on time and wrong”, especially when Data Subjects are children or vulnerable adults. If you need to use the time extension, you can tell the requestor you’re using it, you don’t need to get their permission.
When you’re ready to send the information, ensure it’s sent securely and with the supplementary information, as required by the law. The supplementary information should be in your Privacy Notice, so you can simply refer to your Privacy Notice, or send a copy of it. Bonus tip – this is the ideal chance to check the contents of your Privacy Notice!
Even if you handle SARs every day of the week, I would recommend keeping a process to hand to keep you on track. Anything that can reduce the amount of detail you need to keep in your brain, makes everything less stressful. To help with that, we’ve created a FREE roadmap with a procedure and tips to make SARs less stressful, that you can download below.
We’ve also created a standard SAR procedure you can make your own, and share with your colleagues so they can recognise and support you in responding to SARs, for £95 (+VAT) or you can book onto our training, which actually includes that standard procedure worth £95, for £200(+VAT) per organisation. Up to 3 colleagues from your organisation can attend for just one price of £200. Click below for details.
Other posts you might find useful:
Clare draws on over 20 years of experience in risk management and quality assurance, including ten years in data protection, to provide clear and practical advice and training.
Don’t tell everyone (shh!) but Clare’s favourite sector is social housing, having worked in a large housing association for 12 years, although she loves to support all values-led organisations.
If you have any questions about data protection, either about SARs or anything else related to personal data, book a free call!