Web Analytics World

Analytics, Mobile, Social Media and Digital Marketing Strategy


Dealing with a Subject Access Request

November 19, 2013 by Irene Bodle

SaaS software suppliers increasingly have to deal with subject access requests (SARs) relating to data they store on behalf of customers. Excessive time and cost can be spent dealing with such requests unless the SaaS supplier’s obligation to comply with them, or to assist a customer with them, is clearly defined in the terms of the SaaS agreement between the parties.

Subject Access Request (SAR)

Under the Data Protection Act 1998 (DPA), an individual has the right to access personal data held by a supplier by making a SAR. Such requests for data usually relate to customer data held by SaaS suppliers on behalf of SaaS customers. The SAR can be sent directly to the supplier or the customer. This is not the same as a request for information under the Freedom of Information Act (FOIA).

FOIA

Under the FOIA, members of the public are entitled to request disclosure of:

  • non-personal information;
  • held by public authorities.

Requests are made directly to the customer, who often passes the request on to their supplier.

SaaS suppliers should not confuse a FOIA request with an individual’s right to request personal information under a SAR. If a SaaS supplier mistakenly discloses personal data under a FOIA request, this could breach the DPA and result in a large fine.

SARs

The Information Commissioner’s Office (ICO) has issued a Subject Access Code of Practice which all SaaS suppliers should read. This provides useful advice on how to respond to a SAR.

For example, upon receipt of a SAR, suppliers should:

  • identify whether a request is actually a SAR;
  • ensure they have enough information to be certain of the requester’s identity;
  • consider whether any of the exemptions apply; and
  • provide a response in a permanent form where appropriate, stating whether a fee is payable.

Contractual Provisions

Suppliers should include specific provisions in their terms and conditions setting out how disclosure requests will be dealt with. These should not be limited to SARs as there are other types of disclosure requests that can be made under English law.

The SaaS agreement should:

  • set out the extent of the assistance to be given by the supplier to customers when dealing with a disclosure request;
  • specify whether the consent of the customer is required prior to any data being disclosed; and
  • include relevant time limits for complying with any requests.

Additionally, suppliers could consider having a data access policy setting out their specific obligations. This can be incorporated into the SaaS agreement by reference to it in the terms and conditions.


About Irene Bodle

Irene founded Bodle Law in 2010 after working for 8 years as corporate counsel for a global software company. Irene offers specialist legal advice on IT law, in particular Internet law, website law, cloud issues, international software contracts and SaaS agreements.
