Preparing your response to a SAR can be challenging, but if you follow the tips below you should avoid the most common pitfalls.
In November 2019 we provided advice on handling the initial stages of a subject access request (SAR). This follow-up article sets out what to consider when preparing the disclosure. In addition, we outline the key change in the new guidance from the Information Commissioner's Office (ICO).
Remember That There Are Exemptions From Disclosure
Not all of the requester's personal data will necessarily be disclosable. If you have serious concerns about disclosing information (e.g. for safeguarding reasons), there is probably an exemption from disclosure that applies. Remember to document which exemptions you have relied on in case you are asked to explain your approach (e.g. to the ICO), but you are not obliged to give this information to the requester. Applying the exemptions properly can be complicated, so seek legal advice if in doubt.
Provide the Supplementary Information
The requester is entitled to certain supplementary information about the personal data being disclosed. This should be provided alongside a copy of the disclosure. The supplementary information is similar to what is included in a privacy notice (e.g. sources and recipients of the personal data, retention periods, the right to complain to the ICO).
Double Check the Disclosure
Ask someone else to check the disclosure before it is sent to the requester. It is easy to accidentally leave in information which should not be disclosed, and this could have serious consequences.
Send the Disclosure Securely
If the disclosure gets lost in transit, this will be a data breach, so make sure that you have robust procedures in place to send it out securely.
The Latest ICO Guidance
The key take-away from the new guidance (which is still in draft form) concerns seeking clarification from the requester.
When a requester makes a broad request (e.g. for everything you hold on them), it can be helpful to ask for clarification on what they are seeking. Previously, the ICO's view had been that if you asked for clarification, the one-month response period did not start until you had received the requester's response. However, the ICO's new detailed draft guidance states that the time period continues to run whilst you are waiting for a response. You should therefore start your searches for the requester's personal data as soon as the request is received.
The guidance is currently in draft form and will be finalised once the ICO has considered the feedback received under its consultation process.