Subject access requests (SARs) and privacy notices

13 Oct 2023 Sandra Bailie    Last updated: 13 Oct 2023

This is a resource based on the ICO guidance on subject access requests (SAR) for organisations and how to write and communicate privacy notices.

Subject Access Requests (SAR)

Individuals have the right to obtain a copy of their personal data (and other supplementary information). This right does not entitle individuals to receive full copies of original documents. A SAR can be made in writing, verbally, or on social media. The information must be provided free of charge.

Preparing for SARs

  • What personal information do you process?
  • Is it kept up to date?
  • Is it searchable and clearly labelled?
  • Do you have a retention policy?
  • Are staff adequately trained?
  • Do your staff use personal devices for work?
  • Do any third-party service providers process personal data on your behalf?

Exemptions

  • There are several exemptions from the right of access.
  • Not all the exemptions apply in the same way.
  • Exemptions should be considered on a case-by-case basis.
  • You should justify and document your reasons for relying on an exemption.
  • More information on exemptions 

Dealing with an information request

The ICO has a step-by-step guide to dealing with an information request:

  1. Choose a data protection lead
  2. Know who you’re dealing with
  3. Check the request is valid
  4. Set reminders
  5. Consider the request – what have they asked to see
  6. Search for the information
  7. Consider what you need to redact
  8. Consider the impact of releasing information about other people
  9. Prepare your reply
  10. Send your reply securely and keep a record of what you’ve sent

Privacy Notices

Before you begin: think about what data you hold and map out information flows. You need to be able to answer a number of questions. This will then allow you to work out what needs to go into your privacy notice.

Guidance on how to write a privacy notice

Privacy notice template

How to provide privacy information 

You can provide this information through a variety of media:

  • Orally - face to face or when you speak to someone on the telephone (it’s a good idea to document this).
  • In writing - printed media; printed adverts; forms, such as financial applications or job application forms.
  • Through signage - for example, an information poster in a public area.
  • Electronically - in text messages; on websites; in emails; in mobile apps.

Tips on presenting privacy information

  • Use clear, straightforward language.
  • Adopt a style that your audience will understand.
  • Don’t assume that everybody has the same level of understanding as you.
  • Avoid confusing terminology or legalistic language.
  • Draw on research about features of effective privacy notices.
  • Align to your house style.
  • Align with your organisation’s values and principles.
  • Be truthful. Don’t offer people choices that are counter-intuitive or misleading.
  • Follow any specific sectoral rules.
  • Ensure all your notices are consistent and can be updated rapidly.
  • Provide separate notices for different audiences.

Further information and resources

ICO toolkit for small and medium sized organisations - Advice for small organisations | ICO

The right to be informed | ICO

Right of access | ICO

Lawful basis interactive guidance tool | ICO

privacy-notice-checklist.pdf (ico.org.uk)

privacy-template.docx (live.com)

Contact information for ICO in Northern Ireland

To contact the NI ICO office: phone 0303 123 1114 or email [email protected]

Subscribe to ICO e-newsletter here

Information Commissioner's Office (ICO)

 

by Sandra Bailie

Head of Organisational Development
