Since the introduction of GDPR back in 2018, there has been a steady increase in the number of Subject Access Requests within the legal profession, resulting in extra workload for many Chambers and their practice managers.
In a legal context, a client may make a SAR to gather evidence for a case or to assess the strength of their legal position. The information obtained through a SAR can also help a client ensure that their personal data is accurate, complete, and up-to-date, and that it’s being used appropriately and in compliance with relevant data protection laws.
However, dealing with a SAR can be quite burdensome on resources as organisations must provide copies of all data that is held on the individual. Often, that will mean:
- providing copies of all documents, emails and any other types of communication that is held on the individual.
- redacting any information made in references to other individuals.
Anything which constitutes personally identifiable information, including:
What type of personal data should be provided?
- National Insurance Number,
- Passport Number
- Mobile Number
- IP Address
- Email Address
- Genetic Data,
- Health Data
- Ethnic Origin
- Political Opinions
- Religious Beliefs
- Sexual Orientation
What types of comms you have to review?
- Meeting minutes
- Text messages
- Diary entries
- Records from computer systems
- Personnel file
- Transcribed Recorded Calls
It’s also important that no information relating to the individual who made the request is deleted pending compliance with the SAR, as it’s a criminal offence to modify or remove this data.
While every individual has the right to access their own personal data, it Is recognised that it can consume an extraordinary amount of time to gather up this information and it’s important to note that failure to respond, or an unjustified delay can result in regulatory enforcement action being taken by the Information Commissioner’s Office. Only recently, the ICO updated their guidance on responding to a SAR as there was over 15,000 complaints relating to a SAR between 2022 and 2023o.
Here at Briefed, we provide a comprehensive GDPR framework that includes Advisory Services with our in-house barristers. This can become particularly valuable when you require guidance on processing Subject Access Requests (SARs) and need a quick phone call to clarify what data is relevant to the individual SAR.
Our advisory services were instrumental in providing support to College Chambers with a recent SAR they received, you can read about it here.