Tughans Solicitors | SARs: “Subject Access Request” or “Subtracting from Annual Revenue”

SARs: “Subject Access Request” or “Subtracting from Annual Revenue”

November 24, 2023

The right for a data subject to have access to their personal data is a key principle of data protection law, and one which generally entitles individuals to submit a data subject access request (“SAR”) in order to receive copies of the personal data held about them, usually within one month and usually without being required to pay.

However, just because exercising the right is (usually) free does not mean that there is no cost.

Dealing with one SAR can potentially cost the controller thousands of pounds and can take many hours of staff time (including that of senior management); possibly diverting from their usual roles. It is therefore worth refreshing on steps that controllers can take in advance to limit both the chances of receiving a SAR and the time that may be required to deal with and respond to a SAR if one is received:

1. Accurate Privacy Notices – it is not uncommon for a SAR to follow situations where the individual is frustrated at how their data has been used, apparently without the individual being aware of such use. The concern usually centres on the thought: “if my data has been used in that way, what else are they using it for?”.
By ensuring that privacy notices are comprehensive and up-to-date, and that people are aware of how controllers intend to use their data, controllers can avoid miscommunication issues like this arising and thereby hopefully avoid scenarios in which individuals instead rely on SARs to access this information.

2. Correct Technical Resources – it is widely understood now that SARs can apply to personal data stored in documents [note: not necessarily the entire document].

However, controllers must understand that individuals also have the right to receive photos, video footage and audio recordings of them. Balancing this right against the requirement to not share information which identifies third parties means that controllers will usually have to take steps to isolate the images or recordings which relate only to the requester (which could include blurring-out third parties or redacting third parties from audio recordings and/or transcripts).

Controllers should ensure that they have adequate systems and training in place for this to be done, and should not be left spending time trying to equip themselves with the necessary skills when the one-month time limit is already ticking.

3. Following Retention Timelines – not only is “storage limitation” a principle of data protection law (meaning personal data is only retained for as long as is necessary), it also operates to limit the amount of data that controllers would have to sift through in order to respond to a SAR.

For example, 30 days is the usual retention period for CCTV footage, following which footage should be deleted. However, if that deletion is not carried out (either because of a rule or because it was unintentionally archived), then more work will be required to respond to the request. Questions may also follow as to why it was not deleted when it had otherwise fulfilled its purpose.

4. Manageable Filing System – the Information Commissioner’s Office expects all controllers to be able to demonstrate that they have good records management practices in place, which permit all files that contain personal data to be located, secured and destroyed when appropriate.

One of the record management approaches we see that commonly leads to issues (with SARs and other aspects of data protection law compliance) is where data storage is not centralised. This can lead to various problems, including difficulties in trying to locate and/or access information which is actually only held in a silo – like one employee’s laptop.

Improving records management practices should ensure that data is available to those authorised personnel who need to access it.

Like many elements of data protection compliance, dealing with SARs is an unavoidable cost of doing business. Ensuring you are ready to deal with SARs now (rather than waiting for one to land before beginning to think about or test your systems) should, however, be seen as an investment in comparison to the cost of failing to properly deal with the SAR and it being escalated to involve the Information Commissioner’s Office.

If you would like more advice on this or other data protection related issues please feel free to contact Paul Eastwood or another member of Tughans’ Contracts & Technology team.

While great care has been taken in the preparation of the content of this article, it does not purport to be a comprehensive statement of the relevant law and full professional advice should be taken before any action is taken in reliance on any item covered.

Cookie name	Duration of storage	Purpose
Strictly Necessary Cookies
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this necessary cookie is used to record the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this necessary cookie is used to store the user consent for cookies in the category "Others".
cookielawinfo-checkbox-functional	1 year	This necessary cookie is set by the GDPR Cookie Consent plugin to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this necessary cookie is used to store the user consent for cookies in the category "Performance".
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this necessary cookie is used to record the user consent for the cookies in the "Analytics" category.
Google Cookies
_gid	1 day	Installed by Google Analytics, the _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages on our website they visit anonymously.
_gat_gtag_UA_24785398_1	1 minute	Set by Google to distinguish users.
Youtube cookies
YSC	Session only	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
yt-remote-connected-devices	No expiry	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	No expiry	YouTube sets this cookie to store the video preferences of the user using an embedded YouTube video.
CONSENT	2 years	YouTube sets this cookie via embedded Youtube videos and registers anonymous statistical data.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this necessary cookie is used to record the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-necessary	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_24785398_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, the _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages on our website they visit anonymously.
Consent	2 years	YouTube sets this cookie via embedded Youtube videos and registers anonymous statistical data.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	Session only	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	No expiry	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	No expiry	YouTube sets this cookie to store the video preferences of the user using an embedded YouTube video.

SARs: “Subject Access Request” or “Subtracting from Annual Revenue”

Paul Eastwood

Director