As a principal what should you bear in mind and how should you deal with a Subject Access Request (“SAR”) made by an agent?
What is an SAR
A SAR is a request for information under the Data Protection Act 1988 (the “Act”) which may be used by an agent to gather information, most commonly when pursuing a claim against his principal. It can be an onerous task for the principal and may lead to the disclosure of documents which reflect badly on the principal.
A SAR will request you to: confirm whether data about the agent is being processed; give descriptions of the data and its recipients; provide the data in an intelligible form; and give the source of the data. An agent can make a SAR at any time and you must comply within 40 days.
You must be particularly careful when disclosing information relating to third parties under a SAR. Under the Act, you should provide as much of the data as can be supplied without identifying third parties. You may seek third parties’ consent to the disclosure of information to agents and if it is granted then you must disclose it. If no consent is obtained, you will be required to disclose the information if it is reasonable in all the circumstances to do so, for example by considering any duty of confidentiality owed to the third party. You will also need to strongly consider whether to redact any information.
Non-compliance with a SAR
If you do not comply with a SAR:
See www.ico.gov.uk for further information on dealing with a SAR.
You can register online or follow us on Twitter or LinkedIn to receive our latest news, events and publications.