What is a SAR?
A SAR is a request for personal information that the company may hold about a data subject, i.e. an individual. If an individual wishes to exercise their subject access right, the request must be made in writing. The purpose of a SAR is to make individuals aware of, and allow them to verify, the lawfulness of the processing of their personal data. Under the GDPR and the current Data Protection Act (DPA), individuals have the right to obtain confirmation as to whether personal data about them is being processed by the company. If personal information is being processed, they are entitled to access:
- the reasons why their data is being processed;
- a description of the personal data concerning them;
- a copy of all records, including e-mails, where they are mentioned;
- information about anyone who has received or will receive their personal data;
- details of the origin of their data if it was not collected from them.
Wheel of Health needs to be mindful that the rules on subject access apply to any individual. Wheel of Health is likely to hold and process personal data about its staff, its associates, service users, clients, equipment suppliers, case managers and many others. Each category has the same access rights.
Key Changes to SARs under GDPR
Under the GDPR, the procedure for making a SAR is similar to the procedure under the DPA. However, there are some key changes to be aware of:
- Fees: Under the DPA, Wheel of Health can charge up to £10 for a SAR. Under the GDPR, a request for personal information is free unless the request is ‘manifestly unfounded or excessive’. Wheel of Health can charge a ‘reasonable fee’ for multiple requests.
- Response time: Under the DPA, we must respond to SARs within 40 days of receipt of the written request. Under the GDPR, we must respond to SARs within one month of receipt. This deadline can be extended by a further two months where there are a number of requests or the request is complex, but we must contact the individual within a month of receipt to explain why the extension is necessary.
- Provision of information: Individuals can make a SAR electronically. If they do so, the information should be provided in a commonly used electronic format, unless otherwise requested. Remember that Wheel of Health verifies the individual’s identity before granting access to information. This can take some time, especially where a guardian or someone acting under a power of attorney is seeking information about a data subject.
In responding to a subject access request, the organisation will need to advise the data subject of:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients to whom we disclose the information;
- where possible, how long we will hold the information, or the criteria used to decide how long the personal information will be held;
- the right to request rectification, erasure or restriction of the processing;
- the right to lodge a complaint with the ICO;
- where the personal data are not collected from the data subject, the source from which Wheel of Health obtained the data;
- the existence of any automated decision-making.