Subject Access Requests (SARs) are a key right under the UK data protection regime, allowing people to access the personal data that organisations hold about them. Compliant handling of SARs is crucial from a liability perspective, but also from a reputational one: because the law clearly prescribes how such requests must be managed, mishandling them can reasonably be expected to erode trust and confidence in the organisation. A recent reprimand from the Information Commissioner’s Office (ICO) to one of the biggest acute NHS Trusts in the country highlights this importance.
What Happened?
The ICO found that the Trust failed to respond to 32% of SARs within the statutory one-month timeframe between March 2021 and March 2022. In missing this deadline on multiple occasions, the Trust failed to meet the standards set by the UK data protection regime, specifically Articles 12(3), 15(1) and 15(3) of the UK GDPR. The Trust in question serves around 769,474 people a year and employs approximately 9,136 people. It therefore processes personal data on a large scale and needed systems capable of supporting compliance at that scale. The Trust had reported problems with its former systems, and the ICO welcomed the remedial steps it had taken. Despite these mitigating factors, the ICO decided to publish a reprimand relating to the Trust on its website, along with several recommendations for improvement.
Why is this important?
Non-compliance can lead to legal penalties and, given the public nature of reprimands and enforcement action, it can also have a damaging effect on the organisation’s reputation.
Best Practices for Subject Access Requests
Best practice recommendations will vary depending on the organisation and the personal data it processes. However, the basics are the same across the board. These are:
- Know your deadlines: Remember, you may not always need to provide the personal data within one month, as a lawful extension may apply; however, in most cases you will still need to inform the requester that you are using the extension within one month.
- Have clear processes: Document and train staff on SAR procedures, including how to identify a SAR.
- Build systems to support compliance: Whether it’s an Outlook calendar tracking SAR requests or a bespoke system managing the SAR lifecycle, you should explore resources that are available to you to assist your compliance with the UK data protection regime.
- Audit regularly: Your DPO or privacy lead should regularly review the SAR lifecycle to keep ahead of potential problem areas.
- Communicate: Unless you are legally prohibited or a lawful exemption applies, you should always maintain transparency and uphold communications with data subjects.
Conclusion
The ICO’s reprimand is a reminder of the importance of lawful SAR handling. By following best practices, organisations can stay compliant, maintain trust, and respect individuals’ rights.
For any questions or concerns about your business’s activities relating to data protection please don’t hesitate to contact Stephens Scown’s Data Protection team.