SAR failure: ICO warns of criminal prosecution

The Information Commissioner’s Office (ICO) has reminded organisations that if they fail to respect the public’s legal right to access their personal information, they could face criminal prosecution.[1]

The ICO issued the warning after Magistrates fined a housing developer for breaching data protection laws. The company failed to comply with an enforcement notice issued by the ICO and so the regulator prosecuted.

Rights of access by the data subject are covered by Article 15 of the General Data Protection Regulations (GDPR) which states: “The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data…[2]” (see Chapter 3, Rights of the Data Subject – Data Protection Act 2018 (the Act)[3]).

Regardless of whether you have already received a SAR, you should be ready. Your policy and procedures should be in place. You don’t want to have to develop your policy on the hoof if you receive such a request. You have a month to process a SAR but, in practical terms, that is likely to pass very quickly, especially if you’re making it up as you go along.

Michelle Garlick, Partner Weightmans said: “We’ve certainly seen an increase in the number of SAR requests being made since 25 May.

“Some may be for very legitimate reasons. Others perhaps to make trouble, create difficulties for you, get out of paying a fee or short circuit disclosure. There are all sorts of reasons that clients might issue a SAR.”

A SAR can be made verbally (it doesn’t have to be in writing), and as a consequence, anyone in the firm with client contact can potentially be the recipient of the request; it’s really important that all staff can spot such requests when made and refer them promptly to whoever will be responding on your firm’s behalf. As clients may not be clear about what data they require, consider asking them to complete a Subject Access Request form, although that won’t stop the clock ticking.

We’ve mentioned that you have a month to respond to a SAR, but it’s worth looking at this timescale more closely. One month after receiving a valid request, you have to provide the information, and that’s calculated from the day after you receive the request to the corresponding calendar date the next month. So, if you get a SAR request on 11th September, you’ll have until the 12 October to provide the information. You’ll have to hope that people don’t send too many SARs in February because that’s a shorter month.

Once you have all the necessary information, don’t delay by asking for unnecessary detail. You mustn’t be obstructive in responding to the SAR. Otherwise, you run the risk of receiving a complaint and possibly being reported to the ICO. To satisfy the fair and transparent processing requirements in Article 13 of the GDPR, clients should be advised that they have the right to complain to the ICO if they think you have not handled their data correctly.

We have mentioned clients, but it is not just clients. You need to consider the rights of everyone else on whom you hold personal data. Data subjects would obviously include employees but also think of temps, locums, self-employed consultants, those on work experience and contractors. This list is not exhaustive, but it gives you an idea of the range of data subjects you need to consider.

If the SAR is complex, then you can extend the deadline by a further two months, but you have to explain why to the data subject and let them know within one month of the request. It’s not recommended leaving it to the very last day of the original deadline to get in touch with the client. Do it much sooner. Have a diary entry a couple of weeks into the SAR response timeline to see how you are getting on and then get in touch if you do need more time with an explanation.

You can withhold information if disclosure would adversely affect the rights and freedom of others, and remember the exemption if you can claim legal professional privilege in legal proceedings. Your exemption rights are set out in Schedule 2, Part 4, Paragraph 15 of the Act.

Returning to your handling of SARs, you need to set out how you will deal with requests in a policy with a procedural plan. If you’re likely to receive a number of requests, template letters will be helpful especially in the context of identification; it’s really important to make sure that it is a valid request. Have you verified the subject, the data subject’s identity to make sure that you are providing it to the right person? Templated forms will also ensure that there is consistency in recording the SAR so that you have all the information you need to enable you to interrogate your data and investigate what information is being requested.

If you haven’t already carried out an audit of personal data, that’s something you really should do. Some firms haven’t completed this process as the task is so daunting. However, one way of addressing the audit is, maybe, to look at recently closed files. Depending on the size of the firm, perhaps you’d look at ten or twelve files from different departments in the firm. Review the file and then try to work out what data you hold on those clients. Obviously, there’s the data contained on the file, there are the client ledgers, but if, for example, there’s been a complaint, there might be an associated complaint or claims file. You need to think laterally about where the data is held so you’re capturing everything you know about the client that may be considered personal data.

Having produced your policy and procedures, staff training staff is essential. It is unlikely that clients (and others) will flag up their request specifically as a SAR. It really doesn’t matter what they call it; you still need to respond.

For further information on the issues covered above, contact Aon on 0370 218 4196 or visit our Solicitors insurance page


[1]: ICO, February 2019
[3]: Data Protection Act 2018



Back to the SOLICITORS group News

Media Centre

“The Solicitors Group online directory is an established and respected channel for legal professionals, meaning I can talk to my existing and future customers about products and services both quickly and easily.”

Carole Hatton
Marketing Manager
Landmark Information Group

“Reaching our niche market can sometimes be challenging, however we find promoting our legal training courses on an excellent way of contacting both existing and new customers. The service we receive from The Solicitors Group is both professional and relevant to our core activities and we would recommend their services to others.”


“I must say that to date we have been very pleased with the referrals we are getting from your site.”

Paul West
Orchid Cellmark

“The Newsdesk feature on is ideal for us. Its prominent location on the site provides a great platform to communicate key messages to existing and potential clients.”

Neil Phillips
Marketing Manager
Countrywide Legal Indemnities

"We are very happy with the referrals we are getting from The Solicitors Group web-site."

C.A. Bishop
Technical Director
Wickham Laboratories Ltd

“We received 419 click-throughs to our site from advertising with”

Legal Prospects

“Putting myself in my potential client's shoes, I consider to offer perhaps the clearest and most user-friendly listing of expert witnesses, especially in its choice of index terms.”

Ivan Vince
ASK Consultants

“The banner ad looks great”

Samantha Dawson
The Bundle Business Limited

“The Solicitors Group has been fantastic in helping us to raise awareness about bowel cancer, which kills 16,000 people every year in the UK. Bowel Cancer UK aims to save lives by raising awareness of bowel cancer, campaigning for best treatment and care and providing practical support and advice. Without the support of organisations such as the Solicitors Group we would be unable to carry out this vital work. We are very grateful to the team at the Solicitors Group for their support and assistance.”

Tamara Matthews
Legacy Officer
Bowel Cancer UK

“As a result of Law London, we have registered 208 new companies/firms to the website, generating £20,797 GWP to date, as well as reinforcing our presence in this very profitable marketplace.”


“The event was well put together and executed, and the traffic of potential customers for us was high. We had a number of enquiries regarding our services after the event and we feel our attendance there was important to our overall brand exposure. We feel a Law event of this size without Euromoney Legal Training present could potentially be hurtful to us as a business. We would recommend you to attend and shall ourselves be there again in 2008.”


“Many thanks for the prompt service.”

Martin Gibbs MBE
Director / Investigator
Griffin Forensics Ltd

“A targeted email to key customers is an invaluable method of communication, endorse this with the Solicitors Group branding, relevant editorial content and you have created a winning combination! We look forward to reading the next edition.”

Carole Hatton
Marketing Manager
Landmark Information Group

“Talking directly to Property Lawyers is critical to us as they are key customers or potentially could be for all of our products, The Solicitors Group offer a perfect solution to get our messages right to the right people”

Carole Hatton
Marketing Manager
Landmark Information Group

“Thank you for having a useful and informative site, it is good to see a comprehensive and friendly portal.”

Stefan Fann
UK Probate Services

“Cadogans aims to keep its brand image in front of lawyers who may be looking for engineering experts. A check on Google analytics showed that referrals to our website from The Solicitors Group website were above average.”

Daphne Wassermann
Technical Director