I’ve started to receive subject access requests (SARs) from third parties. Some of them look pretty suspicious – they tell me they have consent from the individual but don’t give me any evidence; they use pressure techniques and exert authority like a phishing email – but I know people are allowed to make access requests any way they like. Do I have to respond to requests like this?
Under the General Data Protection Regulation (GDPR), individuals have a right to receive a copy of their personal data, known as a subject access request or SAR. This right can be exercised by a third party on their behalf. Often, lawyers use the right as part of their information gathering where they are supporting someone with a dispute, but there are also companies springing up specifically to help people exercise this right. We have also seen examples of very sensitive situations where, for example, abusive ex-partners use a SAR about their child to try to track down their estranged families.
Responding to a SAR carries real risk and organisations need to handle it carefully. It can mean taking a large amount of potentially sensitive personal information, linking it together in ways that it is not normally linked, and then moving it to a location outside of the organisation’s security perimeter so the individual can review it. Organisations need to be very careful that they have the right security measures in place to respond to a SAR without causing a personal data breach.
When personal data is shared with a third party, organisations would normally go through processes to make sure that the personal data would be kept safe during and after the transfer. They would also need to make sure that there is a lawful basis for making the transfer.
GDPR Recital 64 says ‘The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.’ The clock starts ticking once you are sure you can identify the person the subject access request concerns. From that point you should start preparing the response while, in parallel, carrying out any checks that help you decide whether the third party is entitled to receive the individual’s personal data.
You should consider:
- Whether you can be sure the individual initiated the request and understands what information will be provided to the third party.
- Where the third party is located and whether you need to carry out a transfer impact assessment.
If you are unsure, I would recommend that you contact the individual directly. You might also wish to consider providing the personal data to the individual for them to share with the third party.
And if, at the end of your investigations, you are really concerned that something fishy is going on, you can refuse the request, documenting your decision and reason(s) why, and report the third party to the supervisory authority.