How to cope with Subject Access Requests

The Data Protection Act 2018 (DPA) allows a person to make a subject access request (SAR) for the data you process about them, and for copies of those data along with information about how and why you process them. Any of you that have responded to a request know that the obligation can be onerous, and the surrounding rules can be complex.

The Information Commissioner’s Office (ICO) has updated its guidance to include examples and provide clarity.

What are the rules?

I want everything

SARs often request ‘all the information you hold about me’, with no further detail. You can pause the time limit for responding to the SAR if you need clarification in order to respond and you hold a large amount of data about the subject.

How hard must you look?

If the SAR is broad, you need only perform a ‘reasonable’ search. But you must be able to demonstrate that your search was reasonable and proportionate given the circumstances of the SAR and your ability to access the data.

E-mails

The ICO has confirmed that data processors do not need to provide a data subject with all e-mails to which he or she is a party. The SAR covers only messages in which the content relates to the data subject.

Manifestly unfounded or excessive requests

You do not need to respond to a request that is ‘manifestly unfounded or excessive’, but what does the phrase mean?

Manifestly excessive: is the SAR proportionate when balanced against the burden or cost of fulfilling the request?

Manifestly unfounded: the requester ‘clearly has no intention to exercise their right of access’ — the ICO provides the example of an individual offering to withdraw a request in return for a benefit; or if the request is made ‘with malicious intent or used to harass the organisation with no real purpose other than to cause disruption’.