- 14 Aug 2024
- •
- 3 min read
Can we clarify a Subject Access Request (SAR)?
This article sets out what steps you should take when you receive a SAR from an individual for whom you hold a large amount of information, and it’s genuinely unclear what information is being requested.
When this happens, you have a choice to either perform a reasonable search of ‘all the information that you hold’ about them, or to ask the individual to clarify their request. It is for you to decide whether you hold a large amount of information about an individual and much will depend on the size of your organisation and your resources. Also, even if you hold a large amount of information about an individual, if you are able to find the information easily and quickly by performing a reasonable search then it is unlikely that you will be able to justify seeking clarification of the SAR.
If you ask the individual to clarify their SAR, you may ask for further details, such as the particular issues or incidents that they are concerned about, the likely dates of when you might have processed the data and any other additional context to assist you in fulfilling their request.
Whilst clarifying a SAR can be beneficial to both the individual and the organisation involved (see point 1 below), clarification must not be sought on a blanket basis. It is important to remember that the individual is entitled to ask for ‘all the information you hold’ about them and you therefore cannot compel an individual to narrow the scope of their request. If an individual responds to your clarification request by either simply repeating their SAR, or by declining to provide any further information, you must still fulfil their request, ensuring that you conduct reasonable searches for the information.
Managing the clarification of a SAR
When handling the SAR, it is essential to meet all legal requirements, and you should also make the clarification process quick and straightforward for individuals, providing advice and assistance whenever possible.
Our top tips to manage clarification of SARs effectively, are set out below:
- Explain to the individual that whilst they are entitled to request all the information held about them, you are only required to conduct a reasonable search of their records, so they may only receive some of the information held about them. Therefore, clarifying their request may enable a more precise search, meaning you will be better able to provide the specific information that the individual actually desires. It should hopefully also be a less time-consuming exercise for you to carry out.
- Explain to the individual the reason/s why you are seeking further details and ensure that if the Information Commissioner’s Office (ICO) was to question this that you could justify your position to them. It might assist to record your thought process in writing.
- If you need proof of ID and to seek clarification of the SAR, request ID documentation at the outset and prior to the individual providing clarification, unless there is a risk of disclosing personal data to the individual before you have checked their identity.
- Request clarification promptly and without undue delay after receiving the SAR. This will allow you to quickly focus on searching for the information the individual requires, enabling you to respond within the set time limits (see our previous article How long does my organisation have to respond to a SAR and below).
- Explain to the individual that the clock stops from the date that the organisation requests clarification and will resume once they respond.
- Contact the individual in the same format they made the request, so if they have emailed the SAR, email back with the request for clarification.
- Provide the individual with the information that you are able to even without seeking clarification (if possible). For example, you are likely to be able to provide a general confirmation that you hold personal data about the individual and you should also be in a position to provide some of the supplementary information prescribed by the UK GDPR, such as:
- the individual’s right to request rectification, erasure or restriction, or to object to processing; and
- the individual’s right to lodge a complaint with the ICO.
If your privacy notice already contains this information, then it is perfectly acceptable to provide a copy or link to it. If possible, provide the information that you are able to within one month of receiving the SAR.
Our data protection team has many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421.
If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please email [email protected].