Subject access request (SAR)

Last Updated:
by Craig Braisby

To comply with GDPR organisations need to be able to respond to a Subject Access Request providing a copy of all relevant data held. For more information please see the ICO article Your right of access.

The use of Assemble for all communications to/from volunteers as well as for storing related volunteer records and information makes it easier for organisations to respond to SAR's against those with paper based or disparate systems.

Completing a SAR

A SAR export from Assemble contains all users data, including potentially sensitive items. Access to complete an SAR request should be restricted to specific key trained staff typically in the admin team or DPO.

Exported data is your responsibility!

Before releasing any information ensure the person requesting the data has authority to do so and confirm their identity. Carefully review exports to ensure it is the expected data only, does not breach another users privacy and is reasonable to release.

The SAR export feature is located on the user details page, top row under 'Other'. SAR will export all user data in a tabular excel file, including attachments where applicable as a single password protected zip.

To further protect the data the link to the file (within Assemble) will be emailed to the manager who requested the SAR along with a password. The user will need to be logged in to download the zip and the zip will only extract with the password supplied in the email.

Once the manager has downloaded the file they should review the data included to ensure it fits the detail of the request. For example if a volunteer has asked for messages from X to Y dates ensure this is all that is sent.

Verify the data included does not breach another's privacy and is in line with organisation policies on SARs. Ensure data is sent in a secure way to the requester to protect their privacy and that the downloaded data is securely erased where appropriate.