
Subject Access Request

16 replies

chocolateworshipper · 05/06/2019 20:42

Has anyone submitted a SAR to their employer and have any tips on do's and don'ts? I am thinking about leaving anyway, so not worried that it might upset management or whatever.

daisychain01 · 05/06/2019 23:02

I wouldn't put in a SAR unless you have a valid reason to do so. If you're intending to leave, what is the purpose of your SAR?

They are normally submitted in conjunction with a grievance, because the goal of an SAR is to find out information held about you.

AlwaysCheddar · 06/06/2019 06:09

Give clear parameters, such as what dates to cover, is it your HR record you want or all references to you in whatever format held by your boss, Joe Bloggs and A. N. Other.

AgnesNaismith · 06/06/2019 06:19

They don’t need to know the purpose and you don’t have to be specific. It also doesn’t have to be in relation to a grievance.

You have the right to request all data on file. The best way to do this is reference GDPR, call it a DSAR (data subject access request) and remind them they have 30 days. It may take longer depending on how long you’ve been there, they will let you know - but you should get all HR files, Finance files, all emails (with others names redacted) and instant messages referencing you.

Cuppa12345 · 06/06/2019 06:23

If you request all data on file then depending on how big a job it'll be, they may be able to say it's not possible for them to collate it all.

Being specific is going to help you. Do you want emails between particular people over the last year, say your manager and their manager since June 2018? They are unlikely to refuse that.

Think about the purpose of your request and then ask for that information only, so they can't say it's disproportionate effort.

daisychain01 · 06/06/2019 10:27

Here is a letter template recommended by the ICO. They state it is helpful to keep the SAR limited to specific dates because if it is deemed to be a vexatious request or one that could be deemed 'manifestly unfounded or excessive' they may decline the request citing that reason. Hence my point upthread to be clear why you want it. You have the right, but you also have responsibilities.

Letter template

[Your full address]

[Phone number]

[The date]

[Name and address of the organisation]

Dear Sir or Madam

Subject access request

[Your full name and address and any other details to help identify you and the data you want.]

Please supply the data about me that I am entitled to under data protection law relating to: [give specific details of the data you want, for example:

my personnel file
emails between ‘person A’ and ‘person B’ (from 1 June 2017 to 1 Sept 2017)
my medical records (between 2014 and 2017) held by ‘Dr C’ at ‘hospital D’
CCTV camera situated at (‘location E’) on 23 May 2017 between 11am and 5pm
copies of statements (between 2013 and 2017) held in account number xxxxx.]

If you need any more data from me, or a fee, please let me know as soon as possible. It may be helpful for you to know that data protection law requires you to respond to a request for data within one calendar month.

If you do not normally deal with these requests, please pass this letter to your Data Protection Officer, or relevant staff member. If you need advice on dealing with this request, the Information Commissioner’s Office can assist you. Its website is ico.org.uk or it can be contacted on 0303 123 1113.

Yours faithfully

[Signature]

FFSeverynameisused · 06/06/2019 11:02

could an organisation just dismiss any request as vexatious or excessive though?

And does 'excessive' depend on the size of the organisation?

eg my employer has over 5000 employees so would they be less justified in calling a request for all data held on me 'excessive' than a wee 50 employee organisation?

Sorry to hijack the thread!

Cuppa12345 · 06/06/2019 12:02

If they have a single staff member doing these and someone says I want everything ever - emails, files, etc. The org could decline but would have to justify this if the person complained to the ICO. They could say: "we did a search, 10000 emails came up for the last 15 years' employment, we don't have the resource as a company to begin to verify whether these are relevant or contain sensitive or personal information of others."

If you say I want emails between 2 specific people for 5 years and 100 come up, and you have a team of people working on SAR, the ICO would probably agree with the employee it wasn't disproportionate effort.

The more specific you can be, the harder the org can say it's too much work.

daisychain01 · 06/06/2019 12:48

And does 'excessive' depend on the size of the organisation?

A very relevant question! Company size and set up is indeed important. What ICO is controlling against is a disgruntled member of staff/customer/service consumer bombarding a small company with an impossibly time consuming activity that saps their limited resource.

So, yes, a giant blue-chip company with 30 staff allocated to activities that might include SAR processing, is a very different proposition to a 1 woman and her dog SME, where the dog has to do the SARs [grin] and make the tea

FFSeverynameisused · 06/06/2019 13:54

thanks - in my company there is only one person with the specific title of DPO but he is a 'trainee' DPO so there must be others. It's a big organisation.

I put in a SAR for 2 specific documents and also everything held on file about me.

I have a very good reason to request the latter, but I have been working there for 16 years so it might be considered excessive? However, I need to know if my suspicion about something is correct.

chocolateworshipper · 06/06/2019 15:40

Thank you all for the input - I really appreciate it and it's very very helpful.

Cuppa12345 · 06/06/2019 17:47

If they say that, then ask that they exclude letters you've already been the recipient of and if they redact it, they can give you a time and date to go and look at the file yourself. It'll mean they can't say it'll be too much work to scan or photocopy it all in advance. You should be given the opportunity to see it and make your own copies as an option.

yummumto3girls · 06/06/2019 21:20

Just be sensible with this, if there is something specifically you are seeking then ask for it. Set specific timeframes/people/ subjects etc and you are more likely to get the information you are seeking. If you ask for everything then there is no responsibility to put this in any order and you could just receive hundreds of pages of random information that is of no use to you.

Rosasey · 28/01/2021 18:05

@daisychain01 @AgnesNaismith is it possible to request GDPR during early conciliation or do we need to request it before it?
Thanks in advance.

AgnesNaismith · 28/01/2021 18:37

This is an old thread [smile]

GDPR is the regulation - general data protection regulation

That covers what I think you’ll be asking for which is a data subject access request, to get all of your data

You can request this at any time - use the template above!

Rosasey · 28/01/2021 19:36

@AgnesNaismith thanks. Yes that's what I meant.

AgnesNaismith · 28/01/2021 20:52

No worries - good luck [flowers]
