⏱️ Critical Timeline
Response Deadline: ONE CALENDAR MONTH from receipt of a valid SAR (extendable by a further two months, to three months in total, for complex or numerous requests)
No Fee: SARs are FREE unless manifestly unfounded, excessive, or repetitive
1. Introduction and Purpose
This procedure sets out how ClearMinds handles Subject Access Requests (SARs) in compliance with Articles 15 and 12 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
A Subject Access Request (SAR) is a formal request from an individual (data subject) for access to their personal data held by ClearMinds. This is a fundamental right under data protection law that allows individuals to:
- Access their personal data
- Understand how their data is being processed
- Verify the lawfulness of processing
- Check the accuracy of their data
- Exercise other data protection rights
2. Right of Access - What Individuals Are Entitled To
Under Article 15 UK GDPR, data subjects have the right to obtain:
2.1 Confirmation and Access
- Confirmation of whether we process their personal data
- A copy of that personal data
- A copy free of charge (first copy)
2.2 Supplementary Information
- Purposes of processing: Why we process the data
- Categories of data: Types of personal data we hold
- Recipients: Who we share or have shared the data with
- Retention periods: How long we keep the data
- Data sources: Where we obtained the data (if not from the individual)
- Automated decision-making: Information about any automated decisions or profiling
- Rights information: Their right to rectification, erasure, restriction, objection
- Complaint rights: Right to complain to the ICO
- International transfers: Information about any transfers outside the UK
3. What Constitutes a Valid SAR?
3.1 Recognition of SARs
A SAR can be made:
- In writing (letter, email, form)
- Verbally (phone call, in-person)
- Via any communication channel (social media, website contact form)
- Without using specific language or referencing "SAR" or "GDPR"
Recognising an Informal SAR
Any request that asks "What information do you have about me?" or "Can I see my records?" should be treated as a potential SAR, even if the requester doesn't use formal legal language.
3.2 Information Required from Requester
To process a SAR, we need:
- Name and contact details
- Sufficient information to identify them in our systems
- Proof of identity (to prevent unauthorised disclosure)
- Clarification of the request (if unclear or overly broad)
4. SAR Workflow - Step-by-Step Process
SAR Processing Stages
- Receipt: SAR received and logged (Day 0)
- Acknowledgement: Acknowledge within 3 business days
- Verification: Verify identity and clarify request if needed
- Search: Locate all relevant personal data
- Review: Review data for exemptions and third-party rights
- Redaction: Redact any exempt information
- Preparation: Prepare response package
- Approval: DPO approval before release
- Response: Deliver response by the deadline (one calendar month from receipt: the corresponding date in the following month, the last day of that month if there is no corresponding date, or the next working day if that date falls on a weekend or public holiday)
- Record: Log completion and retain records
4.1 Stage 1: Receipt and Acknowledgement (Days 0-3)
When a SAR is Received
✅ Immediate Actions
- Forward to DPO IMMEDIATELY: All SARs must go to dpo@clearmindseap.com
- Do not delete or alter any data: Preserve all records from the moment the SAR is received. Altering, deleting, concealing or blocking records to prevent their disclosure in response to a SAR is a criminal offence under section 173 of the Data Protection Act 2018
- Do not discuss: Maintain confidentiality - only discuss with DPO and response team
- Mark as urgent: Flag as priority in systems
DPO Actions
- Log the request: Record in SAR tracking system with unique reference number
- Start the clock: Note receipt date (1-month deadline begins)
- Send acknowledgement: Acknowledge within 3 business days
- Assign case handler: Allocate appropriate staff member
Acknowledgement Letter Content
- Thank them for their request
- Provide SAR reference number
- Confirm we'll respond within 1 month
- Request any additional information needed for identity verification or clarification
- Provide DPO contact details for queries
4.2 Stage 2: Identity Verification (Days 3-7)
Before disclosing personal data, we must verify the requester's identity to prevent unauthorised disclosure.
Identity Verification Requirements
For current service users:
- Name, date of birth, and email address on account
- Security questions or account details
- OR copy of photo ID (passport, driving licence)
For former service users or more sensitive requests:
- Copy of photo ID (passport, driving licence, national ID card)
- Proof of address (utility bill, bank statement) less than 3 months old
- Additional verification questions if needed
For third-party representatives:
- Proof of identity for both the data subject and representative
- Authorisation document (signed authority, lasting power of attorney, court order)
- For children: evidence of parental responsibility
⚠️ Important: Where identity verification is genuinely needed, ICO guidance is that the one-month period runs from the day we receive the verification information, not from the original receipt date. A request for verification must be reasonable and proportionate (do not demand photo ID from a current account holder whose identity is not in doubt), must be sent promptly, and every communication must be documented so the deadline can be evidenced.
4.3 Stage 3: Request Clarification (if needed) (Days 3-10)
If the request is unclear, overly broad, or would require disproportionate effort, we can ask for clarification:
When Clarification May Be Needed
- Request is very broad and would cover extensive time periods
- Unclear which personal data is being requested
- Multiple individuals with similar details in our systems
- Requesting data that we're unlikely to hold
Clarification Approach
- Be helpful and constructive
- Suggest ways to narrow the request (e.g., specific time periods, types of data)
- Explain what data we hold to help them specify
- Offer a phone call to discuss
- Document all clarification attempts
Best Practice: Don't use clarification as a delaying tactic. Only request clarification when genuinely needed, and assist the requester in refining their request.
4.4 Stage 4: Data Search and Retrieval (Days 7-20)
Conduct comprehensive search for all personal data about the individual.
Systems and Locations to Search
| System/Location | Data to Search | Responsible |
|---|---|---|
| Clinical Records System | Clinical notes, assessments, treatment plans, progress notes | Clinical team |
| User Account Database | Account details, contact information, login history | IT team |
| Email Systems | Emails to/from the individual, internal emails about them | All relevant staff |
| Communication Records | Call recordings, chat transcripts, SMS messages | Customer service team |
| HR Systems (if staff member) | Personnel files, payroll, performance reviews | HR team |
| Financial Systems | Invoices, payment records, billing information | Finance team |
| Backup Systems | Any data in backups not in live systems | IT team |
| Paper Files | Any physical records or documents | Administration team |
| CCTV/Security | Security footage if specifically requested and available | Security/Facilities |
Search Tips
- Search by name, email, employee ID, reference numbers
- Check for name variations, nicknames, maiden names
- Search date ranges relevant to the request
- Include data held by third-party processors on our behalf
- Don't forget archived or offline data
- Document search process and locations searched
Scope Reminder: A SAR covers personal data about the individual, not just information they provided. Include data about them from third parties, system-generated data, and metadata.
4.5 Stage 5: Review for Exemptions (Days 20-25)
Review all identified data for exemptions and third-party information requiring redaction.
Common Exemptions Under UK GDPR and DPA 2018
| Exemption | When It Applies | Example |
|---|---|---|
| Third-Party Information | Information identifying other individuals who have not consented to disclosure | Another patient mentioned in clinical notes; colleague's personal info in emails |
| Legal Professional Privilege | Communications with lawyers for legal advice or litigation | Email to solicitor seeking advice about the individual |
| Management Forecasting | Management planning or forecasting for the business | Internal discussion about employee's future within company |
| Negotiations | Prejudice to ongoing negotiations with the individual | Settlement offers or negotiation strategies |
| Serious Harm | Disclosure would cause serious harm to physical or mental health | Clinical opinion that disclosure would significantly harm mental health (rare, requires clinical judgment) |
| Crime Prevention | Disclosure would prejudice prevention/detection of crime | Information related to ongoing police investigation |
Applying Exemptions
General Principle: Exemptions should be applied narrowly and as a last resort. The presumption is always towards disclosure. We must be able to justify each exemption applied.
Redaction Not Deletion: Redact exempt information, don't withhold entire documents. Provide as much information as possible.
Documentation: Document every exemption applied with clear legal reasoning.
Third-Party Information Handling
For information identifying other individuals:
- Assess Reasonableness: Would disclosure be reasonable in the circumstances?
- Consider Consent: Can you obtain consent from the third party?
- Redaction: If no consent and not reasonable to disclose, redact names and identifying details
- Preserve Context: Try to maintain meaning while protecting third parties
Clinical Records - Special Considerations
For mental health records:
- Clinical Review: Clinical director should review for serious harm exemption
- High Bar: Serious harm exemption has a high threshold - not just "may cause distress"
- Alternatives: Consider whether information could be provided with support or explanation
- Professional Judgment: Document clinical rationale if withholding any information
4.6 Stage 6: Prepare Response Package (Days 25-28)
Response Package Should Include:
- Cover Letter
- Explanation of what's enclosed
- Summary of categories of data provided
- Explanation of any exemptions applied
- Information about their rights (rectification, erasure, etc.)
- Right to complain to ICO
- Supplementary Information Sheet
- Purposes of processing
- Categories of data held
- Recipients of data
- Retention periods
- Data sources
- Rights information
- Personal Data
- Intelligible format (permanent, easy to read)
- Securely redacted documents (if applicable): redaction must remove the underlying text or image data, not overlay it. A black box drawn over text in a PDF or a highlighted cell in a spreadsheet leaves the original recoverable by copy-and-paste or by removing the overlay; check the final file (search for the redacted terms, inspect metadata and revision history) before release
- Key or glossary for any codes or abbreviations
- Explanation of context where helpful
Format and Delivery
- Preferred Method: Secure electronic delivery (encrypted email, secure portal)
- Physical Copy: Registered post if requested or if electronic not appropriate
- Format: PDF for most documents; explain any technical data
- Size: If very large, consider secure portal or encrypted USB drive
4.7 Stage 7: Quality Check and Approval (Days 28-29)
✅ Final Quality Checks
- All data provided is about the requester (no wrong person's data)
- All relevant systems have been searched
- Exemptions properly applied and documented
- Third-party information appropriately redacted
- Cover letter accurate and complete
- Supplementary information provided
- Data is in intelligible format
- All documents properly labelled
DPO Approval: DPO must approve all SAR responses before release.
4.8 Stage 8: Delivery of Response (by the deadline)
- Send response by secure method
- Obtain delivery confirmation
- Follow up to confirm receipt
- Offer to discuss or clarify any questions
5. Extensions and Delays
5.1 When Extensions Are Permitted
We may extend the response deadline by an additional 2 months (to 3 months total) if the request is complex or we receive multiple requests from the same individual.
Requirements for Extension:
- Notify the requester within 1 month of receipt
- Explain reasons for the extension
- Provide new deadline (cannot exceed 3 months from original receipt)
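Worked deadline calculation for the SAR log, as an added example; it is not part of the ClearMinds procedure or its SAR tracking system. It applies the ICO "corresponding date" rule for the one-month period (same date next month, clamped to the last day of a shorter month, rolled forward past weekends and public holidays) and the Article 12(3) extension, which is measured from the original start date rather than from the day the extension is decided. The `SarCase` class, the function names and the holiday set are assumptions introduced for illustration; the holiday set is a constructed placeholder, not the official bank-holiday list.

```python
"""Statutory deadline calculator for a SAR tracking log (added example).

Rules implemented (ICO right-of-access guidance):
  - deadline is the corresponding calendar date in the following month;
  - if that month is shorter and has no such date, the last day of that month;
  - if the result is a Saturday, Sunday or public holiday, the next working day;
  - an extension makes the deadline three months from the original start date.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed placeholder for the example; in production load the official
# England and Wales bank-holiday list instead of this two-date set.
SAMPLE_BANK_HOLIDAYS: frozenset[date] = frozenset({date(2025, 12, 25), date(2025, 12, 26)})


def add_calendar_months(start: date, months: int) -> date:
    """Corresponding date `months` later, clamped to the end of a shorter month."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(d: date, holidays: frozenset[date]) -> date:
    """Roll forward past Saturday (5), Sunday (6) and listed public holidays."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def sar_deadline(start: date, *, extended: bool = False,
                 holidays: frozenset[date] = SAMPLE_BANK_HOLIDAYS) -> date:
    """Response deadline for a SAR whose clock started on `start`.

    With `extended=True` the deadline is three months from `start`, the
    maximum allowed under Article 12(3); the extension does not restart
    the clock from the date the extension was notified.
    """
    months = 3 if extended else 1
    return next_working_day(add_calendar_months(start, months), holidays)


@dataclass
class SarCase:
    """Minimal tracker entry: only the fields needed to compute the deadline.

    Hypothetical structure for this example. The clock starts on receipt,
    or, where reasonable identity verification had to be requested, on the
    day that verification information was received.
    """
    reference: str
    received: date
    identity_verified_on: date | None = None
    extended: bool = False
    holidays: frozenset[date] = SAMPLE_BANK_HOLIDAYS

    def clock_start(self) -> date:
        return self.identity_verified_on or self.received

    def deadline(self) -> date:
        return sar_deadline(self.clock_start(), extended=self.extended,
                            holidays=self.holidays)

    def days_remaining(self, today: date) -> int:
        """Calendar days left; negative means the deadline has been missed."""
        return (self.deadline() - today).days


if __name__ == "__main__":
    # Short-month case: received 31 January, no 31 February, so 28 February.
    print(sar_deadline(date(2025, 1, 31)))
    # Holiday and weekend roll-forward using the constructed holiday set.
    print(sar_deadline(date(2025, 11, 25)))
    case = SarCase("SAR-0001", date(2025, 1, 31), identity_verified_on=date(2025, 2, 10))
    print(case.reference, case.deadline(), case.days_remaining(date(2025, 3, 3)))
```

Note that "Day 30" is only a working target: a request received on 31 January is due on 28 February, while one received on 1 July is due on 1 August, so the log should store the computed date rather than a fixed day count.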
5.2 Manifestly Unfounded or Excessive Requests
We may refuse or charge a reasonable fee for requests that are:
- Manifestly unfounded
- Excessive (e.g., repetitive requests)
High Bar for Refusal: This is rare and requires clear evidence. We must demonstrate that the request is manifestly unfounded or excessive, not just inconvenient or burdensome.
If Refusing:
- Inform requester without undue delay (within 1 month)
- Explain reasons for refusal
- Inform of right to complain to ICO and right to judicial remedy
6. Special Scenarios
6.1 SARs from Children
- Children can make SARs if they have sufficient understanding (Gillick competence)
- Generally, children aged 13+ are considered competent for standard SARs
- For younger children, assess competence on case-by-case basis
- Parents can make SARs on behalf of children, but consider child's rights to confidentiality
- Particularly sensitive for mental health data - seek clinical advice
6.2 SARs from Representatives
Verify authority carefully:
- Lasting Power of Attorney (LPA): Check it covers health and welfare decisions
- Deputyship Order: Verify scope with court order
- Next of Kin: No automatic right - requires data subject consent or lack of capacity
- Solicitors: Require written authorisation from the data subject
- Parents: Verify parental responsibility (especially if separated/divorced)
6.3 Deceased Persons
UK GDPR does not apply to deceased individuals, but:
- Health records of a deceased person are governed by the Access to Health Records Act 1990, which gives a right of access to the personal representative and to anyone with a claim arising from the death; handle such requests under that Act rather than as SARs
- Review any instructions left by the deceased about their data
- Consider common law duty of confidentiality
- Seek legal advice for complex cases
- Be particularly careful with clinical records
6.4 SARs During Employment Tribunal Claims
- Employee tribunal SARs are common
- Cannot refuse due to ongoing tribunal - same rules apply
- Legal professional privilege may apply to some legal advice
- Seek legal advice before responding
- Respond within normal timescales
7. Tracking and Record-Keeping
7.1 SAR Log
Maintain a comprehensive log of all SARs including:
- Date received and reference number
- Requester details
- Date acknowledged
- Response deadline
- Whether identity verified
- Extensions applied
- Summary of data provided
- Exemptions applied and reasoning
- Date responded
- Any complaints or follow-up actions
7.2 Retention of SAR Records
Retain SAR records for 3 years:
- Original request
- All correspondence with requester
- Copy of data provided
- Documentation of exemptions and decision-making
- Proof of delivery
8. Fees
General Rule: SARs are FREE. No fee can be charged for:
- The first copy of personal data
- Standard supplementary information
- Processing the request
When Fees May Be Charged:
- Additional copies (reasonable fee based on administrative cost)
- Manifestly unfounded or excessive requests (reasonable fee or refusal)
9. Training and Responsibilities
9.1 Data Protection Officer
- Overall oversight of SAR process
- Approving all SAR responses
- Making decisions on exemptions and extensions
- Handling complaints about SARs
9.2 All Staff
- Recognising SARs and forwarding to DPO immediately
- Completing SAR training
- Cooperating with SAR searches
- Not altering or deleting data once SAR received
9.3 Clinical Staff
- Advising on clinical exemptions (serious harm)
- Providing clinical context where helpful
- Ensuring clinical records are comprehensive and accurate
10. Monitoring and Review
- Quarterly Reports: SAR statistics and compliance rates
- Annual Review: Review of this procedure
- Quality Audits: Sample reviews of SAR responses
- Learning: Post-SAR debriefs for complex cases
11. Complaints and Escalation
11.1 If Requester Unhappy with Response
- DPO to review and discuss concerns
- Consider if additional information can be provided
- Explain reasoning for any exemptions
- Provide clear explanation of review process
11.2 ICO Complaints
Inform requester of right to complain to ICO if not satisfied:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
Website: www.ico.org.uk
12. Related Documents
- Data Protection Policy
- Privacy Policy
- Data Retention Policy
- Information Security Policy
- Complaints Policy