Understanding Subject Access Requests: Legal Obligations and Best Practices

SARs are not a tool for “fishing expeditions” – Lord Justice Auld

A Subject Access Request (“SAR”) is a fundamental right under the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR). It allows individuals to request access to personal data that an organisation holds about them. For businesses, compliance with SARs is not just a legal obligation but also a critical aspect of maintaining trust and transparency with clients.

Legal Framework and Key Obligations

Under the UK GDPR and the DPA 2018, individuals have the right to access their personal data. If your business has received a SAR, you must meet the following obligations:

  1. Timely Response: Organisations must respond to a SAR without undue delay and at the latest within one month of receipt. This period can be extended by two further months if the request is complex or the individual has made a number of requests, but the individual must be told of the extension, and the reasons for it, within the initial month.

  2. Verification of Identity: Before processing a SAR, an organisation may ask the requester for information reasonably needed to confirm their identity where it has genuine doubts about who is asking. Only proportionate checks should be made, and the one-month period runs from the date the organisation receives the information needed to confirm identity.

  3. Provision of Information: The response should be comprehensive. As well as a copy of the personal data itself, it should include the purposes of the processing, the categories of data concerned, the recipients or categories of recipients to whom the data has been or will be disclosed, the envisaged retention period, the source of the data where it was not collected from the individual, and the individual’s other rights, such as rectification, erasure and the right to complain to the ICO.

  4. Format of Response: Where the request is made electronically, the information should be provided in a commonly used electronic format unless the individual asks otherwise. In every case it should be concise, intelligible and easily accessible, so that the individual can actually understand what is held about them.

  5. Exemptions: Certain data may be exempt from disclosure under the DPA 2018, such as data covered by legal professional privilege, records of the organisation’s intentions in ongoing negotiations with the requester, or information that identifies another individual where disclosure would adversely affect the rights and freedoms of others. Exemptions are applied to specific data, not to the request as a whole, so the remainder of the data must still be disclosed.

Case Law and Guidance

Recent case law has emphasised the importance of strict compliance with SARs. For instance, in Rudd v Bridle & J&S Bridle Ltd [2019] EWHC 893 (QB), the court reinforced that organisations cannot use delays or complexity as excuses to deny or unduly delay a response to a SAR.

Durant v Financial Services Authority [2003] EWCA Civ 1746: This landmark case clarified that SARs are not a tool for “fishing expeditions.” The court emphasised that the purpose of a SAR is to enable individuals to verify the lawfulness of the processing of their data, not to obtain information for other purposes such as litigation.

The Information Commissioner’s Office (the “ICO”), the UK’s data protection authority, provides guidance on SARs and has the power to take enforcement action against organisations that fail to comply. In Afar v Lloyds Bank plc [2019] EWCA Civ 635, the court ruled that the mere fact of non-compliance with a SAR can justify regulatory action by the ICO.

How we can help

Handling a SAR efficiently requires a thorough understanding of the obligations under the UK GDPR and DPA 2018. Organisations must ensure that they have robust processes in place for identifying, retrieving, and securely delivering personal data within the statutory time limits. Failure to comply can lead to significant penalties, including fines and reputational damage.

Legal advice should be sought if there is any uncertainty regarding the scope of the data requested or the applicability of exemptions.


Griffin Law is a dispute resolution firm comprising innovative, proactive, tenacious and commercially-minded lawyers. We pride ourselves on our close client relationships, which are uniquely enhanced by our transparent fee guarantee and a commitment to share the risks of litigation.  For more details of our services please email justice@griffin.law or call 01732 52 59 23.

GRIFFIN LAW – TRANSPARENT FEES. TENACIOUS LAWYERS. TRUSTED PARTNERS.

Nothing in this document constitutes any form of legal advice upon which any person can place any form of reliance of any kind whatsoever. We expressly disclaim, and you hereby irrevocably agree to waive, all or any liability of any kind whatsoever, whether in contract, tort or otherwise, to you or any other person who may read or otherwise come to learn of anything covered or referred to in this document. In the event that you wish to take any action in connection with the subject matter of this document, you should obtain legal advice before doing so.

Published 27 August 2024. Categories: Business Disputes, Data Protection, For Businesses.

About the Author:

James studied law at Kingston University, before completing the legal practice course at the University of Law in Bournemouth, and completing his training contract with a large London firm. He advises individuals and organisations on complex and high value disputes concerning company law, contractual drafting/terms and negotiations, personal or company insolvency, large-scale debt recovery/enforcement (foreign and domestic), copyright, trademark and other intellectual property disputes, contested probate and other aspects of traditional Chancery law. James is furthering his practice knowledge within the tax and trust law dispute resolution arenas. His professional yet friendly approach enables him to understand his clients’ objectives quickly, provide a common-sense commercial resolution and devise a bespoke strategy designed to obtain the optimum result in the quickest and least expensive manner. James understands that litigation can be stressful, and recognises how important it is to be accessible and responsive to clients’ needs. In his spare time, James enjoys spending time with his family, walking his dogs and creating things in his workshop.