Understanding where your organisation stands when it comes to a subject access request is vital. Businesses must respond to a request within a month of the request, failure to do so can mean involvement from the Information Commissioners Office (ICO) or in extreme circumstances, legal action is taken.
A subject access request (SAR), also known as the right of access, gives individuals the right to obtain a copy of all the personal data your organisation holds on them. This can be from anyone your organisation holds data on including clients and employees. This personal data may include various identifiers, such as:
However, it is important to note that personal data includes all the information you hold on that individual, not just the identifiers which single them out.
There are a variety of reasons an individual can ask for a subject access request, whether it's to understand how and why their data is being used - and check it's being used lawfully, through to whether a decision about a job position has been given fairly.
Below is an overview of the entire process:
A subject access request can be made verbally, in writing or via social media, and a business has one month to deal with the request. The request can be made to any employee, therefore it is a good idea to ensure that your business has a documented process for managing SARs. It's also important that all staff, especially those who are client facing or with HR responsibilities, are trained on the process.
Individuals have the right to obtain information such as:
In effect this means that you need to supply a copy of their personal data, together with copies of the applicable privacy notices which describe the processing.
Documentation may account for a large portion of the information you hold on an individual, whether that be their CV, contract, training records or disciplinary meeting notes.
How easily would your business cope with a request for all this information? Would you need to search across your server, other software, paper files or even desks?
Document management software keeps confidential information in a secure, central location. A simple text search for the name of the individual making the access request can be carried out with results brought back in seconds. These documents can then be downloaded by a user with download rights, and presented to the individual who made the request.
Document management software also puts retention rules in place to comply with UK GDPR and other legal requirements. An individual may also want to know how long your business is legally allowed to keep their data and with retention rules applied, this can be easily provided.
Access can be restricted to authorised users and the system can provide a full audit trail of who has accessed what document when, as well as any changes that have been made.
There are a variety of advantages to having a document management system in place when managing a subject access request. The tools that are part and parcel of the software offer a number of benefits:
While DocTech can support your organisation with secure document management and efficient data handling, there are still three important responsibilities you need to remember:
You can find the full guidance on handling subject access requests on the ICO's website.
You might also want to consider an independent GDPR consultant to engage with your business and give you advice on all aspects of GDPR.
Paul Strout, MD of GDPR Assist UK Ltd also points out that:
“There is usually something which has prompted the SAR, such as a customer service failure, so make sure that you also own and address that issue as well. It is also worth pointing out that there may well be a difference between what the individual believes they are entitled to and what you are actually obligated to provide – so if in any doubt seek professional advice”.
Get in touch with us to discuss any subject access requests, data security or document management requirements you may have.
How GDPR compliant is the information in a document management system? Something we're often asked about. The EU General Data Protection Regulation (GDPR), has been in force since the 25th May 2018. It is about the ...
Fully understanding document management software can be a big job because of how much the software offers. At its core, it digitally stores business documents, providing one central location to access emails, contracts, ...
“It seems to work ok”….. "It’s how we’ve always done it”… "We don’t have time to make changes” – These are just some of the things our sales team often hear when talking to prospects about process optimisation.