SAR - Subject Access Request Help
Discussion
Can anyone help me with the wording?
Is it even possible?
Has anyone successfully done this?
My understanding - A SAR is a request for personal information held by an organisation.
But what if that personal information on record contains personal information about another person?
Let's say a husband and wife.
The record is primarily about one but also contains information about the second.
Is it possible to request a complete record by the primary person by including a request for the record to be complete (both people) - and includes say a written consent of the second in the application?
Has anyone considered this?
Has experience of this.
I'm wanting a complete record and don't want the organisation to wriggle out - especially if the application isn't worded well.
Hope someone can understand what I'm trying to explain
RGG said:
Can anyone help me with the wording?
Is it even possible?
Has anyone successfully done this?
My understanding - A SAR is a request for personal information held by an organisation.
But what if that personal information on record contains personal information about another person?
Let's say a husband and wife.
The record is primarily about one but also contains information about the second.
Is it possible to request a complete record by the primary person by including a request for the record to be complete (both people) - and includes say a written consent of the second in the application?
Has anyone considered this?
Has experience of this.
I'm wanting a complete record and don't want the organisation to wriggle out - especially if the application isn't worded well.
Hope someone can understand what I'm trying to explain
see here
https://ico.org.uk/for-the-public/getting-copies-o...
be clear in what you want, dates etc
williamp said:
RGG said:
Can anyone help me with the wording?
Is it even possible?
Has anyone successfully done this?
My understanding - A SAR is a request for personal information held by an organisation.
But what if that personal information on record contains personal information about another person?
Let's say a husband and wife.
The record is primarily about one but also contains information about the second.
Is it possible to request a complete record by the primary person by including a request for the record to be complete (both people) - and includes say a written consent of the second in the application?
Has anyone considered this?
Has experience of this.
I'm wanting a complete record and don't want the organisation to wriggle out - especially if the application isn't worded well.
Hope someone can understand what I'm trying to explain
see here
https://ico.org.uk/for-the-public/getting-copies-o...
be clear in what you want, dates etc
It's the "second person" conundrum that isn't addressed in the ICO info.
That's the specific I'm trying to work around.
V8LM said:
I think any information given will be redacted to not disclose personal information about anyone else. If it can't be, it won't be given.
I think that's a good understanding of how it should work. Our praxis experience to date however has been different.
We've made three or four applications to different organisations (all healthcare) about the same core subject and each organisation have responded differently or inconsistently from within.
Some redact according to V8LM's understanding which redacts anyone other than the applicant. This seems to fit well with the SAR process.
Others have redacted any secondary person (myself!) inconsistently.
Some things redacted some things not.
It's not hard to read between the lines (blacked out) and see that information has been blocked that compromises that organisation.
It seems fairly obvious to us that some of the redaction is being used to protect the organisation.
On one SAR redaction has been used to hide the identity of one particular professional who had been, let's say unprofessional.
Also, my understanding of the SAR process according to the proper sources is that professionals' identities should not be redacted. This was the Ambulance Service.
All of the above is why I am trying to get some ideas and advice.
RGG said:
my understanding of the SAR process according to the proper sources is that professionals' identities should not be redacted. This was the Ambulance Service.
I don't believe that's the case. A while back I made an SAR to the police regarding a nasty incident with an ex who went mental at my home. The request comprised CAD report (ie the initial call), body cam footage from the officers attending, officer report and interview audio.
The faces of the 2 officers were blurred out on body cam and officer names redacted from the interview and officer report. The name of the solicitor was redacted in the interview footage. The name of the woman and any identifying details was redacted, even though I obviously knew her name/details so hard to see the point of that.
That means some poor sod must have had to watch > 1 hour of body cam footage/listen to interview audio/read officer report and redact/blur out as needed. It would not have been possible to identify the officers or the lady concerned from the SAR.
