What is a SAR?
The Subject Access Request (SAR) is the right of access afforded under the Data Protection legislation of 2018. Broadly, it allows any individual to request a copy of any information an organisation holds concerning them.
Any individual can make a SAR and an organisation has to respond to their request as long as it is reasonable to do so.
When the legislation was initially introduced there was some ambiguity. Many organisations needed clarification on subjects such as:
- Who can access the information?
- How much information should be provided?
- In what format should a SAR be presented?
- Were there exemptions for repeat requests?
- What needed to be done if there were nuisance requests?
- Could fees be charged for excessive cost to fulfil a SAR?
- How much time could be taken, and when does the clock start ticking?
There were gaps in understanding that only became more apparent when the law was implemented.
The ICO (Information Commissioner’s Office) sent out a consultation paper in December 2019. There is now a short briefing and a full detailed guide to rights of access available on their website, which I will be covering in this series.
Over these four blogs I am going to discuss a little of what the new SAR detailed guide contains, and what it means for individuals seeking to exercise their rights and for organisations that have to comply.
The ICO Statement, TL;DR Format
- Individuals have the right to access and receive a copy of their personal data;
- This is commonly referred to as a subject access request;
- Individuals can make SARs verbally or in writing;
- A third party can also make a SAR;
- You may not normally charge a fee;
- You should respond without delay and within one month;
- In some circumstances you can extend the time limit by a further two months;
- You should perform a reasonable search;
- You should provide the information in an accessible format;
- There are certain circumstances in which you can refuse to provide the information.
In the next article I will be looking a little more closely at the right of access and how to recognise who has the right to access. I will also be looking at access rights on behalf of others.
For detailed guidance on SARs, visit the ICO website.