
What Documents Should My Business in England Disclose Following a Subject Access Request?

In recent years, organisations in the UK have faced an increasing number of Subject Access Requests (SARs). Many business owners dislike SARs because of the administrative time they take up and the complexity of the relevant rules within the General Data Protection Regulation (GDPR). Pressure also results from the Information Commissioner’s Office (ICO) having the power to impose fines of up to £17.5m on any organisation that fails to deal with a SAR correctly.

This article will explore the main types of documents your business should disclose following receipt of a Subject Access Request. Accordingly, this should help your business avoid committing a UK GDPR breach and any subsequent financial penalty from the ICO.

What is a Subject Access Request?

A SAR is a (usually written) request from an individual for a copy of all personal information relating to them. The SAR usually states whether the individual wishes for digital or printed copies of the data. Some individuals will label them as a Data Subject Access Request or DSAR, which is the same thing.

There are two main types of SAR:

  1. targeted SAR: one in which an individual asks for specific pieces of information (e.g. all emails between them and a specific manager within a period); and
  2. general SAR: an individual simply asks for all personal data relating to them during their lifetime.

The rules for dealing with both are the same, albeit you will likely disclose fewer documents in response to a targeted SAR.

What Rules Should My Company Comply With?

The core rules include the following:

  • confirm receipt of the SAR (usually in writing);
  • provide the individual with a digital or printed copy of the documents sought (verbally confirming the contents of a document down the phone is not sufficient);
  • provide the information within one calendar month of receiving the SAR (with limited exceptions where the SAR is exceptionally complex or broad); and
  • inform the individual whether any other third party has received the relevant documents (for example, you may have provided limited health records to an Occupational Health provider to assist a report).

Now we know the nature of a SAR and the core rules, let us consider which documents your organisation should disclose in response to a Subject Access Request.


1. Only Disclose the Documents Requested

This is where the difference between targeted and non-targeted SARs comes into play. For example, if an individual has only asked for a copy of their sickness absence records, you should provide this document rather than sending their entire HR records.

If your company is in doubt about which documents the individual is interested in, you should write to them and ask them to describe the records sought and the purpose behind the request. This can simplify matters considerably. For example, if an employee told you that they wanted documentation to help a pension appeal, you would know that payslips and pension emails were relevant personal data (but disciplinary records were not).

2. Redact Confidential or Irrelevant Information

This is step two for a reason. Step one aims to get all relevant documents together, whilst this step involves a review of those documents and redacting any confidential or irrelevant information.

Redaction is a method of covering up specific sections of information within documents, so the recipient cannot view them. The traditional way, on printed copies, was to strike parts of the text with a thick black marker. Nowadays, there are digital methods of striking out information, so recipients cannot view it. These digital methods also guard against someone simply trying to copy and paste the redacted text into another document to read it.

It is essential to avoid misuse of redaction. Your business should not use this method to cover up the information it does not want to disclose but, instead, use it to protect personal data relating to others.

So, for example, if an email mentions the pension-related earnings of three different staff members, you would redact the parts of that email relating to the other two individuals. This is because disclosing that information to the SAR author would breach the privacy of those other staff members.

3. Avoid Disclosure of ‘Closed’ Documents

The first follow-up question here is obvious: what is a ‘closed’ document? The simple answer is that there are two main types of closed documents:

  • any document recording legal advice between your company and its legal advisors (which is covered by ‘legal advice privilege’); and
  • any correspondence marked ‘without prejudice’ and sent between your company and the relevant individual to negotiate a confidential deal.

Legal advice privilege only applies to genuine legal advice between a company and a lawyer, so any emails between you and an HR manager are not covered. For this reason, many business owners discuss sensitive matters by phone or in a meeting room rather than by email, to avoid sensitive topics falling within the scope of a SAR.

Without prejudice correspondence covers materials that aim to explore a potential deal. Your business cannot simply mark documents ‘without prejudice’ and expect them to remain confidential. Instead, these documents must also evidence at least one party aiming to progress negotiations. If so, these documents can be protected from disclosure even if the parties fail to achieve a deal.

Key Takeaways

Dealing with Subject Access Requests will take time and effort. Unfortunately, this is unavoidable, given the need to search, compile and deliver documents to the SAR author. However, another potential stress is failing to deal with the SAR correctly and risking a fine from the ICO. The good news is that the above steps can help your organisation handle SARs efficiently and in line with GDPR principles.

If you need help complying with Subject Access Requests, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Does the ICO regularly deliver high fines to companies for SAR breaches?

No, financial penalties in the millions are unusual. However, the ICO is open to handing out fines in the thousands or tens of thousands of pounds for GDPR breaches, so your business should handle SARs safely.

Can my business refuse to carry out a SAR if it believes the individual is considering an Employment Tribunal claim?

No, the reason for the SAR is mostly irrelevant in the ICO’s eyes. If a disgruntled employee lodges a genuine SAR, any failure to process it in the same way as for any other person will likely be viewed as unfair by the ICO or any Employment Tribunal. 

Thomas Sutherland
