Subject access requests (SARs) and privacy notices
Subject Access Requests (SAR)
Individuals have the right to obtain a copy of their personal data (and other supplementary information). This right does not entitle individuals to receive full copies of original documents. A SAR can be made in writing, verbally, or on social media. The information must be provided free of charge.
Preparing for SARs
- What personal information do you process?
- Is it kept up to date?
- Is it searchable and clearly labelled?
- Do you have a retention policy?
- Are staff adequately trained?
- Do your staff use personal devices for work?
- Do any third-party service providers process personal data on your behalf?
- There are several exemptions from the right of access.
- Not all the exemptions apply in the same way.
- Exemptions should be considered on a case-by-case basis.
- You should justify and document your reasons for relying on an exemption.
- More information on exemptions
Dealing with an information request
- Choose a data protection lead
- Know who you’re dealing with
- Check the request is valid
- Set reminders
- Consider the request – what have they asked to see
- Search for the information
- Consider what you need to redact
- Consider the impact of releasing information about other people
- Prepare your reply
- Send your reply securely and keep a record of what you’ve sent
Before you begin: think about what data you hold and map out your information flows. You need to be able to answer a number of questions about that data. This will then allow you to work out what needs to go into your privacy notice.
How to provide privacy information
You can provide this information through a variety of media:
- Orally - face to face or when you speak to someone on the telephone (it’s a good idea to document this).
- In writing - printed media; printed adverts; forms, such as financial applications or job application forms.
- Through signage - for example, an information poster in a public area.
- Electronically - in text messages; on websites; in emails; in mobile apps.
Tips on presenting privacy information
- Use clear, straightforward language.
- Adopt a style that your audience will understand.
- Don’t assume that everybody has the same level of understanding as you.
- Avoid confusing terminology or legalistic language.
- Draw on research about features of effective privacy notices.
- Align to your house style.
- Align with your organisation’s values and principles.
- Be truthful. Don’t offer people choices that are counter-intuitive or misleading.
- Follow any specific sectoral rules.
- Ensure all your notices are consistent and can be updated rapidly.
- Provide separate notices for different audiences.
Further information and resources
ICO toolkit for small and medium sized organisations - Advice for small organisations | ICO
Contact information for ICO in Northern Ireland
To contact the NI ICO office - Phone 0303 123 1114 or Email - [email protected]
Subscribe to ICO e-newsletter here