SaaS software suppliers are increasingly having to deal with subject access requests (SARs) relating to data they store on behalf of customers. Excessive time and cost can be spent dealing with such requests unless the supplier's obligation to comply with, or assist the customer with, such requests is clearly defined in the SaaS agreement between the parties.
Subject Access Request (SAR)
Under the Data Protection Act 1998 (DPA), an individual has the right to access personal data held about them by making a SAR. Such requests usually concern customer data that a SaaS supplier holds on behalf of its SaaS customer. The SAR may be sent directly to the supplier or to the customer. A SAR is not the same as a request for information under the Freedom of Information Act (FOIA).
Under the FOIA, members of the public are entitled to request disclosure of non-personal information held by public authorities.
FOIA requests are made directly to the customer (the public authority), which often passes the request on to its supplier.
SaaS suppliers should not confuse a FOIA request with an individual's right to request personal information under a SAR. If a SaaS supplier mistakenly discloses personal data in response to a FOIA request, this could breach the DPA and result in a large fine.
The Information Commissioner’s Office (ICO) has issued a Subject Access Code of Practice which all SaaS suppliers should read. This provides useful advice on how to respond to a SAR.
For example, on receipt of a SAR suppliers should:
- identify whether a request is actually a SAR;
- ensure they have enough information to be certain of the requester’s identity;
- consider whether any of the exemptions apply; and
- provide a response in a permanent form where appropriate, stating whether a fee is payable.
Suppliers should include specific provisions in their terms and conditions setting out how disclosure requests will be dealt with. These should not be limited to SARs as there are other types of disclosure requests that can be made under English law.
The SaaS agreement should:
- set out the extent of the assistance to be given by the supplier to customers when dealing with a disclosure request;
- specify whether the consent of the customer is required prior to any data being disclosed; and
- include relevant time limits for complying with any requests.
Additionally, suppliers could consider having a data access policy setting out their specific obligations. This can be incorporated into the SaaS agreement by referring to it in the terms and conditions.