Would a subject access request include internal emails & telephone recording?

[ExDonut]

I complained to a large organisation (think akin to an energy provider with likely proper data management rules / teams etc).

They only responded to part of my complaint with a "go away" in more polite terms. They didn't respond to my accusation of staff dishonesty during telephone calls which may have been recorded (they refused to answer to my complaint request to preserve any recording).

If I submit a subject access request for myself/my complaint do I have any chance of getting them?
Or might I get access to internal emails between their staff about how to deal with my complaint (I'm fairly sure there would have been a "argh did you really tell the customer that, Bob?!" moment but 99% likely to have been verbal).

Thoughts, advice?

Call recordings with you. Yes. Internal emails about you, no.

Recordings are retained. Whether they responded to you with "go away" or something else depends completely on your complaint - having dealt with complaints in the past it's amazing how many completely unreasonable complaints you get, and they got a polite go away!

Incorrect. A SAR should include all data that identifies you. Definitely includes internal emails - as I am always reminding my staff!

Internal emails are the best bit about SARs.

What's classed as identifying you though?

Nobody sends an internal email with identifying information in like full name and address. At least, we don't where I work.

If it relates to the person involved, then it needs to be disclosed. For example, when I did a SAR for my daughter, they used initials in the subject header. So I got emails that said, for example, "LD" in the subject line, and the body of the email might have simply said "Mum has asked that we contact home if she complains of headache." So even if the email wasn't obviously about my DD it had to be included.

If the individual was copied in on 200 emails that didn't actually involve them in any way, then a reply that says "You were copied in on 200 emails using the following email address." would be ok.

If an email referred to a person and others, you can blank out all the information that doesn't relate to the subject of the request, leaving only that information which does relate to them. For example, there was an email for my DD that said 'Here are the names of 10 children who currently have x provision. I think these 4 children could do without. What you do you think?' The reply said 'These 3 children definitely need it to continue.' When I received the email, the other 9 names in the first email were inked over, and the other two names in the reply were also inked over.

The internal emails were definitely the best bit of my SARS with the Local Authority.

They moaned about me to each other. Moaned about their colleagues to each other.

The best though was the "independent" advocate allocated to my son by them and also the "independent" complaint investigators also joining in with the LA staff with their opinions about me.

“Incorrect. A SAR should include all data that identifies you. Definitely includes internal emails - as I am always reminding my staff!”- This.

I also work for a LA.

Oh..... and..... with my SARs the LA were so incompetent they DIDN'T redact other people's names. So l got a full list of their current open complaints and the reasons for them.

Some were absolutely horrifying.... eg Sarah Lewis has disclosed sexual abuse to a school teacher. Her father (the accused) - Peter Lewis - has raised a complaint as he feels he has been treated unfairly.

Given that SAR stands for Subject access Request, it includes all correspondence available where you are mentioned either directly or indirectly.

you need to justify why your SAR request should be actioned. As part of the Data Protection Act, an organisation being asked to produce SAR data can push back if they can justify that it's a vexatious claim, ie deliberate time wasting. You need to have clear justification as it can take hours to do a complete trawl through of all documentation, including audio.

This is completely wrong - you’re confusing SARs with FOI requests.

Under the Data Protection Act 2018/GDPR, you explicitly do not need a reason to ask for a SAR. If an organisation holds data about you, you can make a SAR.

There are some exceptions, e.g. some data held by the criminal justice system, but not many.

As @MissLucyEyelesbarrow says, you don't need to provide a justification for an SAR. However, as @daisychain01 says, an organisation can refuse to comply if the purpose of the request is vexatious, e.g. the requester has no real purpose other than causing disruption.

Or the burden of fulfilling the DSAR is too great or it’s repetitious.

As a pp has said there are also exemptions - i.e. when a DSAR could be actioned but the data can legitimately be withheld - but they’re narrow.

And, generally, there being a large volume of data is not a legitimate reason to refuse.

Yes, as far as I know the ‘excessive burden’ provision has hardly ever, if ever, been successfully argued.

Thanks everyone, this has been super helpful, and my request definitely has a rationale and narrow focus if I ever did need to deal with push back saying it's excessive or too vague or time wasting etc.

I basically want proof in hand that they said something to me during the complaint that later might be disputed (so far they haven't disputed what I said during the complaint but before this goes to regulatory bodies I'd rather hope to get the audio recording as proof of they did keep it!)

Keep it = say it

I'm not confusing these two acts, I am a Civil Servant public sector and we get FOIs [ability for an individual to ask for information pertaining to an organisation (eg how much tax money was spent on xyz projects in 2022?) and SARs (please provide all information about me processed by x manager).

I was simply providing the OP with practical advice to minimise the risk of pushback.

There is provision for a small organisation with very limited resource eg only 3 staff in total, to decline the processing of an SAR. Large organisations don't normally have that option as they have the benefit of large HR departments, but for an SME where it can be proven that it would adversely affect business operations to take one of their 3 staff off their operational duties to process weeks or months of data, they can generally decline successfully.

I worked for a big insurance company and an SAR would cost us about £1000 to produce. In a decade we never did one, the legal team always settled with the claimant without one.

In that case, why tell the OP that she needs a reason to make a SAR, when this is manifestly incorrect?

I'm confused as to how a civil servant would know how often a SME can successfully decline a SAR. Could you cite your source for claiming that this often permitted?

It's actually very rare for the ICO to permit SARs to be completely declined on the grounds that the work involved would be excessive. And there is no exception for organisations with fewer than 4 staff either. The ICO does permit organisations to narrow or summarise the scope of data held, if the burden of production is too great, but there is no general exclusion on the basis of organisation size.

The ICO really isn't set up to get involved in individual cases, @MissLucyEyelesbarrow anyway they've got you battling it out on their behalf.

Happy New Year.

Incorrect. Emails are subject to an SAR if they’ve been retained.

There are no legal grounds like you’re describing for refusing one. You’re wrong.