Do’s
- Respond within 1 month (don’t get caught out by a shorter month in Feb). Holidays are no excuse!
- Learn about what information you can withhold before giving everything away. Just because an employee asks doesn’t mean you are required to give them everything.
- Take time to understand the definition of personal data before beginning to create your ‘bundle’ of documents to submit.
- Be aware you can reject a request if it is excessive or ask for an extension if the work is too great.
- Ensure you seek permission from other people (who aren’t the person the SAR relates to) named in various documents if the documents include personal data relating to them. They can withhold permission.
Don’ts
- Stick your head in the sand as one month whizzes by.
- Assume if information is deleted it can’t be retrieved from your IT system. You will be expected to seek to retrieve information where possible.
- Delete stuff to hide it.
- Ask for a fee. Fees for subject access requests were abolished in 2018.
- Think you can treat this as just an annoyance. You have a legal obligation to respond to SARs.
And finally…
- Fines can be applied if you ignore an SAR: the fine can be up to 4% of turnover. Could you afford that?
How we can help
- If you have received a subject access request and need to ask an employee for clarification around what they are asking for, you can download our subject access request form.
- If you need support putting the bundles together, or advice on what you should include or leave out, our sister company Jaluch can provide advice on dealing with subject access requests. Jaluch offers contract-free, pay-as-you-go support, so you will only pay for the advice time you actually use.