As a principal, what should you bear in mind and how should you deal with a Subject Access Request (“SAR”) made by an agent?
What is a SAR?
A SAR is a request for information under the Data Protection Act 1998 (the “Act”) which may be used by an agent to gather information, most commonly when pursuing a claim against his principal. It can be an onerous task for the principal and may lead to the disclosure of documents which reflect badly on the principal.
A SAR entitles the agent to require you to: confirm whether data about the agent is being processed; give descriptions of the data, the purposes of the processing and its recipients; provide the data in an intelligible form; and give the source of the data. An agent can make a SAR at any time and you must comply within 40 days of receiving it.
You must be particularly careful when disclosing information relating to third parties under a SAR. Under the Act, you should provide as much of the data as can be supplied without identifying third parties. You may seek third parties’ consent to the disclosure of information to agents and, if it is granted, you must disclose it. If no consent is obtained, you will still be required to disclose the information if it is reasonable in all the circumstances to do so, for example after considering any duty of confidentiality owed to the third party. Where disclosure is not reasonable, you will need to consider carefully how the third party information should be redacted.
- Keep a note of the date by which you need to respond in accordance with the 40 day limit.
- Check your data protection policy as it may help you to locate relevant information.
- Appoint someone to oversee the collation of the data and ensure that an appropriate search has been carried out, paying particular attention to any third party information.
- Ask yourself whether the scope of the SAR is too onerous, i.e. whether complying with it would be unreasonable or disproportionate.
- Check whether the agent has made an identical or similar request before, as you need not comply again unless a reasonable interval has passed since the previous SAR.
- Only information held on a computer or as part of a structured paper filing system is covered by the Act. The information must also be specifically about the individual in question.
- Do not make amendments to relevant data after having received a SAR, other than amendments you would have made anyway in the ordinary course of business.
- Consider whether any data is exempt from disclosure, e.g. if it is subject to legal privilege.
Non-compliance with a SAR
If you do not comply with a SAR:
- the agent may make a statutory request to the Information Commissioner to assess whether the processing has been carried out in accordance with the Act. You will be required to provide the Information Commissioner with such information as is required to make the assessment.
- the agent may apply to court for an order if his/her rights have been breached under the Act and can claim compensation if he/she has suffered damage.
- financial penalties of up to £500,000 may be imposed where there has been a serious contravention of the Act or where substantial damage or distress results.
See www.ico.gov.uk for further information on dealing with a SAR.