Dealing with a Subject Access Request
Recently we have seen a significant increase in the number of Subject Access Requests (SAR) being made to sports clubs. These requests are often made in response to a grievance or dispute that the individual has with the club as part of an information gathering exercise, often as a prelude to deciding whether to take the matter further.
But do you have to respond to a SAR? If so, can you withhold any information? Are you allowed to charge expenses? These are all common questions.
This note aims to address some of the most common questions surrounding SARs and give some guidance to clubs on how to deal with them.
What is a SAR?
A Subject Access Request is a written request made by or on behalf of an individual for the information which they are entitled to ask for under section 7 of the Data Protection Act 1998 (DPA).
What information is the individual entitled to?
The right of subject access is actually four separate rights, which are described below and are subject to various exemptions:
- Right to know if personal data is being processed;
- Right to description of what personal data is being held/processed and who it may be disclosed to;
- Right to a copy of the information communicated in an intelligible form; and
- Right to be informed of how any automated decision taken in relation to the individual is made.
What is personal data?
The broadest interpretation includes any information relating to a living individual which can be identified as relating to him or her. In most cases, it will be obvious whether the information being requested is personal data. For example, a club’s register of members will include all kinds of personal data about a member: name, address, date of birth, etc. However, the Information Commissioner’s Office (ICO) has published guidance to help you decide in cases where it may be unclear.
Do I have to comply with a SAR?
On the whole, yes. Normally you have to comply with a SAR even where it would be costly and time consuming. However:
- There is no need to comply with a request if it is similar or identical to one complied with earlier unless a reasonable interval has elapsed.
- A data controller is only required to supply a data subject making a request with such personal data as is found after a reasonable and proportionate search.
- Where aspects of the search and review process would (a) be particularly time consuming, (b) require consideration by skilled lawyers and (c) be costly, it may be that the complexity and cost burden is disproportionate.
Can someone make a request on behalf of a third party?
The Act does not prevent an individual making a subject access request via a third party. However, you need to be satisfied that the third party making the request is entitled to act on behalf of the individual; it is the third party’s responsibility to provide evidence of this entitlement. Otherwise you may be unlawfully disclosing the data subject’s personal data.
What if someone requests information about children?
Information about children may be released to a person with parental responsibility (e.g. a parent or guardian). Be sure to properly identify the individual making the request.
Before responding to a subject access request for information held about a child, you should also consider whether the child is mature enough to understand their rights. In Scotland, the law presumes that a child aged 12 years or more has the capacity to make a subject access request and this is generally considered an appropriate age in England and Wales. That said, if you are confident that the child can understand their rights, then you should respond to the child rather than a parent.
Can I charge expenses?
No, but if it is your normal practice to do so, you may charge a £10 fee for dealing with the request (different rules apply in certain circumstances relating to health records). If you choose to charge a fee, you need not comply with the request until you have received the fee.
However, you cannot ignore a request simply because the individual has not sent a fee. If a fee is payable but has not been sent with the request, you should contact the individual promptly and inform them that they need to pay.
How should I respond to a SAR?
- Appoint someone to oversee the response to the request
- Acknowledge receipt of the request and confirm you will respond within the required statutory timeframe.
- Consider whether you understand what information is being requested and, if not, ask for clarification. In these circumstances the timeframe for responding to the SAR will generally commence from when the individual responds with clarification.
- Confirm the identity of the individual making the request and that they are entitled to the data.
- Request a £10 fee if they have not provided it. If you have asked for it, you are not required to respond until you have received it.
- Identify whether any of the information contains third party personal data. If it does, consider seeking the consent of the third party to disclose it. If they are not willing to consent, redact the information so that the third party cannot be identified.
- Consider whether any data is exempt from disclosure.
- Ensure you respond to the SAR promptly and within 40 days of receipt of the request.
- Provide a written response and consider including an explanation of the types of data provided and whether and for what reasons any data has been withheld.
How should I present the data?
- First you will need to determine whether the request is for a description of the data held by you, or whether it is a request for copies of the data, or both.
- The information should be provided in an intelligible (i.e. understandable to the "average person") and permanent form (for example, paper) unless that is not possible or would involve disproportionate effort.
- Where the information contains large amounts of electronic data, it may be preferable to copy it on to a CD.
Is any data exempt?
Yes. The following types of data are exempt:
- Personal data held for personal, family or household affairs including recreational purposes. This covers most data held by individuals.
- Confidential references given by the data controller for employment or educational purposes.
- Management information to the extent that complying with a SAR would prejudice the conduct of the business (e.g. information on a staff redundancy programme before it has been announced to the rest of the workforce).
- Personal data consisting of records of intentions in relation to negotiations between the data controller and data subject to the extent that the SAR would be likely to prejudice the negotiations.
- Personal data subject to legal professional privilege.
- Health records where disclosure would be likely to cause serious harm to the physical or mental health of the employee or any other person.
What if I don't comply with a SAR?
Failure to comply with a SAR may entitle the individual to:
- make a statutory request to the ICO asking the ICO to determine whether or not it is likely that the SAR has been carried out lawfully. The ICO can serve a notice on you requiring you to provide information.
- make an application to court alleging breach of the SAR rules and seeking an order for compliance.
- make a claim for compensation against you. You will have a defence if you can prove that you took such steps as were reasonable in the circumstances to comply with the subject access request rules.
If you have any queries on what the changes will mean in practice for your club, please call our dedicated County FA Helpline on 08448 240 432 or email [email protected].