One of the fundamental rights of an individual (data subject), under the UK GDPR is to be able to access and receive a copy of their personal information being held by an organisation (data controller).
As such, a data subject access request (DSAR) can be made by a wide range of individuals such as customers, employees (past and present), tenants and even people visiting a website.
DSARs can be made in writing, verbally and by social media. It is also possible for a third party to request a DSAR on behalf of someone else.
If an electronic request is made, the data controller should provide the information through a commonly used electronic format, unless the data subject requests the information through another medium.
Data controllers also need to be aware that an access request can be made without formally being titled a ‘subject access request’ or similar.
Which Organisations/Data Controllers Need to Comply with DSARs
The simple answer is any organisation which processes personal data (difficult to think of many that don’t) will potentially need to comply with this requirement of the UK GDPR.
Thus, if your organisation has never received a DSAR, don’t get complacent, you may do in the future and you need a process and skilled resources to deal with it.
What are Some of the Challenges of Responding to a DSAR?
Whilst there is nothing new about DSARs (they were first introduced by the DPA 1998), the UK GDPR included some additional requirements which introduced some challenges for data controllers responding to a DSAR.
One of the more obvious ones is the 1-month timescale in which data controllers must respond to an access request.
An organisation can only request additional time (up to a further 2 months) if procedures are considered to be too complex to meet the 1-month deadline, or if the same data subject has made numerous requests.
Data controllers, however, cannot obtain extensions on the grounds they are relying on data processors to provide the necessary information.
Timescale aside, there are numerous other challenges that data controllers must overcome in responding to a DSAR.
The legislation says that data controllers need to satisfy themselves that a DSAR is valid, and that the requester is in fact the data subject or someone acting on their behalf, like a solicitor or Citizens Advice.
- So how do you satisfy yourselves?
- What documentation do you request to confirm their identity?
- How do you process and store this ID?
- How long can you keep it for?
3. Vexatious Requests
How do you separate the genuine requests from the vexatious or malicious requests sent to potentially drain your resources? How can you evidence that a request is malicious?
Do you have enough people to pull together everything you need to facilitate a request? Do you have access to the systems? Is your records management in place so you know how to locate documents that need to be disclosed? Do you have the appropriate software to do professional redaction or are you still using a black felt tip and a photocopier?
URM has found this to be the biggest issues faced by organisations.
Do your people have the knowledge and skills to be able to facilitate requests? Do they really know what personal identifiable data actually is? A name alone within a document is not necessarily personal data that has to be disclosed in response to a DSAR. Do you have the software and skills to pull together all the emails that mention a particular person or a particular complaint?
DSAR Redaction Service
It is important that DSARS are handled fairly and independently, especially where the request is internal and may involve HR records.
One of the areas which organisations often struggle with when dealing with a DSAR redaction is understanding what legal exemptions are available and more importantly can be applied.
This, naturally, will dictate when data can or cannot be released, e.g., where legal privilege applies to communications between an organisation and its solicitor.
Questions that organisations find challenging when redacting documents as part of a DSAR include:
- What if personal data was provided in confidence, such as from a confidential informant, e.g., as part of a grievance and formal complaints process?
- What if an access request is going to be unduly time consuming or particularly voluminous?
- How do you determine if a DSAR is vexatious? What evidence do you need to provide? Do you actually need to respond to it?
- What if someone else is requesting information on the data subject’s behalf? How do you manage third-party requests and manage consent?
- What if a DSAR concerns a child?
- What if documents involved in the DSAR contain the names, or other personal information, of other staff or staff from other stakeholders?
Deciding on what elements of a document need to be redacted and where exemptions can be applied is a time-sensitive process and one which requires a skilled interpretation of the UK GDPR.
This is where utilising a third party provider, such as URM, can be useful.
One of the fundamental rights of an individual, under the UK GDPR is to be able to access and receive a copy of their personal information being held by an organisation
In this blog, we will discuss the importance of ensuring that your whole organisation can identify a DSAR, the benefits of controlling the entry points of DSARs and creating a centralised DSAR process
Let’s face it, there is nothing straightforward or simple about responding to a data subject access request (DSAR).
There is some confusion about the difference between personal data and sensitive personal data and even whether sensitive personal data exists as a term! So, let’s see if we can clarify the situation