In July 2023 Nigel Farage’s bank accounts were closed by Coutts, a subsidiary of NatWest Banking Group, after an internal risk committee determined that his views on Brexit, LGBTQ+ rights and Net Zero “did not align” with the bank’s “values”.
The BBC had reported that his account was being closed because he no longer met the wealth threshold for Coutts, but later apologised when it emerged that the then-head of the Group had leaked the incorrect information. Farage identified the real reason for the closures after submitting a Subject Access Request (‘SAR’).
In today’s data-driven world, the demand for transparency and control over personal information has reached new heights. With accelerating redundancies leading to a breakdown in employer-employee relationships and concerns over data being misused, there has been a 60% rise in SARs. However, these requests can pose a significant risk to employers, including the threat of reputational damage. What is the right of access and what are your obligations?
What is a SAR?
A Subject Access Request ('SAR') is a request by which an individual exercises their right of access to their own personal data, as well as other supplementary information. A SAR is distinct from a Freedom of Information Act request, which is for information held by a public authority.
You don’t have to be a celebrity to submit a SAR. Any individual can submit a request to any organisation that processes – or they think processes – their personal data.
What are my company’s obligations under the Act?
You must comply with a SAR without undue delay and at the latest within one month of receiving the request. This period can be extended in certain circumstances for more complex requests.
You can ask for ID to verify the requester’s identity, and the timescale for a response does not begin until you have received that information.
Are there any exemptions to providing the information?
You can refuse to disclose information by invoking one or more of the exemptions listed in Schedules 2 and 3 of the Data Protection Act 2018. Two of the exemptions are:
- Legal professional privilege: Prevents you from disclosing confidential information created to provide or obtain legal advice where there is a real prospect of litigation. It also prevents the disclosure of confidential communications between a client and their lawyer made to give legal advice.
- Confidential references: Prevents an employer from disclosing references about the individual given for education, training, or employment purposes, and applies regardless of whether you have given or received the reference.
What if the information requested contains third-party data?
You should first consider whether it is possible to comply with the request without disclosing information that identifies another individual. If it is not, the ICO recommends you consider seeking permission from the third party, failing which you should consider whether it is reasonable to disclose in any event.
With all the exemptions, it is a requirement that you apply the public interest test. This is a delicate balancing act and our expert lawyers can assist.
Can I charge for providing the information?
No, unless the request is manifestly unfounded or excessive, or if an individual requests further copies of their data.
Can I be penalised for refusing to comply with the obligations?
Yes. If you fail to comply, the requester may apply for a court order requiring you to comply or to pay compensation. It is also a criminal offence to alter, deface, block, erase, destroy, or conceal information with the intention of preventing disclosure.
How can I ensure my company has good procedures in place to deal with SARs?
- Ensuring that you have a compliant Privacy Notice. You may also implement a separate Privacy Notice for your employees.
- Ensuring that your employees are trained to recognise a SAR, which can be made verbally or in writing, including on social media.
- Ensuring good record-keeping to justify any decisions to disclose or withhold information.
- Implementing a SAR policy with provisions to deal with vexatious requests, saving you time and resources.
- Seeking legal advice if you are in doubt about the exemptions and the public interest test.
How can Tozers assist?
The disclosure of personal data can have significant consequences, including reputational risk. A SAR can often be a precursor to, or made in the course of, litigation. Tozers’ data protection lawyers can provide you with the expert guidance you need in this ever-evolving legal landscape and are well-equipped to draft policies and complex SAR responses.