More guidance emerges for subject access requests in the UK
Joanne Cracknell, Willis Towers Watson, Divisional director, London, 28 December 2019
On 25 May 2018 the General Data Protection Regulation (GDPR) came into force, its mission being to ensure that people know about the data that firms are holding about them and how they are using it. The Information Commissioner's Office (ICO) of the United Kingdom has now issued some more advice about how to comply.
You might receive a subject access request (SAR) from a complainant and litigation might be possible. You cannot ignore a SAR on this basis. Remember, you are only obliged to supply the complainant with personal data (i.e. data that identifies and relates to him) and not the documents in their entirety. The complaint file might not belong in its entirety to the complainant. It is bound to hold personal data that relates to more than one individual. You might therefore have to review all documents in a file to decide whether to hand it over to the complainant.
If you do decide to withhold any information on the grounds that it is third-party personal data, it would be prudent to keep a record of the reason for your decision and the way in which you made it.
Again, the ICO has published detailed notes on this issue.
* Joanne Cracknell can be reached at joanne.cracknell@willistowerswatson.com