For today’s post, we’re taking a quick dive into the murky depths of Subject Access Requests.
Imagine this scenario. One of your students, staff members, or anyone you might have information about is standing at the front desk, and they’re asking for all of their data. What do you do? What happens next? For many organisations, it’s a daunting thought.
In reality, answering a Subject Access Request can be reasonably simple. However, the process is easier to understand with a little background knowledge:
What is a Subject Access Request?
Every individual is entitled to know what information you are holding about them. Individuals have a range of rights, including the right to rectification and the right to be forgotten, but the right most commonly exercised is the right to access.
Individuals exercise this right by submitting a Subject Access Request. Through this process, individuals can ask you to provide them with a copy of the personal data you hold about them.
An individual has been able to submit a Subject Access Request (SAR) since before the GDPR. Although the process was slightly different, you could request your data under the 1998 Data Protection Act. The GDPR has simplified the process for individuals, so they can exercise their rights with more ease.
Receiving a Subject Access Request
Back to the situation at hand, you’re manning the front desk and you’re face-to-face with a SAR. What comes next?
The first thing to note is that a Subject Access Request can come to anyone within an organisation, and can come in any format. Your organisation may have a specified route for Subject Access Requests such as an email address or phone number, but individuals are not obligated to use these methods.
A Subject Access Request can be verbal or written and can be sent through mechanisms like social media. You can receive a Subject Access Request via tweet. When you receive a request via one of these routes, it’s best to make a written record of the request, but you can’t force the individual to do so.
In this scenario, the first thing you’ll want to do is gather a little more information. You can ask the individual for their name, and whether they have any other information such as a reference number to help locate their records.
After that, it’s best to enquire if there is anything specific the individual is looking for. Sometimes an individual is looking for specific information, or data from a specific time-period. They’re under no obligation to narrow the scope of their request, but it can sometimes save them from sifting through hundreds of records and save time for your organisation.
A Note About Identification
It is important that the person making the request is who they claim to be. This process requires some common sense. Identity verification must not be used to block access to information. In the case of requestors such as students or staff, you already hold information about their identity, and their presence at your organisation on a daily basis means that further checking is not required.
When requestors are less well known, verification of identity is required. This is easiest to do in person. The requestor can show identification documents such as:
- Current Drivers Licence
- Utility Bill
- Bank or Building Society Statement
- Letters from the Benefits Agency
- Letter from Professional
In the scenario used here, you might not be absolutely certain of the requestor’s identity. You could ask to see identification when they first make the request. If they didn’t have any, you could advise them to return with ID when possible, but that you’ll start processing their request immediately.
Moving down the chain
Once you’ve taken this information, the next step depends on how your organisation works. For larger organisations, you might have a designated data protection team. For smaller organisations, you may have a single point of contact, or you might be the data protection lead. In particularly small organisations, it’s not unusual for employees to have more than one hat to wear.
Regardless of size, your next step will involve recording the request, and setting the data discovery process in motion. Your organisation has a calendar month to respond to a Subject Access Request, and this begins when anyone in the organisation receives a request, not when the designated data protection lead receives it, so it’s important you get the ball rolling quickly.
You should have somewhere to record any Subject Access Requests your organisation receives. It might be an cloud-based system like ours. You should record the request, along with the date requested and any additional details. If someone makes a written request or sends a tweet, you should record that request verbatim so there can’t be any confusion.
The request has been recorded and passed on to the correct team. If you’re in a large organisation, that might be the last you hear of the request. If your organisation is smaller, you are more likely to be involved in data discovery.
At this stage you’ll need to look through all your records for any personal data of the requestor. If the scope has been narrowed down, you may not need to locate all the personal data for an individual. When searching for data, make sure to search using any identifiers that might be used in your organisation. If customers have a reference number, or if individuals are referred to by initials, these should be searched for too, as well as searching for the requestor’s name. It’s also worth noting that something can be personal data, even if none of these identifiers are used. For instance, sometimes a cursory glance through all relevant emails might turn up one or two results that were missed by a filtered search done previously.
This can be quite a complex process, and if you’re struggling to hit the deadline, it might be worth looking at extensions.
Redact and Return
The data has been found and it’s been collated. Now you need to provide it to the individual. In general, SARs are sent out in electronic format, but a general rule of thumb would be to respond to a request in the format you received it. In this case, the request was verbal, and it wouldn’t make sense to try and provide the response verbally. Instead, the data protection team are using the contact details you collected at the start of the process and will be emailing out the response. Good for the bees, good for the trees, and easily accessible to the requestor.
However, before this data can be sent out, it must be redacted. An individual only has the right to access their own data, so anybody else’s personal data needs to be removed.
There are a few different methods to redact information, either in hard copy or in digital format. A quick scribble in black pen seems to suffice in the movies, but it’s not a reliable form of redaction. To ensure you don’t give away data you shouldn’t, have a look into electronic redaction, which covers the data and then deletes it from underneath so it cannot be recovered.
The end of the line
A month has passed, and your student or staff member has received an email with the personal data they requested. They’re happy, you’re happy, and there have been no inadvertent data breaches.
Subject Access Requests might seem daunting to begin with, but they just require a little teamwork and some forward planning. With a step-by-step process you can solve a SAR with ease.