Subject Access Requests

“When I receive a Subject Access Request do I have to provide everything with a person’s name on?”

The Short answer is no. Whilst a person’s name will be personal data, this does not mean the whole content of any document becomes their personal data. There is no need to disclose the whole of an email, or any document just because they are addressed to an individual. Any content not related to an individual is not personal data and can be withheld/redacted. Here is an example straight from the Information Commissioner’s Office,

“An employee makes a SAR for all of the information you hold about them. During your search for their personal data, you find 2000 emails which the employee is copied into as a recipient. Other than their name and email address, the content of the emails does not relate to the employee or contain the employee’s personal data.

You do not have to provide the employee with a copy of each email (with the personal information of third parties redacted). Since the only personal data which relates to them is their name and empl-ail address, it is sufficient to advise them that you identified their name and email address on 2000 emails and disclose to them the name contained on those emails, e.g. John Smith, and the email address contained on those emails, e.g. . Alternatively you could provide one email with other details redacted as a sample of the 2000 emails you hold. You should also clearly explain to the individual why this is the only information they are entitled to under the UK GDPR, but remember to provide them with supplementary information concerning the processing, e.g. retention periods for the emails.

However, if any of the content within the email relates to the individual, you should provide them with a copy of the email itself, redacted if necessary.”

In Conclusion,

Whilst the GDPR / Data Protection Act 2018 require you to confirm what personal data you hold, how you process it and to provide a copy upon request within 30 days, this does not give a data subject a right to anything and everything with their name on it. If you do receive a request for information that you do not believe is personal data, we would advise that you confirm to the subject that you hold the document, confirm the personal data contained and either withhold the document or redact any information that is not personal to the subject (depending on how much). We would also advise that you set it aside a full set of the original documents so that this can be provided upon request to either the Information Commissioners Office or a court.

As always, this advice is general in nature and will need to be tailored to any one particular situation. As a MILS member you have access to the Legal advice line, as well as a number of industry experts for your assistance. Should you find yourself in the situation above, contact us at any stage for advice and assistance as appropriate.