To get a full account of what happened you and the other person(s) would have to make separate requests. Clearly it is not the case that professionals' names should not be redacted - they were redacted/blurred.
done lots of these in my big civil service organisation.
as above, be really precise.
for example:
'I want all information held containing my name, either electronically or in paper form, from the dates 1 January 2001 to 31 July 2025'
they'll need to confirm your ID. if this is your employer your employee number will be enough.
you can also request emails sent by people that contain your name. for example:
'I want all emails sent from the following address - Joe.bloggs@civilserice.gov.uk - that contain my name in either the heading or subject text'
only thing with this is it's self-policing. but if it comes on top further down that they've lied then it can be bad for them.
in your example of 2 people putting them in to get the info that will work. just both do carbon copies of the request like the above. each one should come back redacted against the other.
they have 3 months to comply. then go to the ICO when they send it back heavily redacted. as they will. then be prepared for a long fight and stone walling. so make sure it's all worth it before you send!
The SAR refers to information relating to the subject of the request. In complying, the organization should not disclose personal information of anyone else. This could include their names. Indeed, if they disclosed personal information about someone else to you, without their permission, they would be in breach of GDPR. Any other information that is not about you can be redacted.
If your name is included in emails, but these do not include any information about you, then these do not need to be disclosed.
If you believe the redacted parts contain personal information, you should then go back to them, detailing what information you believe they hold and ask them to review again. If you then still believe personal information of the subject is being withheld, you can go to the ICO - https://ico.org.uk/for-the-public/getting-copies-o...
RGG said:
It's not hard to read between the lines (blacked out) and see that information has been blocked that compromises that organisation.
It seems fairly obvious to us that some of the redaction is being used to protect the organisation.
Unless it is information about the subject, they can.
RGG said:
On one SAR redaction has been used to hide the identity of one particular professional who had been, let's say unprofessional.
As they should. This is information about the professional and not about the subject.
Edited by V8LM on Friday 1st August 10:04
Thanks very much to those that have made helpful and considered replies.
Myself, as the secondary person, I'm thinking of the following.
To request my personal information separately.
To put in the request that, in order to identify my personal information, I am known, first name, in a shortened version, and will/could also be identified as husband, partner, carer etc.
The reasoning being that in speech and written accounts plain English is used and people are rarely referred to by their full names.
I would be very grateful for any comments on this particular point as I feel it could influence their response.
Thanks again for helping with this troubling problem.
Yes, you should give as much information that they can use to identify you - names, initials, etc.
'Partner of X' gets difficult as they would only need to disclose any relevant information about you if they have information that uniquely identifies you as the Partner of X. And then, the information they would then give is only that related to you, not X.
RGG said:
To put in the request that, in order to identify my personal information, I am known, first name, in a shortened version, and will/could also be identified as husband, partner, carer etc..
So something like you're called Michael but you go by Mike? That wouldn't be an issue. When you make the SAR online you will need to provide ID - scan of your passport and driving licence. The fact you're husband/partner/whatever is irrelevant. You are entitled to request about you and you alone, your relationship to the other person does not entitle you to any more information. As the chap above noted the identities of the professionals involved will be redacted or blurred if there's video.
In my example I gave a statement to police which was included in the SAR but half of it was redacted as it contained information about the other person. Seems pretty pointless to send me a redacted version of a statement I gave but that seems to be the rules.
Presumably you are on good terms with the other person so they'd be happy to make their own request?
If you both make separate SARs you still won't get a full account of what happened.
Edited by jonsp on Friday 1st August 10:43
You can only request your own personal data under a Subject Access Request.
Where there is a risk of another person’s data being exposed, the company is obliged to redact it or it would be a breach of the Data Protection Act or a Data Subject Breach, reportable under GDPR.
In certain circumstances, if the effort required to remove other person’s details is particularly onerous, they may decline to give you it on the grounds of it not being reasonable/practicable. However, if they attempt to do this, they are required to explain for each item why they are not providing it.
Realistically, unless you’re requesting War and Peace they will probably provide it with redactions, due to the risk of a complaint to the ICO against them for refusing to facilitate your rights (article 12).
The best approach for you would be to send two separate DSARs, one for each person.
