Producing a Subject Access Request Report

On occasions data subjects may request from their service provider a summary of the information that is held about them, and to which they have been granted access. In many cases the information held in Safe4 about individuals, or indeed by individuals themselves, may be a small element of the overall data relating to that subject. For this reasons it is essential that the service provider complete an Information Asset Register.

GDPR Requirements

In order to be compliant with GDPR, and to be able to evidence such compliance, organisations should complete a register of all of their information assets. This register should identify where the data is held, the format it is held in, where it originated, who is responsible for it, and other basic details. Clearly much of this information will be held in systems other than Safe4 – a variety of business applications and indeed paper records may constitute the entirety of records about an individual. The Regulation grants data subjects the right to request this information at any time.

Safe4 now provides a means of reporting on the information that is held in the system about an individual user. This can be accessed through the Manage Users function described in the Advanced System Admin section of this guide.

In this illustration the user who has been chosen is known as Safe4 Provider User. If the row representing their record is highlighted several options are shown, including a Subject Access Request button:

Clicking this button will produce a report in PDF format that can be utilised in any way that is required; this can include being saved outside Safe4, or indeed uploaded to Safe4.

Important to bear in mind:  this report will only show the information that the user has chosen to enter into their own My Account settings in Safe4, and a list of the provider accounts and vaults to which they have access. In many instances there may be vaults in Safe4 relating specifically to individuals, containing information that may be required if the data subject requests it. Safe4 does not control the information that is placed into specific vaults, and cannot therefore report on it. Making such information available to the data subject will be the responsibility of the provider who manages the vault in question.