Guidelines for responding to a Subject Access Request
On receipt of a valid Subject Access Request, we recommend that you follow these high-level steps:
Agree Scope – facilitate discussion between Data Controller and (where possible) the Data Subject to establish the focus of their request and limit the scope.
Agree Stakeholders – based on the ‘temp test’ criteria, starting at a reasonable, central data source, agree the internal and external (third-party) stakeholders who are likely to have access to data relating to the Data Subject.
Communications – prepare a script outlining the agreed scope and extent of the Request, and send it to the agreed list of stakeholders with clear instructions regarding the time-line for response, the fact that the request relates to both manual and automated data, and advice on the appropriate mechanism for responses – whether electronic, manual, redacted or ‘original’.
Permanent and Intelligible Format – at this point, it may also be necessary to agree the ‘intelligibility’ criteria – language, glossary of terms, translation of text, interpretation of hand-written notes, etc.
Agree time-line – the ‘clock’ starts at the point when the Request meets the validity criteria, i.e. is in writing, and the identity of the Data Subject has been verified to the Controller’s satisfaction. Payment of a fee may be required, but is not a factor which should halt the commencement of the data collation (non-payment may be a reason to withhold the ultimate release of the data, however).
Data Collection – extensive search for all instances of references to the Data Subject, within the scope agreed. Collate to a central point, preferably with a project manager to coordinate receipt and organisation of the incoming data. Involves retrieval from off-site archive, running e-discovery against relevant databases, searches of staff hard drives, storage devices and home PCs where company data has been processed by staff off-line or at home, and a trawl of operational systems and file storage. Does not involve a review of statistical data, historical (non-operational) archives or the content of system back-ups.
Review – based on the agreed criteria, a review of the incoming material should be held in order to identify which data meets the criteria, and which are to be omitted from the process (e.g. data to which the Data Subject already has access, or data which mentions but is not ‘about’ the Subject – e.g. a list of the attendees at a particular meeting).
Collation – agree a point at which all sources of relevant data have been searched, and a full response to the Request has been acknowledged from all stakeholders. All electronic records to be printed out at this stage, and gathered alongside the manual originals to form a central repository of data.
Redaction – a full copy of all material is made, and held in reserve as a baseline reference set for the Data Controller. The source material is then used as the Redaction Set. Unless their permission has been received to disclose their data, any reference to a third party should be redacted so that the Data Subject only receives data which relates to themselves. Very tedious, but involves manual redaction of the appropriate references.
Copies – Once fully redacted and reviewed by in-house counsel to ensure that it complies with the agreed criteria, a full copy of the redacted material should be made for the Requestor. The ‘original’ redacted copy is held for reference by the Data Controller.
Disclosure – The Data Subject is then notified, and a secure means of delivery of the material is agreed, with the Data Controller getting acknowledgement of receipt from the Data Subject.
Timeline – the 40 calendar days permitted by the legislation should be considered as a limit, and not a target – i.e. the organisation should strive to complete the request as soon as possible after receipt. If a delay is anticipated, the Requestor should be informed so that their expectations are managed throughout the process.
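The Redaction step above is the one most often done by hand, and the part that benefits most from tooling is keeping the baseline reference set separate from the Redaction Set, redacting only third parties who have not consented, and producing a per-document count for in-house counsel to check. The following Python script is an added example written for this page, not the page's own or any organisation's procedure: the file names, the Data Subject ‘Alex Sample’, the third parties and their consent flags are all constructed, and the name/e-mail matching is a simple pattern approach that a real exercise would supplement with manual review.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Pattern, Tuple

# Constructed sample of collected material (hypothetical paths and content).
COLLECTED: Dict[str, str] = {
    "hr/appraisal-2019.txt": (
        "Appraisal meeting for Alex Sample, attended by Jane Roe (HR) and Sam Other. "
        "Alex Sample met objectives."
    ),
    "email/thread-114.txt": (
        "From: jane.roe@example.com\nTo: alex.sample@example.com\n"
        "Alex, Sam Other asked about your leave request. Jane"
    ),
    "it/access-log.txt": (
        "2019-03-04 login alex.sample@example.com\n"
        "2019-03-04 login sam.other@example.com\n"
    ),
}

DATA_SUBJECT = "Alex Sample"  # constructed requester name


@dataclass(frozen=True)
class ThirdParty:
    """A person other than the Data Subject who appears in the material."""
    name: str
    email: Optional[str] = None
    consented: bool = False  # True only if they agreed to disclosure


# Constructed stakeholder list with consent decisions recorded per person.
THIRD_PARTIES: List[ThirdParty] = [
    ThirdParty("Jane Roe", "jane.roe@example.com", consented=True),
    ThirdParty("Sam Other", "sam.other@example.com", consented=False),
]

REDACTION_MARK = "[REDACTED]"


def build_redaction_pattern(parties: List[ThirdParty], subject: str) -> Optional[Pattern]:
    """Compile one pattern covering every non-consenting third party.

    The Data Subject is never redacted, and consenting parties are left in place.
    Longer terms are tried first so a full name wins over any shorter overlap.
    """
    terms: List[str] = []
    for party in parties:
        if party.consented or party.name.casefold() == subject.casefold():
            continue
        terms.append(party.name)
        if party.email:
            terms.append(party.email)
    if not terms:
        return None
    alternation = "|".join(re.escape(t) for t in sorted(terms, key=len, reverse=True))
    # (?<!\w) / (?!\w) stop "Sam Other" matching inside a longer token.
    return re.compile(rf"(?<!\w)(?:{alternation})(?!\w)", re.IGNORECASE)


def redact_text(text: str, pattern: Optional[Pattern]) -> Tuple[str, int]:
    """Return the redacted text and the number of references removed."""
    if pattern is None:
        return text, 0
    return pattern.subn(REDACTION_MARK, text)


def fingerprint(text: str) -> str:
    """SHA-256 of a document, used to prove the baseline copy is unaltered."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def prepare_redaction_set(documents: Dict[str, str], subject: str,
                          parties: List[ThirdParty]) -> Dict[str, Dict[str, object]]:
    """Produce the baseline fingerprints, the Redaction Set and a redaction log."""
    pattern = build_redaction_pattern(parties, subject)
    baseline: Dict[str, str] = {}
    redacted: Dict[str, str] = {}
    log: Dict[str, int] = {}
    for path, text in documents.items():
        baseline[path] = fingerprint(text)          # reference set, untouched
        redacted[path], log[path] = redact_text(text, pattern)
    return {"baseline_sha256": baseline, "redacted": redacted, "redactions": log}


if __name__ == "__main__":
    result = prepare_redaction_set(COLLECTED, DATA_SUBJECT, THIRD_PARTIES)
    for path, count in result["redactions"].items():
        print(f"{path}: {count} redaction(s), baseline {result['baseline_sha256'][path][:12]}")
        print(result["redacted"][path])
```

The redaction log is what counsel reviews against the Redaction Set before the Requestor's copy is made; the baseline fingerprints let the Data Controller later show that the reserved originals match what was collected. Any reference the pattern cannot see (nicknames, hand-written notes, scanned images) still needs the manual pass the page describes.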