Subject Access Requests – What Information Can Individuals Obtain?
Any individual whose information is held by an organisation has the right to request information relating to it under GDPR and Subject Access Request Legislation.
Individuals have the right both to ask an organisation whether they are using or storing personal information, and also to ask for copies of personal information (this request can be verbally or in writing).
Why would I make a Subject Access Request (SAR)?
To find out what personal information is held about you
- To establish how an organisation is using your information
- To confirm who it is being shared with
- To find out where they got your data from
- Should any data be incorrect, individuals have the right to request a correction.
The request will detail the specific data that is required, and upon receipt an organisation must respond within one month. There are exceptions to that, if the data is complex, in which case up to an extra 2 months can be granted for response. If extra time is required this should be confirmed in writing with an explanation as to why further time is needed.
Is there a charge for making a SAR?
Generally, there is no charge for making a subject access request. However, an organisation can charge an administration fee if there will be a lot of work involved in responding to the request. The one-month timescale doesn’t start until receipt of payment if a fee is chargeable.
How could a SAR affect my organisation?
Something we frequently remind our clients and contacts of is the right of individuals to access data held about them. This data can include formal aspects (contracts, file letters etc) as well as emails or more informal correspondence which has been sent and which relate to the individual.
In cases of, for example, redundancy, this means that all pre-meeting discussions can be seen by the individual. Should there be anything within those emails, notes, or correspondence which pre-judges outcomes or raises any concerns around equality, discrimination or protected characteristics these may well be obtained by the individual.
Therefore, all managers and organisations should be aware of the need to keep correspondence professional. Many are not aware that emails and notes can be produced to individuals, and this is something that can be costly and detrimental should these discussions not be professional and compliant.
If you require any further information regarding your responsibilities under GPDR, SAR or any other aspect of HR, please get in touch to speak with one of our team.