Introduction
The Subject Access Request (SAR) plugin captures the information you need to process requests to your organisation.
It includes two tasks used by case managers to validate the person's ID and issue a formal response.
Submitting a Request
The standard form someone uses to submit a subject access request includes fields for the following:
- Confirmation that they are requesting their own information
- If requesting information on behalf of someone else, confirmation that they have that person's consent and their relationship to them
- Their name, email and optional phone number
- Uploads for proof of identity
- Fields that allow them to list the data they are requesting and include relevant dates, etc.
Case Details
Subject access requests appear in Case Management much like any other case type.
The details tab includes a full read-only copy of the request, plus all of the contact details of the person who submitted it.
Statuses
The standard starting status is "Validating", which allows the case manager to review the request and perform the "Validate Subject ID" task.
Other statuses include "Accepted", "Awaiting information" and "Published".
Tasks
The SAR plugin includes two new tasks, used by case managers to process the request.
Validate Subject's ID
This task is automatically generated as soon as an SAR case is raised. It allows a case manager to check the ID of the person making the request.
When a case manager contacts the person making the request for further information, that person is notified via email and prompted to log in and respond. They can also upload further evidence.
The task can be completed by either confirming the user's identity or rejecting it. Rejecting a user's identity emails the case manager responsible for the case, allowing them to take further action.
SAR Response
The response task emails the user who raised the request. It allows the case manager to tailor the standard email response text and add any files that have been uploaded to the case as attachments. Sending the response completes the task and allows the case itself to be closed.
Collect Information/Investigate
The two standard tasks, Collect Information and Investigate, are also available. These should be assigned to other teams or departments as required. The material uploaded as these tasks are completed should contain the information requested by the person who raised the request. Any files uploaded can be included with the SAR response.
Configuration
The following settings should be reviewed as part of configuring an SAR case type.
User Groups
You'll need user groups to manage your case and carry out the tasks associated with it. The standard ones are as follows.
Name | Description |
---|---|
CM-SAR | The users who will handle SAR cases. These users may also carry out the response and validate tasks |
CM-TASKS | The users who will have the collect and investigate tasks assigned to them |
CM-VALIDATE | The users who will carry out the "Validate Subject ID" task |
Tasks
Four tasks are used by SAR cases.
Task | Description |
---|---|
Validate Subject ID | This task formally records that the ID of the person raising the SAR has been confirmed. It includes options for contacting them. It could be set up to be generated automatically. It could be carried out by the case manager or a separate group |
Collect Information | This allows a single response and file upload |
Investigate | This allows ongoing updates to be passed back to the case |
SAR Response | This formal response sends an email to the person who raised the case and allows any files uploaded as part of the case to be included as attachments |
Emails
All of the emails listed in Emails and Notifications should be reviewed.
SLAs
The ICO has published guidance on the time limits for responding to requests: https://ico.org.uk/your-data-matters/time-limits-for-responding-to-data-protection-rights-requests/. Your SLAs and reminders should be set up to reflect these limits.