Subject Access Requests: what data do I need to disclose?

Posted on 19/04/21
First of all – when in doubt you should check with the appropriate authority or qualified legal advisor on your requirements.
It’s important to realise 3 key issues here:
1. This is not (yet) a legal matter – it’s not necessary to perform a full forensic collection.
2. Just because it’s inconvenient or difficult, doesn’t mean it’s out of scope.
3. Context matters. Just because an email is business-sensitive, doesn’t mean it’s not personally sensitive. Equally, just because the subject was a recipient of the email doesn’t make them entitled to its contents.
To elaborate on those points; in legal discovery and collection we go to great lengths to retrieve data. That’s because we’re looking for anything that may be evidence relevant to the matter, and that sets a very high level of importance on finding all information and preserving it in a forensically sound manner. Even to the point where we scan devices for deleted files.
The purpose of a Subject Access Request is different: it’s to be transparent with individual about the data you hold on them. It’s basically about behaving responsibly with information that isn’t yours. It’s been loaned to the business by the owner, and they simply have a right to know what you have and what you’ve done with it.
If your business has, as a matter of standard practice outside of the SAR, deleted the data, then it’s quite reasonable to leave it at that without going to extreme processes to recover deleted information. That said, a “deleted items” folder doesn’t count as deleted, and you can never remove data just to avoid disclosing it. Also, unless exempt, redact the data to ensure other individuals’ personal information is not disclosed. You can find out about redaction here.
You only need to disclose information if it can be said to form part of a “filing system” – which does include emails. The point is that if it’s operationally accessible to the business, then of course it should be disclosed. However, where that’s not the case, you need to make a determination. Bear in mind you need to be able to justify that determination if/when you are challenged on that.
Another important point to consider, is that often SARs are simply fact-finding exercises for individuals looking to start a litigation process. If you believe this to be the case, it may be your legal responsibility at this point to impose a legal hold on all relevant information on an impending investigation.
Often the biggest challenge to organisations is knowing where to look for the individual’s personal data. If you are in doubt as to where it may be stored, you should refer to your DPIA(s) for the particular processes they were involved in. If you don’t have DPIAs, well, that’s another matter entirely.