The GDPR modified the right of individuals to access data held about them. Here is a basic guide on what to do if you receive a Subject Access Request (SAR).

Is the request valid?

Requests can be either verbal or written. The request need not refer to the legislation or even say it is a “subject access request”. An indication of a future intention to make a request is not a request. It’s good practice to keep an up-to-date log of requests received, especially if they are received in person or via telephone, rather than in writing.

Is a fee payable?

There is no longer a £10 processing fee. A fee can now only be charged in circumstances that will rarely apply (where a request is manifestly unfounded or excessive). Whilst you may feel a request is excessive because it will involve a large amount of work for you to track down data in order to hand it over – that is reason to introduce practices/software that will make future compliance easier, rather than justification for a fee. It is wisest to assume no fee is payable.

Who is the request from?

You should confirm the identity of the person making the request, e.g. is it from an email address that is not known to you, even if it says it is from someone you know? Is it from a shared email address which someone could be misusing? If asked to send the requested data by post, is the address one you know they live at? Don’t assume the person is who they say they are – if in any doubt, verify (they may be grateful that you take your responsibility seriously). Time for complying with a SAR does not run until verification is received.

Do I need more information?

Although the GDPR hasn’t fully replicated the Data Protection Act 1998, we consider that the same principles apply. Therefore, if you reasonably require more information to identify or locate the data requested, you should ask for it. For example, if asked to provide copies of emails, you may need to know whether this relates to emails to or from particular people, or during a particular period or relating to a particular matter. Time for complying with a SAR will not run until that information has been received.

Can I ask for the reason for the request?

Although you can ask, not knowing the purpose, or knowing/suspecting there is no good reason or purpose, does not justify refusing to process the request, nor does it extend the time for complying.

Do I have to provide everything asked for?

You only have to provide personal data. Just because someone’s name appears in a document (or it is to or from their email address) does not mean it is personal data; it must also relate to the individual in some way. In addition to providing copies of personal data, individuals are entitled to request other supplementary information when making a SAR. This is essentially the information you are likely to provide in a privacy notice (e.g. purpose of processing, categories of personal data, retention periods). NB: you are under no obligation to provide copies of any original documents, although it can sometimes be easier to do so.

What about data that relates to others?

Other people have the right to have their privacy respected. Ask yourself if it is reasonable for you to provide the information without their consent and, if not, is it appropriate to seek their consent? In weighing this up, it can help to know the purpose behind the request – for example if it is to help someone prove their innocence in a criminal process it would be more reasonable to provide it. You may need to redact documents or put relevant data in a new document in order to meet your conflicting obligations.

How long do I have?

You should comply as soon as possible and within 1 month (for example, if a request is received on 3 September, it should be responded to by 3 October). If that isn’t possible, communicate within that first month that you need more time and why. All requests must be processed within 3 months.

If you are not sure whether your church or Christian organisation is GDPR compliant, our team can help you.

This information has been provided by solicitors working for Edward Connor Solicitors. It is designed for the purpose of knowledge sharing only and does not constitute legal advice.

Please give us a call if you want to talk through your requirements and find out how we might be able to help you.
