By Sofia Carroll, Information Governance Manager, Naomi Korn Associates
The Information Commissioner’s Office (ICO) has launched a new service for people to submit a personal data request to an organisation. Here, we consider what you can expect from it – as a requester of personal data or recipient of a Subject Access Request (SAR).
What is the Subject Access Request service?
The regulator has created a form on their website which people can use to send subject access requests (SARs) to organisations. Individuals add some personal information, contact details for the organisation, and some background information about the request itself.
Then they can review the form, submit it, and the organisation or a named employee will receive it from an ICO email address.
I am an individual – what can I expect from the ICO’s SAR service?
- Using the ICO SAR service doesn’t make your request any more urgent or important.
- It is not a complaint about the organisation that the ICO will consider. If you want to complain, use the online complaint form.
- You don’t have to fill in all fields in the form. For example, a reason for requesting the information might be helpful but it’s irrelevant to your request.
- The ICO remains independent to your SAR and won’t get involved with any further correspondence between you and the organisation. Including them in any subsequent emails won’t make a difference.
The ICO will only keep your information for a few weeks and then delete it. It is using a third-party to process your data and you can read about this in the privacy policy.
I am from an organisation – what should I do with the notification from the SAR service?
- This is a legitimate email and likely a valid request. If unsure for any reason, call the general Helpline on 0303 123 1113.
- Read the guidance linked in the email. It provides an overview of how to answer a SAR.
- Verify the requester’s identity. The ICO haven’t done this, and it remains your responsibility as the organisation receiving the request.
- The email says you may need to contact the requester to clarify the request, but you may not. Check if you have everything you need to start searching. If you don’t, do ask them, but bear in mind the requester isn’t obliged to provide further clarifications to make it easier for you. If that’s the case, search for what you reasonably can.
- There is no need to keep the ICO updated on your progress handling the SAR or tell them that you have received it.
- The ICO aren’t assessing your data protection compliance with this tool.
General Comments
There are some questions which are worth clarifying about the tool. For example, whether the ICO should be considered a third party (like a portal to submit requests on behalf of people); is it time efficient to add another extra step in the SAR process; and if people might expect their request to be treated with more urgency because it’s come from the ICO service.
This is still new and the regulator has asked for feedback on it. You can share your thoughts with them both as a person and an organisation, and Naomi Korn Associates has done.
Naomi Korn Associates has managed hundreds of SARs on behalf of our clients over the years. We offer a range of Data Protection services to help organisations respond to SARs within the legal parameters of the legislation. For more information contact Jess Pembroke, Head of Data Protection at jess@naomikorn.com or +44 2045822230.