BLS Stay Compliant


Would you recognise a subject access request?

On 28th September 2022, the Information Commissioner’s Office (ICO) issued a press release stating the action it had taken against seven organisations that failed to respond to subject access requests. These organisations were identified following a series of complaints from the public about how data was handled, prompting investigations and subsequent reprimands.

These organisations include:

Here at BLS Stay Compliant, we have seen an increasing number of subject access requests put to our clients throughout 2022, some relatively simple and easy to respond to and some incredibly complex and time consuming.

But, given the above spate of reprimands issued by the ICO, the need to correctly respond to every single request received is more important than ever to preserve the reputation of any organisation – and avoid a penalty.

The individual’s right of access to their data is an important part of the UK GDPR – and there are no formal requirements they need to meet in order to submit a request.

What is a subject access request?

The Information Commissioner’s Office defines a subject access request (also known as a ‘SAR’) as follows:

“A SAR is a request made by or on behalf of an individual for the information which they are entitled to ask for under Article 15 of the UK GDPR.”
Information Commissioner’s Office

An individual submitting a SAR is not required to do so in writing. They do not need to direct the request to a specific department, nor do they need to formally identify the request as a subject access request.

A SAR may come in any form, to any member of your organisation, at any time, and still be classed as a valid request to which the organisation is legally required to respond correctly.

Who can submit a subject access request?

Any individual who believes an organisation may hold personal data about them can submit a SAR – they can also be submitted by a third party on behalf of the individual. If a third party submits a request, it is the organisation’s responsibility to ensure the third party has the relevant permissions to request on behalf of the individual.

Responding to a SAR

Responses to a SAR should be made ‘without undue delay’ and, at the latest, within one calendar month of receiving the request. Extensions can be requested for up to two months for more complicated or time-consuming requests. Failure to meet these deadlines can result in action by the Information Commissioner’s Office.

Requests for assistance in recognising, collating and responding to subject access requests have been a common client query of ours this year and, with more and more members of the public choosing to take control of their data, we are expecting to see many more over the coming months.

What is SAR training?

Many organisations set up online subject access request training for their staff as a quick and accessible way of ensuring their teams are up to date on the legislation and aware of how to recognise a SAR.

BLS Stay Compliant offers subject access requests training for your organisation, either online or at a venue to suit you, to correctly recognise and respond to a subject access request, either through our open course schedule or by booking bespoke sessions. Subject access request assistance is becoming a popular feature of our managed service and consultation offerings – if this is something we can assist you with, please get in touch to find out more.
