This short blog is for small organisations (including small businesses and sole traders) who have recently handled a subject access request (SAR) and are looking for simple tips on how to make it easier next time.
If you have an active SAR that you’re dealing with right now, read our simple guide on how to deal with a SAR.
If someone asks you for a copy of their information, it’s called a subject access request (SAR). By law, you have to respond, because it’s their right to request copies of their information.
Organisations of all types – including sole traders and people who work for themselves – need to know about subject access requests.
If a SAR has caught you off-guard recently or if you’re looking for ways to improve or prepare, you can make SARs so much easier to handle with some careful planning. This guide is here to help.
1. Plan ahead
Make a plan for how you’ll deal with SARs, because handling them should be a normal part of doing business. Your plan could include who is responsible for responding, the timeframes you need to meet and your methods for sending information. If you’re not sure about any of these steps, our simple SAR guide can help.
It’s a good idea to map out each step in a 28-day plan because that helps you to always stay within the one calendar month deadline. Something as simple as a checklist helps to make sure you don’t forget anything important.
Remember that if a request is complex, you can take longer than a month to respond, as long as you let the person know there will be a delay and give them your reasons.
2. Practise good records management
If you know what information you hold about people, where you keep it and how you can search for it, you’ll find it easier to handle your next SAR. If you’re not sure what information you hold, start with our beginner's guide to data protection. It’s also helpful to make sure you don’t hold on to information for longer than you need it.
Good records management is about more than files, letters and emails. If you use CCTV or an internal messaging system, you also need to think about how you’d find relevant information stored in these places. When responding to a SAR, you need to be able to create and send copies of this information securely.
3. Train your staff
It’s important you train your staff and volunteers to recognise a SAR so they can spot it early.
Your customers, clients, members or others whose information you hold all have subject access rights – but they might not use those exact words when asking for their information. Here are some ways in which someone might ask for copies of their data:
- “Can you tell me what information is in my file?”
- “I want to see what you hold on me.”
- “I’d like to know what personal details of mine you have saved.”
The person doesn’t need to tell you why they’re asking or reference data protection law as part of their request. And it doesn’t matter whether they make the request in person, by phone, letter, email or on social media.
Train your staff and volunteers on the steps they need to take when they recognise a SAR, such as recording the date and passing it to the relevant person.
4. Check you’ve understood
With the clock ticking, it can be tempting to launch into your next SAR and start pulling information together straight away. But it’s important to check you understand exactly what the person has asked to see. If you’ve misunderstood either the sort of information they’re after or how they want to receive it, you could end up wasting valuable time.
For example, Oliver runs a small accountancy firm and he receives a SAR from Luisa, who has been a client for seven years. Luisa asks for a copy of her information.
Oliver was going to print off everything in Luisa’s file and post it to her, but instead he decides to check whether there’s something in particular that Luisa wants to see. He also asks Luisa how she would like to receive the information. Luisa replies that she only needs information about a series of workshops she attended at Oliver’s firm three months ago and she’s happy to receive the information by email.
This simple clarification reduces the task of responding to the SAR significantly and makes it more likely that Luisa will be satisfied with how Oliver handles her request. If Oliver hadn’t gone back to her for clarification, he wouldn’t have been able to complete the request as efficiently and Luisa might have struggled to find the information she was looking for. Luisa might have even complained to the ICO and Oliver would have had to deal with that too.
If you’re not sure what the person is asking for, make sure you check. And it’s helpful to know that while you wait for them to respond, you can pause the one calendar month countdown if you need to.
- How to deal with a request for information: a step-by-step guide
- How can I send information securely as part of a SAR?
- What should we do if some of the data we’re looking to provide when responding to a right of access request contains someone else’s personal data?
- Subject access request template for small businesses