Subject access request Q&A

  • Louise Thompson
  • 16 Jun 2025

To round off our data subject access request (SAR) series, we are exploring some more unusual questions which may come up when responding to a SAR.

1. Can an employee demand that their SAR be processed by their employer confidentially, so that other staff members don’t know they have made a SAR?

The short answer to this is no. Nothing in UK data protection law allows a requester to require a SAR to be kept confidential. It is also unlikely to be possible for an employer to do this because, from a practical perspective, there will be people within their organisation who need to be involved in collating the SAR response. Also, if personal data about the requester is inextricably linked to personal data about another data subject (e.g. another employee), then the organisation may need to consult with that other data subject about disclosing the personal data in question.

2. Can a requester state in their SAR that they want to be provided with particular documents?

Again, the short answer to this is no. Firstly, there are exemptions which can be applied so that certain personal data does not need to be provided. Secondly, a requester is entitled to copies of their personal data but not copies of the documents themselves. Often the easiest way to provide personal data in response to a SAR is to extract the relevant personal data into a separate document and provide that separate document to the requester.

3. If a requester has already received certain personal data (for example, because we know it was included as an enclosure to a letter our organisation sent to them) does that mean we don’t need to include it in the SAR response?

Unfortunately not. Even if you know (or think) a requester has already received a copy of certain of their personal data you still need to include it in your response (unless the requester has said that they do not require it). The same applies, for example, if the requester is a former employee who is bringing an Employment Tribunal claim against your organisation and you know that their solicitor has received a copy of the personal data via the disclosure process – the personal data should still (subject to the exemptions) be included in the SAR response.

4. Is every email an employee is copied into their personal data, meaning we have to provide all those emails in response to a SAR?

Luckily not! Business-as-usual emails that a requester is merely copied into, or which they send in the course of doing their job, will contain very little of their personal data. In most cases the personal data will be limited to name, job title and contact details (including email address), which can just be provided once in the SAR response.

5. We have a document which we don’t want to disclose in response to a SAR as it contains commercially sensitive information. Is there an exemption that covers this?

Unfortunately not. There is no such exemption, but organisations should remember that they don’t need to disclose whole documents in response to a SAR and are only required to disclose personal data within such a document if an exemption does not apply. This should mean the requirement to disclose commercially sensitive information is very limited.

6. If a requester in a SAR states what search terms they want us to use to search for their personal data, do we have to search using those search terms?

There is an unintentional theme here; the answer to this question is also no! Whilst a requester can include instructions about searches in their SAR, it is for the controller to decide what is a reasonable, appropriate search and how they will carry out that search.

7. Can a requester challenge an organisation for omitting certain personal data in a SAR response?

Yes. A requester can complain to the ICO and also apply to the court for a compliance order (under section 167 of the Data Protection Act 2018).

8. Can a requester withdraw a SAR?

Yes, a requester can withdraw a SAR but that doesn’t stop them from later making another SAR.

9. Do we have to comply with a SAR if the requester was an employee but has left our organisation and, when they did so, they signed a non-disclosure agreement (NDA) or settlement agreement?

Yes, you do. The right of a data subject to access their personal data cannot be validly waived or overridden by a settlement agreement or NDA. This also means that you cannot refuse to comply with a SAR or withhold documents because you think an employee is going to use them to bring an employment claim against you, unless you can establish a valid exemption to rely upon.

10. Is there a specific way we should redact documents being provided with a SAR response?

There is no requirement to redact documents in a certain way but what is important is that the redaction method you choose actually prevents the requester from seeing the redacted information and that the redaction cannot be reversed. This sounds obvious, but there have been many stories over the years about redaction gone wrong. The issue we have probably heard about most often is when information is (on the face of it) ‘deleted’ from an Excel spreadsheet but actually the information is just hidden and can still be easily viewed.
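As an added illustration of the Excel problem described in question 10 (this is not part of the original article or the firm's own tooling), the Python check below flags hidden sheets, rows and columns in an .xlsx file before it is sent out. The function names and the sample workbook are constructed for this example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

def find_hidden_content(xlsx_bytes):
    """List content in an .xlsx that is hidden from view but still in the file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        # Sheets marked hidden or veryHidden in the workbook part.
        for sheet in ET.fromstring(z.read("xl/workbook.xml")).iter(NS + "sheet"):
            state = sheet.get("state", "visible")
            if state != "visible":
                findings.append(f"sheet '{sheet.get('name')}' is {state}")
        # Hidden rows and columns inside each worksheet part.
        for part in z.namelist():
            if not re.fullmatch(r"xl/worksheets/[^/]+\.xml", part):
                continue
            root = ET.fromstring(z.read(part))
            for col in root.iter(NS + "col"):
                if col.get("hidden") in ("1", "true"):
                    findings.append(f"{part}: hidden columns {col.get('min')}-{col.get('max')}")
            for row in root.iter(NS + "row"):
                if row.get("hidden") in ("1", "true") and row.find(NS + "c") is not None:
                    findings.append(f"{part}: hidden row {row.get('r')} still holds cells")
    return sorted(findings)

def build_sample_xlsx(hidden=True):
    """Constructed sample: only the OOXML parts this check reads."""
    ns = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    state = ' state="hidden"' if hidden else ""
    flag = ' hidden="1"' if hidden else ""
    parts = {
        "xl/workbook.xml": f'<workbook {ns}><sheets><sheet name="Response" sheetId="1"/>'
                           f'<sheet name="HR notes" sheetId="2"{state}/></sheets></workbook>',
        "xl/worksheets/sheet1.xml": f'<worksheet {ns}><cols><col min="3" max="3"{flag}/></cols>'
                                    f'<sheetData><row r="1"><c r="A1"><v>1</v></c></row>'
                                    f'<row r="2"{flag}><c r="A2"><v>2</v></c></row>'
                                    f'</sheetData></worksheet>',
        "xl/worksheets/sheet2.xml": f'<worksheet {ns}><sheetData/></worksheet>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in find_hidden_content(build_sample_xlsx()):
        print(finding)
```

An empty result only means no hidden sheets, rows or columns were found; the check does not look at cell comments, document properties or other parts of the file.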

11. If our organisation uses social media and messaging platforms for business purposes (for example Teams, WhatsApp and LinkedIn) do we need to search these for the purposes of a SAR?

Yes. If your organisation uses such platforms for business purposes, then your organisation is the controller of the personal data processed by them and so they are in the scope of your search. This is why clear policies are needed about the use of social media and messaging platforms for business purposes, whether on work or personal devices.

You can read the previous articles in our SAR series here.

This information is intended for general informational purposes only and does not constitute legal advice. We recommend seeking professional advice before taking any action on the information provided. If you would like to discuss your specific circumstances, please feel free to contact us on 0800 2800 421.