They will have different redactions but with AI tools now, like ChatGPT (turn data sharing off!) or Claude for £15 a month, you could provide both versions of the same documents (if different parts of the email are redacted) to merge you a fully unredacted mail to help with reading.
yeah but...
if it's for you and your partner, but just you ask for it then it's likely to include both. Why?
- It's easier for the person doing it
- It's likely their data protection rights are not affected by the disclosure
For example: you have a joint record. Only you ask, but the data you receive includes some of your partner's data. Is it a problem that you now know things which you already know (eg I bet you know your partner's name, date of birth, place of birth, probably have access to their ID so passport number etc; maybe even their bra and dress size)? So if this is included, so what? It's not hurt anyone for you to be given this.
Their medical data would be different. But a partner knows a lot about their partner. It's not a problem to be told this again. The focus for the ICO is to look into whether their rights have been adversely affected by the disclosure. Not necessarily that it's happened.
Being easy is not a reason to disclose information.
https://ico.org.uk/for-organisations/uk-gdpr-guida...
Two SARs, each with written consent from the partner to disclose in the response any information in the record relating to them, and means for the data holder to confirm that consent, would be a way to help get fuller responses.
They still might redact, though.
ETA: For the 'professional', revealing any personal information about them depends on their involvement:
ICO said:
If the data subject requests information that is also the personal data of a health worker, an education worker or a social worker, it is reasonable to disclose information about them without their consent, as long as the disclosure meets the appropriate test.
For health workers, it meets the health data test if:
- a health record contains the information; and
- the third-party individual is a health professional who:
  - compiled the record;
  - contributed to the record; or
  - was involved in the requester's diagnosis, care or treatment.
- consists of data concerning health; and
- is made by or on behalf of a health professional (eg a doctor, dentist or nurse) in connection with an individual's diagnosis, care or treatment.
Edited by V8LM on Sunday 3rd August 08:41
Vanity Projects said:
You can only request your own personal data under a Subject Access Request.
Where there is a risk of another person's data being exposed, the company is obliged to redact it or it would be a breach of the Data Protection Act or a Data Subject Breach, reportable under GDPR.
In certain circumstances, if the effort required to remove other person's details is particularly onerous, they may decline to give you it on the grounds of it not being reasonable/practicable. However, if they attempt to do this, they are required to explain for each item why they are not providing it.
Realistically, unless you're requesting War and Peace they will probably provide it with redactions, due to the risk of a complaint to the ICO against them for refusing to facilitate your rights (article 12).
The best approach for you would be to send two separate DSARs, one for each person.
They will have different redactions but with AI tools now, like ChatGPT (turn data sharing off!) or Claude for £15 a month, you could provide both versions of the same documents (if different parts of the email are redacted) to merge you a fully unredacted mail to help with reading.
Yes, thanks, I am thinking two mirror SAR applications each with the other's consent delivered "in the same envelope" would be the best way forward.
That might be the best way to focus their minds re providing as much information as possible; thank you.
V8LM said:
Being easy is not a reason to disclose information.
https://ico.org.uk/for-organisations/uk-gdpr-guida...
Two SARs, each with written consent from the partner to disclose in the response any information in the record relating to them, and means for the data holder to confirm that consent, would be a way to help get fuller responses.
They still might redact, though.
ETA: For the 'professional', revealing any personal information about them depends on their involvement:
This ICO information is the section that provides guidance to the Health Services and my expectation was that (one example) the ambulance paramedic's name would not be redacted; but it was.
ICO said:
If the data subject requests information that is also the personal data of a health worker, an education worker or a social worker, it is reasonable to disclose information about them without their consent, as long as the disclosure meets the appropriate test.
For health workers, it meets the health data test if:
- a health record contains the information; and
- the third-party individual is a health professional who:
  - compiled the record;
  - contributed to the record; or
  - was involved in the requester's diagnosis, care or treatment.
- consists of data concerning health; and
- is made by or on behalf of a health professional (eg a doctor, dentist or nurse) in connection with an individual's diagnosis, care or treatment.
Edited by V8LM on Sunday 3rd August 08:41
Two applications, each with the other's consent, delivered simultaneously is looking to be the best way forward now.
Thanks very much for your input.