
Do you know how to respond to a Subject Access Request (SAR)? Cardiff City Council has been told by the Information Commissioner’s Office to improve its processes for handling ‘SARs’.

The Information Commissioner’s Office (ICO) has issued an undertaking to Cardiff City Council, which requires the authority to improve its practices regarding Subject Access Requests (SARs).

This came about after the council failed to respond to a SAR within the 40 working days timeline set out in the Data Protection Act (DPA), which subsequently triggered a complaint to the ICO by the individual concerned. This failure prompted the Information Commissioner to take a closer look at the council’s SAR compliance in general and found it to be wanting.

The ICO requires that the council will:

1. Clearly define procedures for dealing with subject access requests, and make sure that all staff involved in such work receive appropriate training in how to follow them;

2. Ensure that appropriate checks and supervision are put in place to ensure that third-party data is dealt with in accordance with the Act’s requirements and the data controller’s policies and procedures;

3. Make sure that sufficient measures are in place for the storage of paper records to ensure that subject access requests are responded to appropriately.

Organisations processing personal data must have regard to the eight principles of the DPA and the 6th principle (relevant to this case) states that “Personal data shall be processed in accordance with the rights of data subjects under the Act”.

One of those individual rights is “a right of access to a copy of the information comprised in their personal data” which they can exercise by making a subject access request to the appropriate organisation; the ICO considers this to be one of the fundamental aspects of the DPA and generally takes a very dim view of any organisation not fulfilling its obligations in this respect.

So, could your organisation handle a ‘Subject Access Request’? Would staff even recognise such a request, bearing in mind that it doesn’t have to follow a standard form and could arrive by letter or email? Will you charge the allowable fee (currently £10.00, with some exceptions)? Do you even know where all your client, staff, customer, supplier, etc. personal data (electronic and manual) is held and how easy it would be to access it? Finally, could you pull the whole thing together and respond within the 40 working days (not as easy as it seems!)?

The ICO has just published the ‘Subject Access Code of Practice’ (58 pages!), available from their website, or get in touch to discuss (we’ve helped a client successfully negotiate this minefield, including complaints and challenges by the ICO).
