Subject access request (SAR)

Last Updated:
by Wendy Halley

To comply with GDPR organisations need to be able to respond to a Subject Access Request by providing a copy of all relevant data held. For more information please see the ICO article Your right of access.

The use of Assemble for all communications to/from volunteers as well as for storing related volunteer records and information makes it easier for organisations to respond to SARs, with information retrieved with a single click from Assemble.

Exporting data for a SAR

A SAR export from Assemble contains all user's data, including potentially sensitive items. The permission Generate an export of all user data for SAR is required and is a high-level permission requiring two-factor authentication. This permission should be restricted to specific key trained staff, typically in the admin team or DPO.

Exported data is your responsibility

When you use the SAR export, all data relating to the user is visible in the exported file in tables. Once this data is outside of Assemble, ensuring the data is kept secure is your responsibility. You should always follow your organisation's guidance on how to follow a SAR.

Please note, it is possible that some data relating to another user may also be included in the user's SAR export (eg within messages) so the exported data should always be carefully reviewed by your data protection team before its released. 

For those with the relevant permission, the Export SAR command is under the Other command on the user record. This will export all user data in a tabular Excel file as a single password-protected zip file. Attachments will also be included, if applicable.

To ensure data security, the link to the file to download and a unique password will be emailed to the manager who requested the SAR. The manager will need to be logged in to download the file and a unique password will be required to extract the data from the zip file.