Date updated: Friday 8th December 2023

Recently, there have been several instances of politicians and other high-profile figures making subject access requests to organisations and releasing their discoveries to the media. These statutory requests for information are increasingly being used as a tool by public figures to discover what an organisation has been saying about them. These incidents serve as warnings to organisations that any internal communications may become the focus of a subject access request (SAR) that, once made, may necessitate the release of everything in scope – including those emails and messages you never expected anyone but your colleague to read.

Under the UK General Data Protection Regulation (UK GDPR), individuals have a legal right to make a SAR to an organisation to find out what information it holds about them. This right applies to any recorded information held, and can include everything from official documentation to WhatsApp chats. An organisation does have the right to refuse to release certain information, but only under limited exceptions. Once released, the data subject is under no obligation to keep the information private. As a result, SARs can be costly for an organisation and, where good practice is not followed, have the potential to result in significant reputational damage.

To ensure that your organisation does not suffer as a result of a SAR, there are a number of strategies you can adopt to mitigate the risk. Having an internal communication policy can go a long way towards ensuring that only professional, accurate comments are put on record. It is important to ensure that the communication policy is well circulated and understood by everyone working for the organisation, including trustees, employees and volunteers. Trustees should satisfy themselves that the policy is fit for purpose and is being effectively implemented ‘on the ground’.

Similarly, managing personal data in accordance with a data retention policy, regularly reviewing the data you hold, and deleting or anonymising data when it is no longer needed can ensure that only necessary information is held, and only for the appropriate time. Good records management is key to ensuring that SARs are complied with efficiently and effectively.

Finally, training all staff and volunteers on data protection, including data retention and SARs, can be the difference between a simple SAR that carries no risk and a costly SAR that results in significant reputational damage. By keeping your employees updated on data protection best practice and the risks associated with data processing, you can get ahead of the curve and be assured that your organisation will not attract unwelcome media attention as a result of a targeted SAR.