A SAR is simply a written request made by an individual for the information which he or she is entitled to ask for under section 7 of the Data Protection Act 1998 (DPA). The request does not have to be in any particular form but an employee can be required to pay a £10 fee.
An employee is entitled to know:
- Whether “personal” data about them is being processed.
- A description of the data, why it is being processed and who is processing it.
- The information constituting the personal data.
- Any information on the source of the data.
In practice what tends to happen is that an employer sends an employee copies of emails/documents of which the employee is the subject and copies of the employee’s personnel file. Often this is problematic, because employees tend to only make such requests when there are disciplinary or grievance issues and the employer does not necessarily want the employee to read what has been said about him or her.
Firstly, data is only likely to be considered personal data and thus disclosable if:
- A living individual can be identified either from the information alone, or with other information which is in the possession of the data controller.
- The information relates to the person in his personal or family life, business or profession.
- The information is used to inform or influence actions or decisions affecting that person.
- The information focuses on the individual as its central theme rather than on some transaction or event.
- The information impacts or has the potential to impact on an individual in a personal, family, business or professional capacity.
Secondly, manual data must be held in a ‘relevant filing system’, that is, one which is sufficiently structured to provide the same or similar ready accessibility as a computerised filing system. That would eliminate the majority of paper personnel files.
Once personal data has been identified as being potentially disclosable an employer should then consider whether any of the statutory exemptions apply:
- Personal data processed in connection with management forecasting or planning, the disclosure of which would prejudice the conduct of the business, need not be disclosed.
- Records of intentions in relation to negotiations between employer and employee, the disclosure of which would be likely to prejudice those negotiations, need not be disclosed.
- Documents subject to legal privilege are exempt from disclosure.
- Health records, the disclosure of which would be likely to cause serious harm to the employee’s physical or mental health or that of another person, need not be disclosed.
Any third party data or information should also be redacted.
There is no obligation to provide an original document (for example, a letter or an e-mail) containing personal data. It is the information constituting the personal data contained in the document that must be supplied.
The DPA does not contain any express provisions permitting an employer to refuse to respond if it considers a request to be onerous. However, if an employer acts reasonably when handling onerous requests, it is likely to promote a favourable exercise of discretion by the court or the Information Commissioner.
In Dawson-Damer v Taylor Wessing, the High Court refused an application for an order for compliance with a subject access request, as it was not reasonable or proportionate for the solicitors' firm to whom the requests were made to carry out costly searches of files dating back at least 30 years to determine whether or not the information requested was protected by legal professional privilege. See http://www.bailii.org/ew/cases/EWHC/Ch/2015/2366.html.
So our top tips for handling SARs are as follows:
- Insist on payment of the £10 fee and, if necessary, appropriate identification documents to verify the identity of the person making the request.
- Once the appropriate fee has been received, acknowledge the request and set out the time limit for compliance (40 days from receipt of the request).
- If the request is likely to be onerous, see if the scope of the searches can be agreed e.g. limited to a particular time frame or particular word searches.
- Appoint an individual to manage the request.
- Carry out searches for personal information, using word searches on email systems if appropriate.
- Once the data has been collated review it to assess whether it is personal data and potentially disclosable.
- Redact any third party information.
- Apply any appropriate exemptions.
- Provide a written response.