GDPR: Managing SARs over Summer
The session was a refresher on Subject Access Requests (SARs) and on dealing with them over the summer holidays.
What is a SAR and what is the legal position on it?
Subject Access Requests fall under one of the several individual rights people have over their personal data (alongside, for example, the right to be informed, the right to rectification and the right to object). This specific right is called the right of access, or the right of subject access.
In short, the individual has a right to obtain a copy of their personal data, together with certain supplementary information.
Supplementary information is defined as:
- Your purposes for processing;
- Categories of personal data you’re processing;
- Recipients / categories of recipient you have or will be disclosing the personal data to (including recipients / categories of recipients in third countries or international organisations);
- Your retention period for storing the personal data or, where this is not possible, the criteria for determining how long you will store it;
- The individual’s right to request rectification, erasure or restriction or to object to processing;
- The individual’s right to lodge a complaint with the Information Commissioner’s Office (ICO);
- Information about the source of the data, if you did not obtain it directly from the individual;
- Whether or not you use automated decision-making, including profiling, and information about the logic involved, as well as the significance and envisaged consequences of the processing for the individual;
- The safeguards you have provided where personal data has or will be transferred to a third country or international organisation.
This largely mirrors the information you would already provide in a privacy notice.
The right also covers confirmation of whether or not you are processing the individual's personal data at all. So, even where an exemption allows you to withhold the data itself, you should still confirm to the individual whether you hold any data about them.
This right has always existed but has become far more commonly exercised over the last few years. The intention is that individuals can:
a) know that you are using their data,
b) know why and how this is done, and
c) check that you are using their data correctly.
What is needed for a valid SAR?
For clarity, there are some key differences between a SAR and a Freedom of Information (FOI) request. The first is that an FOI request must be made in writing, whereas a SAR can be made in writing or verbally.
NB: In writing can be in the form of a letter, email, a form, or could even be done via your Twitter or Facebook account.
The main requirement is that it is clear the individual is asking for their own data, or for the data of an individual they are authorised to act on behalf of. The request does not need to be titled "Subject Access Request"; there have been cases where it was titled "Freedom of Information", and that does not make the request any less valid.
The request also does not have to go to a specific contact or use a specific form. You may direct individuals to a particular contact or form, which helps ensure that most requests reach the right place, but if an individual does not follow that direction the request is still valid.
Once all of the above is in place the request is valid. There are, however, some further checks, and until each is resolved the one-month time limit does not start:
- Is it clear what the individual is asking for? If the request is unclear, you can ask the individual to clarify, and the time period does not start until they do.
- Do you know the requester? If not, you may need further proof of identity. The time period does not start until you receive this proof.
- If the request has been made on behalf of an individual, does the requester have authority to do so (for example, a solicitor acting for their client)? The onus is on them to prove this to you sufficiently. Again, the time period does not start until you receive this proof.
Top tips for dealing with SARs
- Be careful asking about motive - Knowing the reasoning can help to a degree, for example to pin down exactly what the individual is seeking, but you should not be questioning why they want the data. You can refuse to comply with a request that is manifestly unfounded or excessive, but whether that applies will depend on the request itself, not on the requester's motive.
- Initial awareness is key - Requests can be made verbally, no particular wording has to be used, and they can be made to any member of staff. It is therefore important that staff know what a request looks like and report it upwards promptly. For Judicium's clients there are CPD eLearning sessions on SARs which can be used to evidence this training. Details can be found below.
- Day-to-day staff awareness is important too - Staff should think carefully about what they put in writing, for example opinions about parents, as this could be disclosed. They should also be aware that their accounts and devices may need to be searched at any time. Make clear that staff must not save personal data on their own personal devices or in private email accounts, and that documents must be saved in the correct areas.
- Act quickly - The time period is one calendar month. Delays typically happen when staff take too long to pass the request on to the correct person. Whilst there can be grounds to extend the time, "sitting" on the request for a while will not be sufficient justification for an extension. Similarly, a delay to the start of the timeframe because you asked for ID is only likely to be upheld by the ICO if you asked promptly.
- Preparation is key - At the outset, make sure you know what the individual is asking for; if you are not sure, ask them to clarify. You will likely hold data in many different places: your MIS, emails, social media, CCTV, tracker tools, physical files, phones, memory sticks and so on. Where you process a large amount of information about the individual, you can ask them to narrow down or specify the information their request relates to, and the clock stops until you receive that clarification.
However, if you do not get clarification, you should document what you will be searching and what you consider a reasonable search. Do not rely on this clarification step routinely, as the ICO would be likely to pick up on it. Use it only where you genuinely need to because you process a lot of information about the individual. For example, if a parent makes a request three months after their child joined, you have had little interaction with them, so it is unlikely you can rely on asking for clarification.
- Final considerations - Once data has been collected, the final things to consider are exemptions and redaction. Be aware that companies offering redaction services are not necessarily 100% reliable. It is worth testing the output to check that it has actually been redacted: for example, open the file in a PDF editor such as Adobe Acrobat and check whether a box has simply been drawn over the text. If so, the underlying text is still in the document, and the requester can delete or move the box and read what it was meant to cover. Judicium has a guide on redaction for clients if this is needed.
- Just because a requester gives you search terms does not mean you have to use them if they are too broad - For example, searching for the initials "AB" will also match any word containing that sequence (such as "absolutely"). If a term is too broad you can tell the requester that it cannot be used as given.
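The redaction point above is easy to test without relying on a supplier's word. The following is an added example written for this page, not Judicium's code or guide: it builds a small constructed single-page PDF containing a pupil's name (the name, page layout and helper names are assumptions for illustration), then checks whether the name still appears in the document's text content streams. An overlay-only "redaction" (a black box drawn on top) leaves the text operator in place and is flagged; a true redaction removes the string before the box is drawn and passes. The check is deliberately simple and only covers literal strings in uncompressed or Flate-compressed streams, so a clean result is a useful sanity check rather than proof of a complete redaction.

```python
"""Check whether a 'redacted' PDF still carries the hidden text in its content streams."""
import re
import zlib


def build_pdf(content: bytes, compress: bool = False) -> bytes:
    """Assemble a minimal single-page PDF around one page content stream.
    Used here only to construct sample input; it is not a general PDF writer."""
    if compress:
        data, filt = zlib.compress(content), b"/Filter /FlateDecode "
    else:
        data, filt = content, b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R >>",
        b"<< /Length %d %s>>\nstream\n" % (len(data), filt) + data + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for i, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


# A stream body runs from the 'stream' keyword to 'endstream' (lookbehind avoids
# matching the 'stream' inside 'endstream'); a literal string is '( ... )' with
# backslash escapes. Nested parentheses are not handled, which is fine for a check.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
STRING_RE = re.compile(rb"\((?:\\.|[^\\)])*\)")


def _unescape(s: bytes) -> bytes:
    """Strip the parentheses and resolve the common backslash escapes."""
    return re.sub(rb"\\([()\\])", rb"\1", s[1:-1])


def text_operands(pdf: bytes) -> list:
    """Return every literal string operand found in the document's streams,
    decompressing FlateDecode streams with zlib and using others as they are."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        data = m.group(1)
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass  # not Flate-compressed; scan the raw bytes
        found.extend(_unescape(s) for s in STRING_RE.findall(data))
    return found


def redaction_leaks(pdf: bytes, terms: list) -> list:
    """Return the terms that are still present in the PDF's text operands."""
    text = b" ".join(text_operands(pdf)).decode("latin-1").lower()
    return [t for t in terms if t.lower() in text]


# Constructed sample: one page with a pupil's name, then two kinds of "redaction".
NAME = "Jane Smith"
ORIGINAL = b"BT /F1 12 Tf 72 720 Td (Pupil: Jane Smith) Tj ET\n"
# Overlay-only redaction: the text operator stays and a black box is drawn over it.
OVERLAY = ORIGINAL + b"0 g 70 716 120 16 re f\n"
# True redaction: the name is removed from the content stream, then the box is drawn.
TRUE = b"BT /F1 12 Tf 72 720 Td (Pupil: ) Tj ET\n0 g 110 716 80 16 re f\n"


def demo() -> dict:
    """Run the check against the three constructed documents."""
    return {
        "overlay": redaction_leaks(build_pdf(OVERLAY), [NAME]),
        "overlay_compressed": redaction_leaks(build_pdf(OVERLAY, compress=True), [NAME]),
        "true": redaction_leaks(build_pdf(TRUE), [NAME]),
    }


if __name__ == "__main__":
    for label, leaked in demo().items():
        print(label, "LEAK" if leaked else "clean", leaked)
```

To use this on a real supplier's output, read the file into `pdf` and call `redaction_leaks(pdf, [...])` with the names and identifiers that were supposed to be removed. Real documents may store text as hex strings, split it across `TJ` arrays or use custom font encodings, so a clean result here should still be backed up by opening the file and trying to select or copy text under each box.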
Pointers for dealing with SARs during school holidays:
As mentioned above, do not focus on motive. A request made at this time of year is not manifestly unfounded or excessive just because of when it was made. The important thing is to be transparent with the requester straight away. The legal position is one calendar month, counted without regard to working days, so if you cannot comply because the school is closed you need to say so.
The ICO does not allow a blanket allowance for schools being closed, as some schools are open over the summer and deal with requests. If yours is not, let the requester know straight away:
- Why you can’t deal with the request straight away,
- The length of the delay,
- When you expect to have a response by,
- Whether there is anything you can get to them sooner.
This should be done promptly, and before finishing for the summer, to avoid any ambiguity.
Other important practical steps to consider include:
- Check whether any staff are in over the holiday and direct individuals to that contact, not just for SARs but for any questions over the holiday period.
- Set an out of office. A request may arrive in summer when you are not in, and the requester will not know that. State when you are away until, whether the mailbox is monitored and, where applicable, a relevant alternative contact. A longer delay then comes as no surprise when you return.
- Update your policies to cover how requests are dealt with during the summer. Judicium has this built into its data policies.
As part of Judicium’s GDPR service, we offer support on dealing with SARs on behalf of clients. If you would like more information on how we can support you, please see details of the service here. We are available for support 52 weeks of the year, so we are able to help with SARs even over the summer.
For more information on Judicium's Subject Access Request Training on offer, please see details below.
If you require support with any of these steps, or would like to talk to someone about support for your school, please do not hesitate to call us on 0203 326 9174 or email email@example.com.