What to do when you receive a SAR
Having a policy and written processes in place will help you deal with subject access requests. These policies should include the means to record and document all requests you receive. All individuals have the right to ask you for confirmation that you are processing their data and for a copy of that personal data, along with any other supplementary information.
It is important to make sure that all employees know how to recognize a request and that, if they receive one, they report it to the department or individual responsible without delay. A log of the request should be made, particularly for requests made verbally or in person, and it should include the data requested. It's recommended that the individual asking for their information is contacted to make sure that their request has been understood correctly.
You can provide a form online for individuals to complete. However, you must make it clear that they do not have to use the form, and you cannot use it as a means to delay responding to their request. You must respond within one calendar month. As such, many organizations have an internal policy of responding within 28 days, which makes it easier to ensure that they comply regardless of the number of days in the month the request was made.
If you have any doubts about the identity of the person making the request, you can ask for more information. This must only be information that is necessary to confirm who they are. The request for more information should be made as quickly as possible, and the period for responding to the request will begin when you receive their additional information. Be aware that this should not be used to delay responding. If the individual is known to you, or you can confirm their identity by asking them to confirm one piece of information you hold, for example a postcode or an email address, you should do so. Delaying your response to their request by contacting them again or asking for more information would not be appropriate and could not easily be justified if the individual complained to the ICO.
You cannot charge a fee for responding to a request, and you cannot delay or refuse a request unless it is repetitive in nature or is manifestly unfounded or excessive. In most cases, charging a fee, refusing or delaying a request would not be appropriate. If you do so, you will need to inform the data subject of your decision, tell them that they have the right to lodge a complaint, and be ready to justify your decision to the ICO. If you do think a fee is justified, then it should be a reasonable fee for the administration cost of complying with their request.