If you have a question you'd like to ask our experts, please get in touch on firstname.lastname@example.org.
What is a subject access request and what information does an agent need to provide?
Bernard George, solicitor for Socrates Training Ltd:
Most small businesses never get a subject access request. By far the most likely case is where a disgruntled former employee is considering bringing an employment claim.
In that case, they often start with an SAR in order to collect evidence. In such cases, you should get legal advice before doing anything.
The best advice is not to record information which would embarrass you if someone did make an SAR. Email banter about clients and colleagues, for example, is all disclosable, and tribunals are not known for their sense of humour.
Damon Bullimore, chief information officer at BriefYourMarket.com:
Under the GDPR, individuals can issue a subject access request to agents to obtain a copy of personal data held by the business.
As the ICO state, “Individuals can make a subject access request verbally or in writing, [agents will] have one month to respond to a request, [and] you cannot charge a fee to deal with a request in most circumstances.”
Agents will need to have a comprehensive understanding as to what constitutes personal data. For more information about this, they should consult the ICO’s guide here.
A request can be made verbally or in writing, across all areas of your organisation – including social media. Any member of your organisation can receive a request, so it’s important that they are trained to handle them.
Annemarie Proudfoot, head of customer relations at BestAgent:
When a customer (data subject) submits a ‘subject access request’, a company must show the (personal) data that it has collected on that customer.
In the agency world, this covers contact and personal information.
It does not include an agent’s work notes related to a customer.
Jon Baines, data protection advisor at Mishcon de Reya LLP:
The right of subject access has existed in data protection law for many years now, so many organisations will be used to handling them. However, GDPR does bring a few significant changes.
At root, a subject access request (SAR) is a right that a person has to ask whether an organisation is processing their personal data, and if they are, to be told (among various things) what the purposes are, to whom the data is being or may be disclosed, and how long it will be retained. And crucially, a copy of the information must be provided.
This is substantially the same position as existed pre-GDPR. But, previously, organisations had the general right to charge a fee, and they had forty days to comply. Under GDPR, a fee cannot generally be charged and the request must be responded to within one month.
However, it is important to note that if a request is 'manifestly unfounded', or excessive, a 'reasonable' fee can be charged or the request can simply be refused.
Additionally, the time for compliance can be extended by a further two months, taking into account the complexity and number of requests.
A person has a right to complain to the Information Commissioner if they are unhappy with how their request has been handled.
Anyone dealing with a SAR should remember that the right is regarding the requester’s personal data, and doesn’t extend to other information held.
The GDPR team at Mishcon de Reya comprises data protection experts as well as non-lawyer cyber security specialists. If you would like any advice on how to manage GDPR within your organisation, please contact Jon Baines.
Angels Media Ltd encourages you to seek additional guidance, including professional legal advice, to ensure that all of your business operations are ready for the GDPR.
Angels Media Ltd Legal Disclaimer:
The information contained here is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice.
We would like to stress that there is no substitute for making your own detailed investigations or seeking your own legal advice if you are unsure about the implications of the GDPR on your businesses.
While we have made every effort to ensure that the information covered here is correct and up to date, Angels Media Ltd makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied.
Angels Media Ltd will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.