Recently we received some information, out of the blue, from a company we had never heard of, and whose services we were unlikely to use. Although pleased to read the information within the email, we thought it would be a good way to explore whether firms who contact us actually understand a SAR – Subject Access Request – sometimes known as a Data Subject Access Request (DSAR). We decided to use them as our tool for a planned exercise – Do SARs Work?
A little recap – a SAR is your right of access.
What is the right of access? (From the ICO website)
You have the right to ask an organisation whether or not they are using or storing your personal information. You can also ask them for copies of your personal information, verbally or in writing.
This is called the right of access and is commonly known as making a subject access request or SAR.
We replied to the company’s email and within it we included the line:
I’d like to formally know what details you hold on us. Please take this as a formal SAR.
Our request was deliberately simple. Although we could have been more specific, our request was in keeping with the email they sent to us. It would have been over the top to ask for a full-blown SAR in relation to a single email.
Note that you can ask for information in any way you like: email, text message, phone call, in person, to anyone within the company. All you need to ask is ‘I would like any personal information you hold on me.’ Remember this is personal information, not business information. You have no right to ask for business information held, even if it is about your business; if you do so, the recipient does not have to respond.
While we just included a simple line asking for information, we could have included:
- a clear label for our request (eg use ‘subject access request’ as the email subject line or as a heading for a letter)
- the date of our request
- our name (including any aliases, if relevant)
- any other information used by the organisation to identify or distinguish us from other individuals (eg customer account number or employee number)
- our up-to-date contact details
- a comprehensive list of what personal data we want to access, based on what we need
- any details, relevant dates, or search criteria that will help the organisation identify what we want and how we would like to receive the information (eg by email or printed out).
At the same time as the request was emailed to them, we logged our request using our own CRM, HubSpot. We used HubSpot to send the email and to date and time the request, should we need this information later. If the recipient chose not to respond, we would need to supply this information to the ICO. We also converted the email into a PDF and saved the file.
While the email was on its journey, we wondered how quickly they would respond; would they respond at all, and if so, what would our next action be?
Companies and individuals have a month to respond. If the request is complex, they may need extra time. In either case, the recipient must reply to you within one month.
Historically, there have been concerns about firms requesting a fee for releasing the data you request, but the situation is now more reasonable. In most circumstances, they are not going to charge a fee. If, however, they think that your request is manifestly unfounded or excessive, then they can charge a fee, and they can also charge for extra copies of the information provided. Please note that if the organisation does charge a fee, the one-month limit does not begin until the fee is paid.
The company in our example responded the next day, supplying all the information they held on us. This was very likely from their CRM system as it came in a simple template form: clear information about the business, how they researched their information about us and the personal information regarding InfoLore. We were not asked to pay a fee.
So what should an organisation send back to us?
When an organisation responds to your request, they should normally tell you whether or not they process your personal information and, if they do, give you copies of it. The organisation should also include:
- what they are using your information for
- who they are sharing your information with
- how long they will store your information, and how they made this decision
- details on your rights to challenge the accuracy of your information, to have it deleted, or to object to its use
- your right to complain to the ICO
- details about where they got your information from
- whether they use your information for profiling or automated decision-making, and how they are doing this
- what security measures they took if they have transferred your information to a third country or an international organisation.
If you specifically wish to receive this additional information, we recommend you state this in your request.
Will we always receive everything we asked for?
For our simple request – not always, depending on the circumstances:
- you may receive only part of the information you asked for; or
- the organisation may not provide you with any personal information at all.
An organisation can refuse to comply with your subject access request if they think it is ‘manifestly unfounded or excessive’.
There can be other reasons why you may not receive all the information you expect, such as when an exemption applies, or the type of information you asked for is not covered by a subject access request.
So what could we receive? Would we receive everything? Am I entitled to receive copies of entire documents?
No. Your right of access does not entitle you to receive full copies of original documents held by an organisation – only your personal information contained in the document.
For example, you make a subject access request to your bank for full copies of your bank statements.
Your bank is not required to provide copies of the actual bank statements, but they must provide you with your personal data contained within them, for example, by providing you with a list of transactions.
By doing so, they have now complied with your subject access request without having to give you a full copy of the original bank statements.
There must be a real reason behind your request for information, or it could be seen as ‘manifestly unfounded’.
There is no set definition of what makes a subject access request ‘manifestly unfounded or excessive’. It will depend on the particular circumstances of your request. An organisation should explain the reasons for their decision.
As an example, an organisation may consider a request to be ‘manifestly unfounded or excessive’ when it is clear that:
- it has been made with no real purpose except to cause them harassment or disruption;
- the person making the request has no genuine intention of accessing their information;
- they offer to withdraw their request in return for some kind of benefit, such as a payment from the organisation; or
- it overlaps with a similar request the organisation is still addressing.
To decide this, an organisation must consider each request on a case-by-case basis and be able to explain their reasoning to you.
Can an organisation withhold information, or some of the information from you?
Yes they can and this is called an exemption.
What is an exemption?
An organisation may withhold some, or all, of your personal information because of an exemption in data protection law.
Exemptions are meant to protect particular types of information, or how certain organisations work.
Sometimes an organisation may not even have to let you know whether or not they hold information about you.
An organisation may also refuse to give you your information if it also includes personal information about someone else, except where:
- the other individual has agreed to the disclosure; or
- it is reasonable to give you this information without the other individual’s consent.
In their decision-making, an organisation has to balance your right of access against the other individual’s rights over their own information.
This may lead the organisation to refuse your subject access request.
Alternatively, the organisation may attempt to remove (or edit out) the other individual’s information before sending your information to you. This is commonly known as ‘redaction’.
This could mean you only receive partial information – such as copies of documents showing blanked-out text or missing sections.
In any case, an organisation normally needs to:
- tell you why they are not taking action
- justify their decision and
- explain how you can challenge this outcome.
What information is not covered by my request?
The right of access does not cover all types of information or uses of personal information.
Some common examples of this include:
- information used for personal/household activity (eg friends writing letters to you or pictures of you taken by family members);
- images of you captured on a domestic CCTV system within the boundary of their domestic property; and
- information about a deceased relative’s medical records (as data protection law only applies to living individuals).
We were fairly confident that we would not be asked for a fee; however, an organisation may charge one.
Can an organisation charge a fee?
In most circumstances, they should give you a copy of your personal information free of charge. However, an organisation can charge a reasonable fee to cover their administrative costs – if they think your request is ‘manifestly unfounded or excessive’.
They can also charge a fee if you ask for further copies of your information following a request.
If an organisation can charge a fee, the one-month time limit does not begin until they have received the fee.
To know more about SARs and GDPR in general, please take a look at the online training portal on our website.