The Data Protection Act (DPA) gives individuals a number of rights. One of these is the ‘right of access’, more commonly referred to as a Subject Access Request (SAR). It entitles an individual to obtain a copy of their personal data, together with other supplementary information (for example, the purposes for which it is processed and who it has been shared with).
How do we recognise a Subject Access Request (SAR)?
A person does not need to submit a SAR in any particular form. A request can be:
- in writing
- verbal
- via social media
- addressed to any member of staff – yes, even you
- requested by a third party (relative, friend or solicitor).
A request is valid if it is clear that the individual is asking for their own personal data. If the request is from a third party, they must include evidence that they are entitled to act on behalf of that person (data subject).
It does not need to state that it is a SAR, or even refer to the DPA or the General Data Protection Regulation (GDPR). If someone asks for their own data in any form, we should treat it as a SAR.
What can a person request?
A person may request specific information, or they may request all data that relates to them. This could include:
- Their personnel/HR records
- Any CRM records
- Emails that contain their personal data
- Performance review information
- Complaints information
It is important to remember that a name is personal data, so think carefully about what you write in emails and other correspondence, and about what you record in the CRM system. If the data subject requests this data, they are entitled by law to see it.
What should I do if I receive a request?
All SARs must be logged with our Data Protection Officer (DPO), Dee Beckett. If you receive a SAR, contact your Data Lead and our DPO within 24 hours to inform them of the request. Where GC is the Data Processor rather than the Data Controller, the request may need to be referred to the Data Controller for action, so it is important that it is passed on promptly. We have one calendar month from receipt of the request to respond to a SAR. This can be extended in exceptional circumstances (by up to a further two months where a request is particularly complex or where the individual has made a number of requests), but any extension must be discussed and agreed with our DPO.
Responding to a request involves a number of steps to ensure compliance with the DPA. These include verifying the identity of the individual you are dealing with, confirming that any third party requesting the data has the correct authority, and redacting or withholding data that relates to another individual where it cannot lawfully be disclosed.
It is important that everyone at GC knows what a SAR is, so that we can follow the correct procedure in compliance with the DPA. More information about SARs can be found on the ICO website, and if you have any questions, please contact Dee Beckett.
Paul Simpson,
Chief Financial Officer