Here are our top 10 tips to help you respond efficiently and effectively.
Tip 1: Communication, communication, communication!
Communication is key, even if it's simply to acknowledge the request and confirm that it will be dealt with and a further response will be provided at a later date. People complain to the ICO when they feel unheard or badly treated. If you cannot meet the deadline for responding, keep the individual updated and informed as early as possible. Ensure all communications you send are clear, concise and easy for the individual to understand and explain why certain information has been excluded or redacted.
Tip 2: Have a single point of contact
We recommend having a privacy@ email address and contact details to which all SARs are directed. This avoids SARs getting missed in individuals' inboxes and allows the business to coordinate and manage its response.
Tip 3: Verify who is making the request
Verify the identity of the person making the request. It's fine to ask for further information if you are unsure of the requester's identity. If the request is made on behalf of another individual, ensure you are authorised to release information to the person making the request. Note - A child over the age of 12 years old is capable of making their own SAR, and you should request permission from that child first before releasing any information you hold about them to their parents or guardians.
Tip 4: Dates in diaries
Diarise when your full response has to be provided to the individual and ensure you meet the deadline. In most cases, you will have one calendar month to respond to a SAR. Note - the calendar month starts to run from the date the request is received, even if that is a weekend or public holiday.
Your response will be due one calendar month later; if this falls on a weekend or public holiday, you have until the next working day to respond. You cannot add extra days when the calendar month is a shorter month - for example, if you receive a request on 31 January, you should respond by 28 February.
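The deadline rule in Tip 4 (corresponding date one calendar month on, clipped for short months, then rolled forward past weekends and public holidays) is easy to get wrong in a diary, so here it is as a small calculator. This is an added example, not code from the original article; the bank-holiday set is a constructed sample covering only the 2023 Christmas holidays, and a real deployment would load the full current list.

```python
import calendar
from datetime import date, timedelta

# Constructed sample: the two Christmas bank holidays for 2023 (England and Wales).
# Assumption for the example only; load the full official list in practice.
BANK_HOLIDAYS = {date(2023, 12, 25), date(2023, 12, 26)}


def corresponding_date_next_month(received: date) -> date:
    """Same day number one calendar month on, clipped to the last day of that
    month, so 31 January becomes 28 February in a non-leap year (no extra days)."""
    year, month = received.year, received.month + 1
    if month > 12:
        year, month = year + 1, 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def is_working_day(day: date, holidays=BANK_HOLIDAYS) -> bool:
    """Monday to Friday and not a public holiday."""
    return day.weekday() < 5 and day not in holidays


def sar_deadline(received: date, holidays=BANK_HOLIDAYS) -> date:
    """Date by which the full SAR response is due.

    The clock starts on the day the request is received, even if that is a
    weekend or public holiday. If the corresponding date a month later lands on
    a weekend or public holiday, the deadline moves to the next working day."""
    due = corresponding_date_next_month(received)
    while not is_working_day(due, holidays):
        due += timedelta(days=1)
    return due


def sar_deadline_iso(received_iso: str, holidays=BANK_HOLIDAYS) -> str:
    """String wrapper (YYYY-MM-DD in, YYYY-MM-DD out) for diaries and scripts."""
    return sar_deadline(date.fromisoformat(received_iso), holidays).isoformat()


def days_remaining(received_iso: str, today_iso: str, holidays=BANK_HOLIDAYS) -> int:
    """Calendar days left before the deadline; negative once it has passed."""
    due = sar_deadline(date.fromisoformat(received_iso), holidays)
    return (due - date.fromisoformat(today_iso)).days


if __name__ == "__main__":
    for received in ("2023-01-31", "2023-11-09", "2023-11-25"):
        print(f"received {received} -> respond by {sar_deadline_iso(received)}")
```

The three sample dates exercise the short-month clip, a deadline that lands on a Saturday, and one that lands on Christmas Day and rolls past Boxing Day.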
Tip 5: Check the extent of the request
Ask the individual what information they require. Does their request relate to specific information/categories of information, or do they want everything your business holds about them?
You cannot require requesters to narrow the scope of their request; however, by understanding what they want, you can make sure you provide the information they are actually after and reduce the risk of sending a response that does not satisfy the request. It may also save you time compiling information that is not required. Clarity on what is being requested is key, particularly with complex requests or requests involving large amounts of data.
Tip 6: Be proactive
People make complaints to the ICO when they don't know what's happening with their request. If you're dealing with a particularly large or complex SAR, you can explain to the requester you will send out information in batches and provide a timeframe, so they know when to expect this.
Tip 7: Have you got everything?
Checking your databases, CRM and other content management systems is not enough; you need to consider where else data may be stored, including text messages, WhatsApp, tablets, portable memory sticks and call recordings. You should consider whether you operate a bring-your-own-device policy; if so, have all devices been checked for personal data? You must search for all the information you hold on the individual.
Tip 8: Keep it confidential
Before you provide information to the individual, you must review it and consider whether any information contained in the documents relates to a third party. Note - personal information of a third party should not be disclosed. If there is any information relating to a third party, it should be blacked out, or a new document should be created that contains only the information relevant to the individual making the SAR.
When redacting information, you must ensure that the individual cannot reverse or see through the redaction, as this would amount to the unauthorised disclosure of another person's personal data. Where you cannot separate the relevant data from another person's data, you should weigh the impact on the third party of disclosing their data to the requester. If you consider there will be a negative impact on the third party, then you may withhold the information from the response, but you should make a note of your reasons for doing so.
Tip 9: How to reply
If the request was made by email, your reply should be sent to the same email address unless the individual has specifically asked you to send your reply by another method or to a different address. You should also check the format in which they'd like to receive the information and ensure that when emailing responses, you use a secure method to share the data with the individual only and ensure your response includes all required privacy information. Keep a dated record of the information you have sent (in case they are unhappy with the response or for reference if they make another request soon after).
Tip 10: You can say No!
You are only able to refuse a SAR in limited circumstances, for example, if the request is excessive. This can occur where a request repeats or overlaps significantly with a recent previous request, or where a request is unfounded or unreasonable. A request may be unreasonable or unfounded where you have reasonable grounds to believe the requester is not really interested in obtaining the information and is instead more interested in disrupting or causing expense to your business. A particularly large request is not excessive simply because it is large. Note - where you decide to refuse to respond to a request, ensure that you keep a written record of your decision-making.