What Documents Should My Business in the UK Disclose Following a Subject Access Request?

In recent years, organisations in the UK have faced an increasing number of Subject Access Requests (SARs). Many business owners dislike SARs due to the administrative time they take up and the complexity of the relevant rules within the General Data Protection Regulation (GDPR). Pressure also results from the Information Commissioner’s Office (ICO) having the power to issue fines of up to £17.5m on any organisation that fails to deal with a SAR correctly. This article will explore the main types of documents your business should disclose following receipt of a SAR. This should help your business avoid committing a GDPR breach and any subsequent financial penalty from the ICO.

What is a Subject Access Request?

A SAR is a (usually written) request from an individual for a copy of all personal information relating to them. The SAR usually states whether the individual wishes for digital or printed copies of the data. Some individuals will label them as a Data Subject Access Request or DSAR.

There are two main types of SAR:

1. targeted SAR: one in which an individual asks for specific pieces of information (e.g. all emails between them and a specific manager within a period of time); and
2. general SAR: an individual simply asks for all personal data relating to them during their lifetime.

The rules for dealing with both are the same, though you are likely to disclose fewer documents in response to a targeted SAR.

What Rules Should My Company Comply With?

The core rules include the following:

• confirm receipt of the SAR (usually in writing);
• provide the individual with a digital or printed copy of the documents sought (verbally confirming the contents of a document down the phone is not sufficient);
• provide the information within one calendar month of receiving the SAR (with limited exceptions where the SAR is exceptionally complex or wide); and
• inform the individual whether any other third party has received the relevant documents you may have provided e.g. limited health records to an Occupational Health provider to assist a report.

Now we know the nature of a SAR and the core rules, let us consider which documents your organisation should disclose in response to a SAR.

1. Only Disclose the Documents Requested

This is where the difference between targeted and non-targeted SARs comes into play. For example, if an individual has only requested a copy of their sickness absence records, you should provide this document. Avoid the quicker option of sending their entire HR records.

2. Redact Confidential or Irrelevant Information

Step one aims to collate all relevant documents. The subsequent step involves a review of those documents and redacting any confidential or irrelevant information.

Redaction is a method of covering up specific bits of information within documents, so the recipient cannot view them. The traditional way on printed copies was to strike parts of the text with a thick black marker. Nowadays, there are digital methods of striking out information, so recipients cannot view it. Furthermore, it can guard against someone simply trying to copy and paste it into another document to read it.

It is essential to avoid misuse of redaction. Your business should refrain from using this method to cover up the information it does not want to disclose. Instead, use it to protect personal data relating to others. 

So, for example, if an email mentions the pension-related earnings of three different staff members, you would redact the parts of that email relating to the other two individuals. This is because disclosing that information to the SAR author would breach the privacy of those other staff members.

3. Avoid Disclosure of ‘Closed’ Documents

The first follow-up question here is obvious: what is a ‘closed’ document? The simple answer is that there are two main types of closed documents:

• any document recording legal advice between your company and its legal advisors (which is covered by ‘legal advice privilege’); and
• any correspondence marked ‘without prejudice’ and sent between your company and the relevant individual to negotiate a confidential deal.

Legal advice privilege only applies to genuine legal advice between a company and a lawyer, so any emails between you and an HR manager are not covered. For this reason, many business owners disclose sensitive matters by phone or in a meeting room rather than by email (to avoid sensitive topics falling within a SAR).

Without prejudice correspondence covers materials that aim to explore a potential deal. Your business cannot simply mark documents ‘without prejudice’ and expect them to remain confidential. Rather, those documents must also evidence at least one party aiming to progress negotiations. If so, these documents can be protected from disclosure even if the parties fail to achieve a deal.

Key Takeaways

Dealing with SARs will always take time and effort. Unfortunately, this is unavoidable given the need to search, compile and deliver documents to the SAR author. However, another potential stress is failing to deal with the SAR correctly and risking a fine from the ICO. The good news is that the above steps can help your organisation handle SARs efficiently and in line with GDPR principles.

If you need help complying with SARs, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page. 

Frequently Asked Questions