Data Subject Access Requests (DSARs)
One of the fundamental rights of an individual (data subject), under the UK GDPR is to be able to access and receive a copy of their personal information being held by an organisation (data controller).
As such, a data subject access request (DSAR) can be made by a wide range of individuals such as customers, employees (past and present), tenants and even people visiting a website.
DSARs can be made in writing, verbally and by social media. It is also possible for a third party to request a DSAR on behalf of someone else.
If an electronic request is made, the data controller should provide the information through a commonly used electronic format, unless the data subject requests the information through another medium.
Data controllers also need to be aware that an access request can be made without formally being titled a ‘subject access request’ or similar.
Which Organisations/Data Controllers Need to Comply with DSARs
The simple answer is any organisation which processes personal data (difficult to think of many that don’t) will potentially need to comply with this requirement of the UK GDPR.
Thus, if your organisation has never received a DSAR, don’t get complacent, you may do in the future and you need a process and skilled resources to deal with it.
What are Some of the Challenges of Responding to a DSAR?
Whilst there is nothing new about DSARs (they were first introduced by the DPA 1998) the UK GDPR included some additional requirements which introduce some challenges for data controllers responding to DSAR.
One of the more obvious ones is the 1-month timescale in which data controllers must respond to an access request.
An organisation can only request additional time (up to a further 2 months) if procedures are considered to be too complex to meet the 1-month deadline or if the same data subject has made numerous requests.
Data controllers, however, cannot obtain extensions on the grounds they are relying on data processors to provide the necessary information.
Timescale aside, there are numerous other challenges that data controllers must overcome in responding to a DSAR.
The legislation says that data controllers need to satisfy themselves that a DSAR is valid, and that the requester is in fact the data subject or someone acting on their behalf, like a solicitor or citizens advice.
- So how do you satisfy yourselves?
- What documentation do you request to confirm their identity?
- How do you process and store this ID?
- How long can you keep it for?
3. Vexatious Requests
How do you separate the genuine requests from the vexatious or malicious requests sent to potentially drain your resources? How can you evidence that a request is malicious?
Do you have enough people to pull together everything you need to facilitate a request? Do you have access to the systems? Is your records management in place so you know how to locate documents that need to be disclosed? Do you have the appropriate software to do professional redaction or are you still using a black felt tip and a photocopier?
URM has found that this is the biggest issues faced by organisations.
Do your people have the knowledge and skills to be able to facilitate requests? Do they really know what personal identifiable data actually is? A name alone within a document is not necessarily personal data. Do you have the software and skills to pull together all the emails that mention a particular person or a particular complaint?
Training your data protection team to be experts in disclosure is not an easy task. It’s a process that takes time to learn and there is very little training and guidance on the internet to support them.
URM’s DSAR Consultancy Services
URM can provide a wide range of services from a virtual Disclosure Officer to specific access request services.
As part of its Virtual DPO service or the provision of an internal DPO resource, URM is able to offer a range of DSAR services, including validation and confirmation that the DSAR is appropriate along with validation of the data subjects.
We have found, however, that one of the most sought-after DSAR services is our Redaction Service.
DSAR Redaction Service
It is important that DSARS are handled fairly and independently, especially where the request is internal and may involve HR records.
One of the areas which organisations often struggle with when dealing with DSAR redaction is understanding what legal exemptions are available and more importantly can be applied.
This, naturally, will dictate when data can or cannot be released, e.g. where there is legal privilege between an organisation and its solicitor.
Questions that organisations find challenging when redacting documents as part of a DSAR include:
• What if personal data was provided in confidence, such as from a confidential informant, e.g. as part of a grievance and formal complaints process
• What if an access request is going to be unduly time consuming or particularly voluminous?
• How do you determine if a DSAR is vexatious? What evidence do you need to provide? Do you actually need to respond to it?
• What if someone else is requesting information on the data subject’s behalf? How do you manage 3rd party requests and manage consent?
• What if a SAR concerns a child?
• What if documents involved in the SAR contains the names of other staff or staff from other stakeholders?
Deciding on what elements of a document need to be redacted and where exemptions can be applied is a timely process and one which requires a skilled interpretation of the UK GDPR.
URM can provide such skills through its knowledgeable and experienced team, and in the process remove the distraction and resolve internal resource allocation challenges.
With this knowledge and experience at its disposal, URM is able to apply the appropriate redactions to any documents supplied.
Following the redaction, URM is able to package the DSAR together for disclosure Furthermore, if required, URM is able to act on as your representative with the UK regulator where a DSAR is contested.
One of the areas that URM really prides itself is in skills and knowledge transfer. As part of its tailored redaction service, URM can include the training and support of your own internal data protection team.
In essence, URM can do as much or as little of the process as required.
How Does URM’s Redaction Service Operate?
A typical operating model for a URM DSAR Redaction Service is as follows:
More about GDPR and DP
GDPR and DP Training
Our office is open 08:00 – 17:30 Monday to Friday.