Guide to managing Subject Access Requests (SARs)

Subject Access Requests (SARs) are a fundamental aspect of data protection legislation, allowing individuals to access the personal data that organisations hold about them.

An employee might submit a Subject Access Request (SAR) for various reasons, including:

1. Access to Personal Data: An employee may want to access personal data held by their employer, such as employment records, performance reviews, or disciplinary records.

2. Verification of Accuracy: They may wish to verify the accuracy of the personal data held by the organisation, such as contact information, employment history, or salary details.

3. Concerns about Data Processing: If an employee has concerns about how their personal data is being processed or used by the organisation, they may submit a SAR to obtain more information about the data processing activities.

4. Legal Proceedings: In preparation for legal proceedings or disputes, an employee may request access to personal data relevant to their case, such as emails, correspondence, or witness statements.

5. Exercising Data Protection Rights: Employees have the right to access their personal data under data protection laws, such as the General Data Protection Regulation (GDPR) in the UK. They may submit a SAR to exercise this right and obtain a copy of their personal data held by the organisation.

6. Investigating Incidents: In cases of suspected data breaches or security incidents, employees may request access to personal data to understand the extent of the breach and assess any potential impact on their personal information.

Overall, employees may submit a SAR to exercise their rights under data protection laws, gain transparency about the processing of their personal data, and ensure that their data is being handled in accordance with applicable regulations and organisational policies.

Effectively managing SARs is crucial to ensure compliance with data protection laws and maintain trust with employees. This guide outlines key steps to manage SARs efficiently and securely.

1. Understanding SAR Requirements:

• Familiarise yourself with relevant data protection laws, such as the General Data Protection Regulation (GDPR) in the UK.
• Know what constitutes personal data and understand the rights of individuals regarding their personal data, including the right to access under GDPR Article 15.

2. Establishing Procedures:

• Develop clear procedures for handling SARs within your organisation, outlining the steps employees should take to submit a SAR and the process for responding to requests.
• Identify who within the organisation is responsible for managing SARs and ensure that staff are trained on how to recognise and appropriately handle SARs.

3. Recognising SARs:

• Train HR staff and relevant employees to recognise SARs promptly. SARs can be made in writing or verbally, so ensure staff are aware of how to identify requests.
• Designate a central point of contact within the HR department for managing SARs and ensure that all employees know where to direct SARs they receive.

4. Responding Promptly:

• Act promptly upon receiving a SAR. Under GDPR, organisations are typically required to respond to SARs within one month, although this can be extended in certain circumstances.
• Acknowledge receipt of the SAR promptly and provide the individual with an estimated timeline for response.

5. Verifying Identity:

• Verify the identity of the individual making the SAR to ensure that you are disclosing personal data to the correct person.
• Request additional information or documentation if necessary to confirm the identity of the data subject.

6. Conducting Data Searches:

• Conduct thorough searches for the requested personal data across all relevant systems, databases, and paper records.
• Document the search process, including the sources searched and any challenges encountered in locating the requested data.

7. Reviewing and Redacting Data:

• Review the personal data found to ensure it is relevant to the SAR and does not contain information about third parties.
• Apply appropriate redactions to remove any third-party personal data or confidential information before disclosing the data to the individual.

8. Providing the Response:

• Provide the requested information in a clear and concise manner, either electronically or in hard copy, depending on the individual's preference.
• Include details of any exemptions applied, the legal basis for processing the data, and information on how the individual can exercise their rights if they are not satisfied with the response.

9. Documenting and Record-Keeping:

• Keep accurate records of SARs received, including the date of receipt, details of the requester, actions taken, and the date of response.
• Maintain documentation of the response provided, including any communications with the data subject and any decisions made regarding exemptions or redactions.

10. Continuous Improvement:

• Regularly review and update SAR procedures in line with changes to data protection laws and organisational practices.
• Provide ongoing training and support to HR staff and relevant employees to ensure they are equipped to handle SARs effectively.

By following these steps and implementing robust procedures for managing SARs, you can ensure compliance with data protection laws and effectively fulfill individuals' rights to access their personal data.

This not only helps to maintain legal compliance but also fosters trust and transparency with employees regarding the handling of their personal information.