FOI release

Subject access requests answered by the SIA: 2021 to 2023

Published 20 February 2024

1. Request

Under the Freedom of Information Act, please could I request the following information:

1. Please advise how many Data Subject Access Requests (hereafter referred to as SARs) you received and responded to in 2021, 2022 and 2023 relating to employees (past or present) and other requests (e.g. customers, general public, service users etc).
2. When responding to SARS do you manage the process in-house, or do you outsource the whole or part of the process? And if conducted in house please specify the name of the team/function that is responsible for this part of the process (eg Data Privacy, HR, etc). If for example you outsource one type of SAR (e.g. employee) but complete others (e.g. citizen/customer) inhouse, please provide details.
3. Approximately how many working hours does it take to pull together a typical SARs response, this includes the time taken to collate and redact the information, and putting the information together for issuing?
4. What is the estimated percentage of handwritten documentation within a typical SAR response?

2. Response

I can confirm that the SIA does hold this information.

The information you have requested in respect of the internal SAR numbers from employees (past and present) is exempt from disclosure under section 40(2) FOIA 2000, as it constitutes personal information that does not relate to you. Due to the significantly low number for this category, if the information was provided it would single out certain employees and allow them to be easily identified.

The definition of personal data is any information that relates to an identified or identifiable individual. Section 40(2) exemplifies the provision of information that is the personal information of another person if releasing it would contravene any of the data protection principles as set out at section 34 of the Data Protection Act 2018. The first principle requires that the disclosure of the requested personal data must be lawful and fair. Under the Act the disclosure of personal data is considered to be lawful if:

• there is a legitimate interest in the disclosure of that personal data
• the disclosure of the personal data is necessary to meet that legitimate interest
• the disclosure would not cause unwarranted harm to the data subject

Having considered the release of this piece of personal data, I am of the view that it would not serve any legitimate interest. Its disclosure would also cause unwarranted harm to the data subjects because they would become easily identifiable from the data, particularly as it is shared in the public domain.

The SIA can provide the remainder of the information you have requested.

2.1 Question 1

	Number of SARs requests in 2021	Number of SARs requests in 2022	Number of SARs requests in 2023
Employees (past and present)	Exempt under section 40(2) FOIA	Exempt under section 40(2) FOIA	Exempt under section 40(2) FOIA
Other (e.g. customers, general public, service users)	40	37	87

2.2 Question 2

Responding to subject access requests is managed in-house by the Risk and Assurance department.

	In house (please specify)	Outsourced
Collating the data (pulling the data together from across your organisation/department)	Risk & Assurance	Not applicable
Redacting the data	Risk & Assurance	Not applicable
Pulling the information/ data together into a response	Risk & Assurance	Not applicable
Checking the information before issuing it to the requestor	Risk & Assurance / Legal Services	Not applicable

2.3 Question 3

The SIA does not hold this information.

2.4 Question 4

0%

[Reference: FOI 0487]