SaaS Agreements – Confidential Information – FOIA and SARs

SaaS suppliers are increasingly dealing with subject access requests (SARs) and freedom of information requests (FOIAs) in relation to SaaS customers. Excessive time and costs can be spent dealing with such requests, unless a SaaS supplier’s obligation to comply with or assist a SaaS customer with such requests is clearly defined in the terms of the SaaS agreement.

Subject Access Request (SAR)

Under the Data Protection Act 1998 (DPA), an individual has the right to access personal data held by a SaaS supplier by making a SAR. Such requests for data usually relate to customer data held on behalf of SaaS customers. The SAR can be sent directly to a SaaS supplier or to the SaaS customer. This is not the same as a request for information under the Freedom of Information Act (FOIA).


Under the FOIA, members of the public are entitled to request disclosure of:

  • non-personal information;
  • held by public authorities.

Requests are made directly to the SaaS customer, who often passes the request on to their SaaS supplier.


SaaS suppliers should not confuse a FOIA request with an individual’s right to request personal information under a SAR. The test for disclosure under the FOIA is to the world at large – not just the requester. This means that if a SaaS supplier mistakenly discloses personal data under an FOIA request, this could breach the DPA and result in a large fine as a substantial number of unauthorised persons may see the wrongly disclosed data.


The Information Commissioner’s Office (ICO) has issued a Subject Access Code of Practice which all SaaS suppliers should read. This provides useful advice on how to respond to a SAR.

For example, SaaS suppliers should, upon receipt of a SAR:

  • identify whether a request is actually a SAR;
  • ensure they have enough information to be certain of the requester’s identity;
  • consider whether any of the exemptions apply; and
  • provide a response in a permanent form where appropriate, stating whether a fee is payable.

The Data Commissioner has also issued guidance on how to deal with a FOIA request.

Contractual Provisions

SaaS suppliers should include specific provisions in their SaaS agreement setting out how disclosure requests will be dealt with. Note that these should not be limited to SARs and FOIAs, as there are other types of disclosure requests that can be made under English law.

The SaaS agreement should:

  • set out the extent of the assistance to be given by the SaaS supplier to SaaS customers when dealing with a disclosure request;
  • specify whether the consent of the SaaS customer is required prior to any data being disclosed; and
  • include relevant time limits for complying with any requests.

Additionally, SaaS suppliers could have a data access policy setting out their specific obligations. This can be incorporated into the SaaS agreement by reference in its terms.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector.
