Subject Access Requests in practice: strategy vs. specifics

Subject Access Requests (SARs) are nobody's favourite topic. They can be time-consuming and difficult to manage. Almost all of the SARs that we get involved in have – in reality – very little to do with data protection rights. They're about customer dissatisfaction, mistrust, a grudge, the requestor feeling wronged or wanting to create disruption, or (and this one is at least in part related to data protection rights) it can simply be about making a point in the name of 'privacy activism'.

The ICO released updated guidance on the right of access in October 2020, available here. It's much better than its predecessor (which was showing its age) and the ICO have done a great job of coming up with some good, practical worked examples throughout the new guidance. There are also some helpful clarifications which we have detailed briefly below.

However, before we move on to specifics, it's worth mentioning that we spend a fair amount of time talking to clients about their SAR strategy. To be honest, we often get blank faces or (pre-Teams) dead air when we ask about the strategy for approaching any particular SAR or a type/category of SAR, but the fact is that this is one of the most important points for businesses to consider in practical terms when responding to rights requests and it very often gets forgotten. By the time we get involved, it's often too late for a strategy conversation to add any value. So what do we mean by this?

SAR strategy – the overlooked middle step

In response to GDPR's big stick (fines), most organisations drastically improved their ability to identify and triage SARs, and to respond to them by searching, extracting and reviewing the in-scope information. However, as a result of increased automation and improved processes (both significant positives in terms of risk mitigation and resource allocation), we often find that businesses are failing to capitalise on some fairly 'easy wins' at the beginning of the process. Instead of moving straight from triage into response, our recommendation is always that a business builds in a short pause for reflection to ask some 'real world' questions:

  • Is there a broader context here? What does the requestor really want?
  • If the broader context is contentious, where could this end up? An employment tribunal? Litigation?
  • What is the relationship with the requestor like? Has trust broken down? Is their behaviour predictable?
  • Have we conducted ourselves with 'clean hands' so far, or have there been failings in the business' handling of the requestor in the past?
  • What is our risk appetite like? How will this all look through the lens of hindsight if things go 'wrong' and this ends up in front of the ICO or subject to a claim for damages?

None of these questions will change your strict technical obligations when it comes to responding to the SAR, but it is absolutely vital to consider these points at the outset because – in practical and commercial terms – the answers will be crucial in determining your approach, focus and tone in terms of your engagement with the requestor.

Once you've thought about the broader context and come up with an approach, that's the point at which the new guidance from the ICO comes into its own in terms of the specifics of dealing with SARs.

SAR specifics: what the new ICO guidance confirms and clarifies

Unless requests are “manifestly unfounded” (e.g. where the requestor offers to withdraw the request in exchange for payment) or “manifestly excessive” (a more complex assessment looking at reasonableness and proportionality), the requestor’s motives don’t really matter in the context of your obligation to respond to the SAR (though there is case law in which a claimant’s costs award was reduced because of her “essentially antagonistic” motive; the bar, however, is high).

A word of caution: “manifestly excessive” is very unlikely to be triggered simply as a result of you unearthing tens of thousands of documents (good/proactive retention and deletion processes are the key here). Similarly, the requestor’s conduct will rarely matter either – for example, aggressive or abusive language will not necessarily make a request manifestly unfounded.

You can extend the deadline to respond to the SAR if the SAR is complex. Complexity does not arise simply as a result of there being a large volume of data to search or disclose. Your ‘strategy step’ (see above) will be really important here. For example, if there is ongoing or anticipated litigation and you either need to seek legal advice or apply lots of exemptions to the data, then you may well reach the complexity threshold and be able to extend.

If it’s not clear what you need to do in order to respond to a request (i.e. if it’s genuinely unclear what data is being requested) then you can ask the requestor for clarification and you can stop the clock while you wait for a reply. You must tell them that you’ve stopped the clock and your deadline is only extended by the number of days that it takes the requestor to clarify.

It’s worth a mention here that (as has always been the case) whilst you can ask the requestor to clarify, you cannot require them to narrow the scope of their SAR provided that it is a valid request relating to their own personal data.

The new guidance has some helpful examples in the context of data relating to (or not relating to) the requestor. We often see SARs where “all buildings” emails have been revealed in searches as a result of the requestor having been on CC on the recipient list (“cakes in the kitchen!”). You can materially reduce the effort required in responding to a SAR by understanding the limitations of the definition of in-scope personal data.

If the requestor is in fact undertaking a fishing exercise, attempting early disclosure or similar, then this can be a really helpful point to keep in mind. You are not obliged to provide copies of whole documents containing the requestor’s personal data; you could instead provide sections or transcripts. Equally helpful is that you are not required to create new information in order to respond to a SAR (though keep in mind the obligation to act reasonably and proportionately throughout).

We know that it can be easy to dive straight into the technical detail of SARs: there's a deadline and (hopefully) a well-oiled process. We also know that businesses often create more work for themselves by omitting the crucial consideration of strategy as a middle step. We have created an on-demand webinar that includes a discussion on SAR strategy together with lots of practical tips and learnings based on our real world experience of supporting clients with tricky SARs.

We have also created a "Subject Access in practice toolkit" for clients with steps and tips for making SARs as painless as possible. Please do get in touch if it would be helpful to discuss.
