How to deal with a Subject Access Request
A subject access request (SAR) is a request by an individual for their own personal data. This could include information about any grievances or disciplinary action, or any information derived through monitoring processes. SARs are also often used as a bargaining chip when employers and employees are in dispute.
The EU General Data Protection Regulation (GDPR) requires employers to respond to requests within one month. They must be processed without charge, unless the request is “manifestly unfounded or excessive.”
SARs can be a substantial administrative burden, particularly as they must all be treated individually. The Information Commissioner’s Office (ICO) has issued a Code of Practice for employers, which deals in detail with the required processes.
In summary, employers are required to do the following.
- Identify the requester. Where requests are made on behalf of others, such as through a solicitor, it is necessary to ensure the third party making the request is authorised to act on behalf of the individual.
- Clarify with the individual what personal data they wish to receive.
- Identify the personal data to be disclosed.
- Consider any personal data exemptions — if, for example, it would adversely affect the rights of other individuals.
- Assemble and disclose the personal data securely.
- Keep a record of the request and the process followed.
Employers should act swiftly; the response must be made within one month. There is a threat of a hefty fine for failing to respond to the request or to provide the information requested.