A Wake-Up Call for SAR Compliance
We have just finished our subject access request (SAR) series, but before we move on, there is one more development to note: on 4 September the Information Commissioner’s Office (ICO) announced that a director of a care home in Yorkshire has been fined for refusing to respond to a SAR made in April 2023 by a woman who requested personal data relating to her father, who was a resident of the home. The director in question was found by the ICO to have “blocked, erased, or concealed records held…. to prevent this information being disclosed” and was ordered to pay a fine of £1,100 and additional costs of £5,440.
This action reminds us of two important aspects relating to SARs:
Firstly, a SAR can be made for a data subject by a third party (for example, a parent can make a SAR on behalf of their child and a solicitor can make a SAR on behalf of their client). However, if an organisation receives a SAR from a third party then the first thing it must do is ensure that the third party has authority to make the SAR on behalf of the relevant data subject and to receive that data subject’s personal data.
Therefore, upon receipt of a SAR from a third party, an organisation should request evidence of the third party’s authority to act on behalf of the data subject. It is the third party’s responsibility to provide appropriate evidence of their authority. The ICO guidance on this subject gives the example that the third party may provide a written authority, signed by the relevant data subject, stating that they give the third party permission to make a SAR on their behalf. In the case mentioned above, the daughter had authority to act on her father’s behalf under a lasting power of attorney, so a copy of that power of attorney would have evidenced her authority.
Secondly, under the Data Protection Act 2018, it is a criminal offence for a controller or a person who is (a) employed by the controller, (b) an officer of the controller or (c) subject to the direction of the controller to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive unless:
- the alteration, defacing, blocking, erasure, destruction or concealment of the information would have occurred in the absence of a request made in exercise of a data subject access right, or
- the person acted in the reasonable belief that the person making the request was not entitled to receive the information in response to the request.
Therefore, great care needs to be taken, once a SAR is received, that all personal data relating to that SAR is preserved. If, in reliance on either of the defences mentioned above, personal data isn’t preserved, then controllers would be wise to document their actions and the reasoning behind them should they need to justify the action taken in future.
