Guide to managing Subject Access Requests (SARs)

£ 20

Our Guide to Managing Subject Access Requests (SARs) assists organisations in handling data requests efficiently and compliantly, ensuring transparency and adherence to data protection regulations.

Reading time: 10 mins
What is a Guide to managing Subject Access Requests (SARs)?

The purpose of this Guide to managing Subject Access Requests (SARs) is to provide you with a flexible and customisable document that serves as a robust and effective starting point.

By using our Guide to managing Subject Access Requests (SARs), you can streamline your process, maintain consistency and accuracy, and save time. It can be easily adapted to fit your specific scenario.

Applicable legal jurisdiction: Great Britain & NI (United Kingdom)

Guide to managing Subject Access Requests (SARs)

Subject Access Requests (SARs) are a fundamental aspect of data protection legislation, allowing individuals to access the personal data that organisations hold about them.

An employee might submit a Subject Access Request (SAR) for various reasons, including:

  1. Access to Personal Data: An employee may want to access personal data held by their employer, such as employment records, performance reviews, or disciplinary records.

  2. Verification of Accuracy: They may wish to verify the accuracy of the personal data held by the organisation, such as contact information, employment history, or salary details.

  3. Concerns about Data Processing: If an employee has concerns about how their personal data is being processed or used by the organisation, they may submit a SAR to obtain more information about the data processing activities.

  4. Legal Proceedings: In preparation for legal proceedings or disputes, an employee may request access to personal data relevant to their case, such as emails, correspondence, or witness statements.

  5. Exercising Data Protection Rights: Employees have the right to access their personal data under data protection laws, such as the General Data Protection Regulation (GDPR) in the UK. They may submit a SAR to exercise this right and obtain a copy of their personal data held by the organisation.

  6. Investigating Incidents: In cases of suspected data breaches or security incidents, employees may request access to personal data to understand the extent of the breach and assess any potential impact on their personal information.

Overall, employees may submit a SAR to exercise their rights under data protection laws, gain transparency about the processing of their personal data, and ensure that their data is being handled in accordance with applicable regulations and organisational policies.

Effectively managing SARs is crucial to ensure compliance with data protection laws and maintain trust with employees. This guide outlines key steps to manage SARs efficiently and securely.

1. Understanding SAR Requirements:

  • Familiarise yourself with relevant data protection laws, such as the General Data Protection Regulation (GDPR) in the UK.
  • Know what constitutes personal data and understand the rights of individuals regarding their personal data, including the right to access under GDPR Article 15.

2. Establishing Procedures:

  • Develop clear procedures for handling SARs within your organisation, outlining the steps employees should take to submit a SAR and the process for responding to requests.
  • Identify who within the organisation is responsible for managing SARs and ensure that staff are trained on how to recognise and appropriately handle SARs.

3. Recognising SARs:

  • Train HR staff and relevant employees to recognise SARs promptly. SARs can be made in writing or verbally, so ensure staff are aware of how to identify requests.
  • Designate a central point of contact within the HR department for managing SARs and ensure that all employees know where to direct SARs they receive.

4. Responding Promptly:

  • Act promptly upon receiving a SAR. Under GDPR, organisations are typically required to respond to SARs within one month, although this can be extended in certain circumstances.
  • Acknowledge receipt of the SAR promptly and provide the individual with an estimated timeline for response.

5. Verifying Identity:

  • Verify the identity of the individual making the SAR to ensure that you are disclosing personal data to the correct person.
  • Request additional information or documentation if necessary to confirm the identity of the data subject.

6. Conducting Data Searches:

  • Conduct thorough searches for the requested personal data across all relevant systems, databases, and paper records.
  • Document the search process, including the sources searched and any challenges encountered in locating the requested data.

7. Reviewing and Redacting Data:

  • Review the personal data found to ensure it is relevant to the SAR and does not contain information about third parties.
  • Apply appropriate redactions to remove any third-party personal data or confidential information before disclosing the data to the individual.

8. Providing the Response:

  • Provide the requested information in a clear and concise manner, either electronically or in hard copy, depending on the individual's preference.
  • Include details of any exemptions applied, the legal basis for processing the data, and information on how the individual can exercise their rights if they are not satisfied with the response.

9. Documenting and Record-Keeping:

  • Keep accurate records of SARs received, including the date of receipt, details of the requester, actions taken, and the date of response.
  • Maintain documentation of the response provided, including any communications with the data subject and any decisions made regarding exemptions or redactions.

10. Continuous Improvement:

  • Regularly review and update SAR procedures in line with changes to data protection laws and organisational practices.
  • Provide ongoing training and support to HR staff and relevant employees to ensure they are equipped to handle SARs effectively.

By following these steps and implementing robust procedures for managing SARs, you can ensure compliance with data protection laws and effectively fulfil individuals' rights to access their personal data.

This not only helps to maintain legal compliance but also fosters trust and transparency with employees regarding the handling of their personal information.

Why buy our Guide to managing Subject Access Requests (SARs)?

  • It's easily editable and implementable, saving you time and money
  • It's designed by CIPD-accredited Chartered HR practitioners with operational experience in this area
  • You will maintain compliance with ACAS guidelines, legislation, and industry best practices

What other advantages does buying from offer?

  • Email notifications for any updates made to this template or its accompanying materials
  • 12 months of unrestricted access without any additional costs (any update in that period is free to you)
  • A 25% discount on all library, toolkit, and template purchases/renewals
