SAR: those three little letters that can bring a world of pain to the HR manager’s day. One minute you are trying to get on top of a thousand and one HR tasks; the next you receive a simple request for information that can take you hours, if not days, to respond to.
SARs or Subject Access Requests were introduced under section 7 of the Data Protection Act 1998. They are now referred to as Right of access requests under the General Data Protection Regulation (GDPR). They enable employees to request certain information about their personal data and how employers are processing it.
As such, an employee often directs a SAR to the HR department, although they may send it to a line manager, or indeed anyone else in the business.
Once you receive a SAR, you must acknowledge receipt promptly and respond to it within a maximum of one month; a frightening time-frame if you work with a maze of different online and offline systems to store your staff’s personal data.
As an employer, you can ask the requesting party to specify the scope of the SAR before the month-long period begins. This is true as long as you genuinely need this guidance to be able to find the data.
If you can get the requesting party to specify the type of data they want – such as emails between certain dates and between specific staff members – this can remove the need to collect a lot of unnecessary data.
However, the requesting party may not be able to clarify where they think the data is. This means you may have to search documents in a host of formats. This could be computerised data, for example records stored in your HR software, or emails stored on your server. It could also be manual data such as paper files and records. As a result, some SARs can take huge amounts of time to respond to in an accurate and comprehensive manner.
Although responding to a SAR is rarely going to be a five-minute job, you may be able to significantly reduce the time you have to spend searching for data by keeping as much information as possible on your HR software.
That way, if an employee asks for a copy of the data you hold on them relating to absence, performance reviews, disciplinary proceedings or their personnel file, you can find it quickly and easily.
Of course, many SARs will relate to emails, which your HR software won’t be able to help with. That said, if the data relates to matters such as appraisals, disciplinary or back-to-work meetings, your HR software may well help you identify the likely timing and location of any emails relating to the SAR.
The rules around Subject Access Requests are quite complicated, but you can find a host of information on the Information Commissioner’s Office website, along with a handy SAR checklist for organisations.