How to Respond to a Data Subject Access Request (DSAR)

Published on 25 July 2022

Let’s face it, there is nothing straightforward or simple about responding to a data subject access request (DSAR). The words ‘I want all of my data’ equate to hours of trawling systems, reviewing content, redacting files, and collating information before any disclosure can take place.

Dealing with DSARs can be a costly exercise, both in terms of resources and time. Furthermore, as you cannot charge a fee, you cannot recoup any of the costs associated with providing the data subject with their data. Not to mention the required 30-day turnaround time (approx. 20 business days!), which adds further pressure on your privacy team.

Whilst responding to DSARs can be onerous and time-consuming, you cannot take any shortcuts. It is vitally important that DSARs are handled fairly and independently, particularly where the request is internal and may involve HR records; this can vastly narrow down the pool of individuals who are able to process the DSAR internally. To demonstrate independence and transparency, HR representatives, for example, should not process an employee’s DSAR.

There are other factors to consider when responding to a DSAR. Human review, for example, rather than purely electronic processing, has a number of clear advantages.

As per the Information Commissioner’s Office (ICO) guidance, it is essential to understand the context of a DSAR. This can only be achieved where the raw material is read by the human eye. Simply putting a name into redaction software is really not sufficient.

Factors to Consider

  • Has any personal data been provided to you in confidence, such as from a confidential informant? You particularly need to think about HR requests, grievances, and formal complaints.
  • Is dealing with the request going to be time-consuming or particularly extensive? Is it a vexatious request? Is it manifestly unfounded or excessive and therefore does not need to be responded to?
  • Is the request being made on behalf of someone else? How do you manage third-party requests and consent? A careful balancing exercise should be carried out before disclosure.
  • What if the request concerns a child?
  • What if your response to the request contains the names, or other personal information, of other staff or staff from other stakeholders?

Pivotal to the redaction of documentation is deciding which elements of the document need to be removed, and applying a legal exemption (from the list in Schedule 2 of the Data Protection Act 2018) that justifies each removal.

This is a time-sensitive process. Redaction should be performed and overseen by someone who is knowledgeable about the records and the statutory exemptions available, and who can determine what material should or should not be redacted.

Removing just the third party’s name may not be sufficient, as they may still be identifiable from the rest of the information. Again, this is a task that can only be achieved with human input and judgement, not solely by automated decision-making (i.e., redaction software alone).

Also, don’t forget the ICO guidance. A name on its own is not always personal data disclosable in response to a DSAR. To understand this, you must review the context of the DSAR, and your collated documentation, and redact with this in mind.

Do you need assistance managing your DSARs?

URM can offer a host of consultancy services to help you manage DSARs, DPIAs, ROPAs, privacy notices, data retention schedules and training programmes.