
How long does my organisation have to respond to a subject access request (SAR)?


In our last article we looked at what a SAR is, who may make a SAR and the importance of promptly recognising when a SAR is received. In this article we are moving on to consider in more detail how long organisations have to respond to a SAR.

Standard response time

The starting point is that an organisation is required to respond to a SAR “without undue delay” and in any event within one month of receipt of the SAR. Note that no extra time is given for bank holidays or short months (hence the challenges of SARs received over Christmas) and that this is the time period for providing a full response, not a holding letter or a partial response.

If the deadline for responding to a SAR falls on a weekend, then the date for responding is the next working day. If a SAR is received at the end of the month, say 31 January, then the response will be due by the end of the following month so in some months the organisation could lose a day or more of its time to respond when compared to other months.

Extension to standard response time

The standard one month time period for responding to a SAR can be ‘extended’ in three main sets of circumstances.

Firstly, if:

  1. you need to ask for ID from the individual to verify you are dealing with the person you think you are;
  2. you need more information in order to deal with the SAR; or
  3. any clarification of the SAR is needed,

then the one month clock starts on the day the SAR is received, stops on the date you make such a request and re-starts when the required information / documentation is provided. Note therefore that the one month period does not begin afresh from when the further information or clarification is provided; the clock is merely paused. Organisations should therefore not delay in seeking additional documentation, information or clarification of SARs thinking it buys them time, as it doesn’t!

For example a SAR may be received on 1 August which asks for “all information you hold about me”; the clock starts on 1 August and a response would be due by 1 September. The SAR is addressed to ABC Limited when in fact your company is called ABD Limited and is part of a wider group of companies with similar names. Therefore on 2 August you contact the individual to clarify which company the SAR is for. The clock stops on 2 August. A response is received from the requester on 3 August providing the required clarification and so the clock starts again and a response must be provided by 2 September.

Secondly, if the organisation chooses to charge a fee (as discussed in our previous article), the one-month time limit doesn’t begin until this has been paid.

Lastly, if a SAR is complex or if the individual has made a number of SARs and you need extra time to deal with the SAR, it is possible to extend the time for responding by a further two months. If you do need more time you must let the individual know within one month of receiving the SAR, explain that extra time is needed and provide the information as soon as possible (i.e. don’t wait until the last day of the three month period if this isn’t necessary!).

What counts as a complex SAR?

The answer to this is very context specific. The Information Commissioner’s Office (ICO) guidance includes the following examples of factors which point towards a SAR being complex but it will be for the organisation to demonstrate (and document for its records should the decision be questioned in the future) that this is the case:

  • Technical difficulties in retrieving the information – for example if data is electronically archived.
  • Applying an exemption that involves large volumes of particularly sensitive information.
  • Clarifying potential issues around disclosing information about a child to a legal guardian.
  • Any specialist work involved in obtaining the information or communicating it in an intelligible form.
  • Clarifying potential confidentiality issues around the disclosure of sensitive medical information to an authorised third party.
  • Needing to obtain specialist legal advice. If you routinely obtain legal advice (for example, where lawyers are responsible for responding to, or reviewing SARs), it is unlikely to be complex.
  • Searching large volumes of unstructured manual records (only applicable to public authorities).

The ICO expressly explains in its guidance that SARs shouldn’t be considered complex just because an organisation needs to seek support from a processor in order to fulfil the SAR (i.e. because they are holding the relevant information) or because the SAR requests large volumes of information.

Our data protection team has many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421

If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please email [email protected].
