Subject access requests and how to survive them

Given the publicity surrounding data protection, it is perhaps unsurprising that we have seen an increase of individuals asserting their data protection rights. This has caused not only an increase in satellite litigation but also an increase in subject access requests (SAR) by litigants searching for documents that they think will assist their litigation.

We have set out below how a SAR interplays with ongoing litigation and also some top tips for handling SARs.

Interplay of SARs and litigation

As we know, a SAR is where an individual asks a company or organisation for a copy of all of their “personal data” (in short, information) held about them.   They may be seeking premature disclosure of documents or they may be hoping to find the “smoking gun” that they believe will support their claim. 

 If you receive a SAR and there is anticipated litigation or ongoing litigation you should be aware of the following:

SARs are generally motive blind – you cannot ignore a SAR on the basis that there is already anticipated litigation/ongoing litigation. To ignore it could give the individual a further (and possibly good) claim under the data protection legislation which could be added to the wider claim. This may also make any settlement discussions more difficult and protracted.

Timeframe – requests must be complied with without undue delay and at the latest within one month of receipt of the request (albeit this can be extended by a further two months in certain circumstances). The effect is that the litigant is likely to get the SAR response before disclosure in the litigation takes place. However, a requestor is only entitled to receive their own personal data within documents, rather than documents in their entirety.

Disclosure obligations in the litigation – clearly it is unhelpful to disclose documents as part of disclosure that were not provided in response to the SAR. For this reason, when considering your SAR response you should also consider how it would appear if a certain document was not provided as part of the SAR and is later formally disclosed in the litigation. You should document carefully any decision taken not to disclose an important document so that you have a record of your decision-making process that can be relied on if that decision is later challenged.

 Ten top tips

These are our ten top tips if you are on the receiving end of a SAR:

1.     Make sure it is a SAR: you should check whether it should be dealt with as a SAR or under another process eg under the Freedom of Information Act 2000. Practically speaking, this means writing to the data subject (the person making the request) to tell them how you have understood their SAR and to ask them to respond if you have misunderstood their request. In any event, it is good practice to acknowledge receipt of a request.

2.     Know where personal data is held within the business: you will only have one month to respond to a SAR therefore it is important to know where personal data may be held (email, paper files, electronic systems (which could include all the data bases you use, for example for the payroll function of the business)). This can be planned for in advance by undertaking an internal audit to produce a road map of where personal data is held.

3.     Have a clear SAR process: Have a clear written process for handling SARs, which will help you comply with the one month deadline. The audit of where personal data is held can be included as part of that process so that a person who is new to the business or new to the SAR process will know where to start.

4.     Know what to search for:  Searching for and handling personal data requested under a SAR can be extensive, laborious and time consuming, so it may be sensible to engage with the data subject to identify what they are looking for and where they consider their personal data is held. If you can agree keywords with the requestor, this will cut down your work, sometimes significantly.

5.     Good record keeping is paramount: Make sure you know where was searched and what was sent to the data subject. This is important should the individual challenge what has been provided. The requestor may complain to the Information Commissioner’s Office (ICO), which regulates compliance with data protection and information law in the UK, about your handling of the request.  If the ICO were to investigate after receiving a complaint, the legislation expects you to have good records of the SARs that have been made.

6.     Personal data only:  The individual is only entitled to their personal data, not to personal data of other people (unless mixed with theirs and appropriate to disclose) or “information” generally. This means that they are not entitled to information that is solely about the business and how it operates under the SAR regime, although the position may be different under the disclosure rules.

7.     Consider exemptions: There are various exemptions that can be applied to legitimately limit what is provided to the individual. This includes if the communications are privileged or if the communications discuss settlement negotiations about a dispute regarding the individual (this is particularly important in the context of employment disputes).

8.     Other people’s personal data:  Be careful about third party personal data and allow time to consult third parties about their views on providing their data to the requestor.  You should take third party views into account but should also consider wider factors.  This may mean that you disclose data despite a third party’s objection.  Third parties may include employees with whom you will need to communicate your decision in advance of disclosure.

9.     Policy and data review:  Review and refresh policies with regard to retention periods so that you are not keeping personal data for longer than is necessary. This would reduce the amount of data you would need to review when responding to a SAR. This is required in any event in order to comply with the GDPR.

10.  Don’t delete data after receiving a request: You should not delete any of the requestor’s personal data between receiving the request and responding to it unless you would have done so in the normal course of business, as this is a criminal offence.  The duty not to delete may to some extent overlap with your duty to preserve documents following receipt of a civil or employment claim.