Tom Llewellyn, commercial disputes and data protection partner at Ashfords, says that with the right robust measures in place and expert legal advice, businesses can navigate SARs without disrupting day-to-day running or damaging their reputation.
The UK Labour Party was publicly reprimanded by the Information Commissioner’s Office (ICO) for ‘repeatedly failing’ to respond to 352 subject access requests (SARs), with over half of the individuals (56 percent) not receiving a response for over a year – 11 months past the one-month deadline set by the ICO.
During the investigation, which was triggered by multiple complaints after the political party sustained a cyberattack, it was discovered there were an additional 646 SARs and 597 requests for information to be deleted sitting in a ‘privacy inbox’.
This incident, along with the 13 percent increase in complaints to the ICO about failures to comply in 2024, demonstrates why a clear action plan for dealing with SARs should be at the forefront of any CIO’s mind.
The balancing act between personal data and third parties
A key consideration when responding to SARs is the rights of third parties whose data may be mixed in with that of the requester. This is a complex and developing area, and if you get it wrong you could be liable either for breaching the data protection rights of those third parties or for not adequately responding to the SAR.
The High Court case Harrison v Cameron exposed the difficult balancing act between protecting third-party information and sufficiently responding to a SAR, highlighting the factors that must be considered when dealing with third-party information. It also demonstrates how a SAR can lead to a legal dispute.
A real estate investor (Harrison) contracted a landscaping company (Cameron) to carry out work on his property. The contract was terminated prematurely, resulting in a request for payment for the materials and services. A dispute unfolded and several threatening phone calls were made to Cameron who recorded the calls and shared them with family members, friends and colleagues.
Determined to uncover who had received the recordings, as he argued they had damaged his reputation, Harrison submitted a SAR seeking the names of all the people the recordings had been sent to. Cameron refused, in part because of the likelihood of those people becoming embroiled in hostile litigation. Harrison then sought unsuccessfully to force disclosure, but it was held that Cameron was justified in refusing to disclose the names of the recipients without their consent in order to protect them from hostile litigation.
This case highlights the complex issues that can ensue when dealing with SARs.
However, several steps can be taken to help resolve SARs swiftly and reduce the risk of legal proceedings or regulatory action.
Planning
It’s recommended that you put in place procedures for responding to SARs. These should cover both identifying SARs and designating responsibility for ensuring that they are responded to in time. SAR response planning should also include identifying every location that SARs might be sent to and ensuring that employees are trained to recognise them.
Define the scope of redactions
We regularly see the urge to apply wholesale redactions when dealing with a SAR, particularly when trying to meet tight deadlines, but this is unlikely to produce a response that complies with obligations under the UK GDPR.
Although the recent case demonstrates that you can hold back third-party information in certain circumstances, the position is nuanced, and you must document each step of your discovery and the reason for every redaction so you can draw upon that record at a later date if the requester appeals your response or the case is pursued in court. Other exemptions, such as legally privileged material or material that might prejudice negotiations with the requester, might also be applicable.
Act fast
SARs are usually triggered by an incident. This could be, as demonstrated by the Labour Party, an issue outside the organisation’s control such as a cyberattack that raises concern about the safety of data, or, in most cases, a last-ditch attempt by an unhappy individual, whether a customer or an employee, to address feelings of unfair treatment.
The rules state that an organisation must respond to a SAR within one calendar month of receiving the request. An extension of up to three months can be sought if the SAR is particularly complex. However, the point at which most organisations need to engage legal help comes when they do not act swiftly and leave requests too close to the deadline. How you respond from the start is likely to shape the whole course of resolving the issue.
Determining who will lead inquiries internally, setting clear internal deadlines for collating the data, and documenting the search process in full will help you resolve matters effectively.
Clarify the cause of the request
Understanding the root cause of a request may save valuable time and help create a clear strategy moving forward. It is not uncommon for a request to cover all personal information held about the requester when they are really only seeking a specific piece of data. Responding to the initial request to seek clarification also pauses the deadline clock until the further information has been provided.
Extracting data across all platforms
Trawling through various data storage systems can feel relentless when faced with a retrieval deadline. It is not uncommon for businesses, regardless of size, to store data in several locations, for example across multiple email inboxes, handheld devices and either on-premises or cloud-based storage. Having a clear understanding of where data is located, and of the custodians likely to hold relevant data, will significantly reduce discovery time once a SAR has been submitted.
Once you have identified where data is held, the next step is to search all potentially relevant data using keywords. The SAR may suggest some keywords and custodians, but organisations should carefully consider whether there are additional custodians or keywords that should be used. Failing to consider these at this stage could result in elements of the SAR having to be redone at a later date.
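The discovery steps described above (map sources to custodians, search every source with the requester's keywords plus any the organisation adds, and keep a written record to support later redaction decisions) can be made repeatable with a small script. The following is an added example, not code from the article or from Ashfords; the data sources, custodians, records and keywords in it are constructed sample values, and the whole-word, case-insensitive matching is one reasonable choice rather than a prescribed method.

```python
"""Added example (not from the article): a minimal SAR discovery helper.

It models the article's discovery steps: identify where data is held and who
holds it (custodians), search every source with the requester's keywords plus
any additional keywords the organisation adds, and log every search (including
those with zero hits) so the discovery process is documented for any later
challenge. All sources, custodians, records and keywords are constructed.
"""
from dataclasses import dataclass, field
import re


@dataclass
class Record:
    source: str      # constructed label, e.g. "mailbox:accounts"
    custodian: str   # person or team responsible for the source
    text: str


@dataclass
class SearchLog:
    """Audit trail of which keyword was run against which source."""
    entries: list = field(default_factory=list)

    def add(self, source, custodian, keyword, hits):
        self.entries.append({"source": source, "custodian": custodian,
                             "keyword": keyword, "hits": hits})

    def as_report(self):
        return [f"{e['source']} ({e['custodian']}): '{e['keyword']}' -> {e['hits']} hit(s)"
                for e in self.entries]


def search_sources(records, keywords):
    """Whole-word, case-insensitive search of every source for every keyword.

    Returns (matching records in original order, audit log). Each
    (source, keyword) pair is logged even when it yields no hits, so the log
    proves what was searched, not just what was found.
    """
    log = SearchLog()
    hit_indices = set()
    patterns = [(kw, re.compile(r"\b" + re.escape(kw) + r"\b", re.IGNORECASE))
                for kw in keywords]
    sources = sorted({(r.source, r.custodian) for r in records})
    for source, custodian in sources:
        idx = [i for i, r in enumerate(records)
               if (r.source, r.custodian) == (source, custodian)]
        for kw, pat in patterns:
            hits = [i for i in idx if pat.search(records[i].text)]
            log.add(source, custodian, kw, len(hits))
            hit_indices.update(hits)
    return [records[i] for i in sorted(hit_indices)], log


def run_discovery(records, requester_keywords, additional_keywords):
    """Run the search with the requester's keywords alone and then with the
    organisation's additional keywords, so the team can see which records
    would have been missed had it relied only on the request as written."""
    base, _ = search_sources(records, requester_keywords)
    full, log = search_sources(records, list(requester_keywords) + list(additional_keywords))
    base_ids = {id(r) for r in base}
    missed = [r for r in full if id(r) not in base_ids]
    return {"matches": full, "log": log, "missed_without_additional": missed}


# Constructed sample data: a handful of records spread over several sources.
SAMPLE_RECORDS = [
    Record("mailbox:accounts", "finance team", "Invoice reminder sent to Jane Smith about unpaid balance."),
    Record("mailbox:accounts", "finance team", "Quarterly VAT return filed."),
    Record("mailbox:sales", "sales lead", "J Smith called again to complain about the delay."),
    Record("fileshare:hr", "HR manager", "Staff rota for March."),
    Record("mobile:sales", "sales lead", "Text: Jane Smith - please stop calling"),
]
REQUESTER_KEYWORDS = ["Jane Smith", "complaint"]   # as suggested in the (constructed) SAR
ADDITIONAL_KEYWORDS = ["J Smith"]                  # variant the organisation adds itself

if __name__ == "__main__":
    result = run_discovery(SAMPLE_RECORDS, REQUESTER_KEYWORDS, ADDITIONAL_KEYWORDS)
    print(f"{len(result['matches'])} record(s) found; "
          f"{len(result['missed_without_additional'])} only via additional keywords")
    print("\n".join(result["log"].as_report()))
```

In the sample data the record held by the sales lead is only found through the organisation's added "J Smith" variant, which is the article's point about considering additional keywords before searching; the log also records the zero-hit searches of the HR fileshare, which is what lets the organisation later show that a source was checked rather than overlooked.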
SARs can demand complex decision-making that requires a team of people to resolve, but with the right robust measures in place and expert legal advice, you can navigate the requests without disrupting the day-to-day running of your business or damaging your reputation externally.