Page 26 - BOSS Today Issue 56
DOWN TO BUSINESS
SARS AND HOW TO MINIMISE HOW MUCH TIME THEY CAN WASTE
Subject Access Requests (SARs) can be frustrating and time consuming, particularly when you suspect that the
request from the Data Subject (DS) is largely being made to cause you frustration and waste your time.
A SAR is simply a request for personal data, which means any information relating to an identified or identifiable person, including information that identifies them directly or indirectly: for example, their identification number, initials or general description.

Since 2005, only 99 SAR complaints have been made to the Information Commissioner’s Office (ICO). 55 of those were upheld, 39 dismissed and five partially upheld. However, not one of these complaints was made against a private company.

To minimise the frustration and time you spend on SAR requests, we recommend the following:

- Only keep data for as long as necessary, which means destroying it as soon as you can. The less data you store, the less you have to search through!
- Provide the data within the one month deadline or advise that you are extending it to two months if the request is complex or you process a lot of data.
- Seek a clarification of what data is being sought. A DS is not entitled to everything: for example, generic emails sent to their email address are not data if they are not about them.
- The aims of a SAR are to enable the employee to be “aware of and verify the lawfulness of processing”. You are required to make “reasonable efforts” to find the data, not make “unreasonable or disproportionate” searches.

Exemptions

You can refuse or limit what you disclose if certain exemptions apply: for example, you can redact or remove data if disclosing the data would breach other people’s data protection rights.

If a SAR is “manifestly unfounded or excessive”, you should first seek clarification of the request, then either provide a sample of the data requested, or refuse the request after taking advice from the ICO.

You are exempt from disclosing data for a number of reasons:

(a) Legal privilege
(b) Statements where confidentiality and the right to data has to be balanced, such as sexual harassment allegations
(c) Job references given in confidence
(d) Data that would prejudice the conduct of the business or negotiations between the employer and employee.

You cannot refuse to disclose data because of possible or actual proceedings.

Get advice

BOSS can provide template letters and advice to assist with a SAR request. Several IT companies provide data search software to mine large amounts of data under defined search parameters. The ICO offer a helpful live chat and telephone service through their website ico.org.uk.

Complaints

After receiving a complaint, the ICO will either conclude it is not proportionate to investigate further, or may take the view that further investigation or action is appropriate. That action can include entering premises, seeing documents, observing the processing of personal data and interviewing staff. This could lead to a fine and/or corrective action advice.

For further information, please contact your BOSS HR Adviser.