Data Subject Access Request (DSAR)
So, how should a data controller fulfil the rights of a data subject?
Individuals whose data is being processed have the right to know what data your company is processing about them, receive a copy of that data, and obtain additional information about the nature and scope of its processing.
However, providing a copy of processed personal data often comes with challenges such as:
- What to do if the processing of the data of the requester is linked to the processing of personal data of a third party?
- What to do if personal data has been disclosed to a company in confidence, for example, from a confidential informant?
- What to do if a request for access to data is time-consuming or exceptionally extensive?
- What to do when a data subject or a third party makes a request on behalf of another data subject?
These are just some of the issues that you will need to address when responding to a DSAR, and this guide aims to help you with that.
There is no established form in which you could receive a DSAR – a request from a data subject.
Individuals whose data is concerned may make their requests verbally or in writing. Although you can advise individuals whose data is concerned to fill out a form or use a template from your website, regulations do not specify such an obligation.
The request does not have to mention the UK GDPR, the Data Protection Act 2018, or any other laws. It is your responsibility as the data controller to recognise such a request as a DSAR and handle it properly.
An important thing to remember is that a DSAR can be made by a natural person or a person acting on their behalf who seeks access to their own personal data or seeks clarity on how their personal data is being processed.
Individuals whose data is concerned also often rely on the Freedom of Information Act 2000 when attempting to gain access to their own personal data. It should be noted that the Freedom of Information Act 2000 only applies to public authorities (such as local governments, schools, and hospitals), so if you are not a public body, the obligation to respond to such requests does not apply.
It is obvious, however, that despite the incorrectly specified legal basis, such a request is still a request for access to personal data, i.e. a DSAR, and you are obliged to respond to it in accordance with the principles of the UK GDPR.
According to the presumption of guilt in data protection law, data processing companies will avoid a penalty only if they can prove that they have done everything to protect the data.
What should you do if you receive a Data Subject Access Request (DSAR)?
The procedure for handling requests from data subjects should be described in an internal document of your company called a “Data Protection Policy”.
It is particularly important to specify who in your company will be handling such requests and who is the person responsible for all aspects of personal data protection.
When do you have to respond?
You have a period of one calendar month, starting from the day of receipt of the request, to respond to a DSAR.
However, your company may extend the time for responding by an additional two months when:
- the data subject has not provided sufficient information to identify the data requested (in this case, ask for additional information and the one-month period will start from the day you receive the necessary details); or
- the request is very complex or complicated.
After deciding to extend the response period, the data controller must inform the data subject about the extension. From that point on, the company will have two months to respond, regardless of how many days were left in the initial one-month period.
Remember to record when you received the DSAR and when you fulfilled the request. You can also decide to keep a register of DSAR requests in case you need to prove that your company did not violate GDPR rules in this respect, but this is not an absolute obligation.
Verification of the applicant
It is crucial to verify the identity of the individual making the DSAR before responding to the request. This is important to ensure that the data is not disclosed to an unauthorised individual and to protect the privacy and security of the personal data being processed.
The right of access is a personal right and theoretically should only be initiated by the individual whose data is being requested. However, in practice, under UK GDPR, the data subject may also transfer the rights to a person representing the individual in the course of their profession or business (e.g. a trade union representative, lawyer).
The identity of individuals can be verified in many ways, such as:
- asking them to provide a written request along with copies of official identification documents such as a passport, bank statement, utility bill, local tax bill, driver’s licence, etc.;
- ensuring that the request was sent from an email address that the individual has used to correspond with you before;
- calling the requester on a phone number that you have on record;
- asking security questions that only the data subject would know the answer to.
Recently, several online platforms have emerged that enable individuals whose data is being processed to submit DSAR requests through them.
Examples of such companies include: TapMyData, Jumbo and Rightly.
Even if someone is using a specialised company to submit their DSAR, it’s still important to positively verify their identity and ensure they fully understand the DSAR process. This is to protect both the data subject and the company from potential privacy breaches or other issues.
As a data controller, you can always respond directly to the data subject, bypassing the representative, if you choose to do so.
In situations where a third party or organisation submits a DSAR on behalf of an individual, you should verify the legality of their authorization.
To do this, you can send an email or make a phone call to the data subject requesting confirmation of the authorization.
Once you have received a DSAR and verified the identity of the requester, it is good practice to send the requester a letter confirming receipt of the request.
While this is not a mandatory requirement, it will show the data subject that your organisation attaches great importance to data protection, and you will clearly specify the waiting period.
In the UK, children over the age of 13 are free to manage their online personal information on their own; in EU countries, the age limit is 16.
Personal data covered by the DSAR
If you process large amounts of personal data concerning the data subject, you may ask them to specify the information or processing activities to which their DSAR relates.
However, it should be noted that this will not affect the one-month deadline for responding to the request.
It is not acceptable to require the data subject to narrow the scope of their request, but you may ask them to provide additional details that will help locate the requested information, such as probable dates when any processing may have occurred or the names of your employees with whom the data subject had contact.
It’s important to remember that the data subject has the right to request everything you have about them. If the data subject does not provide any constructive information that could help you locate their data, you still must fulfil their request to the best of your abilities.
Complex, excessive and unjustified DSARs
When fulfilling the right of access to personal data, you cannot charge a fee to the data subject.
However, a reasonable fee may be charged for the administrative costs of responding to a DSAR if the request is manifestly unfounded or excessive, or if further copies are requested.
Any charges should be based on reasonable administrative costs and the data subject should be notified without delay of the decision to charge them and their amount.
Another available option, in the event of a complicated or unjustified request, is to refuse to comply with it.
This should be decided on a case-by-case basis and the justification should be clearly documented in case this needs to be demonstrated to the ICO or the courts.
Examples of DSAR requests that may be clearly unfounded, according to the ICO, include:
- A data subject clearly has a different intention than accessing their data, e.g. a data subject makes a request but then proposes to withdraw it in exchange for some form of benefit from the organisation;
- A data subject clearly states in the request or in other communications that they intend to cause disruption to the organisation;
- The request contains unsubstantiated accusations against the organisation or its employees;
- The data subject is targeting a specific employee whom they have a personal grudge against;
- The data subject systematically sends various requests to the organisation, clearly intended to disrupt the normal operations of the data controller.
If you wish to rely on the fact that the request is manifestly unfounded or excessive, you must notify the applicant and explain in detail the reasons, their right to complain to the ICO and their right to go to court to enforce their rights.
Such notifications should be sent without undue delay and within a maximum period of one month.
General rules regarding third party personal data
There will be situations where obtaining and disclosing personal data of the data subject also involves personal data of other parties, such as family members, employees who have dealt with the person, individuals who have made allegations against the person, and so on.
When identifying personal data of a third party, a balance must be struck between the right of the data subject to access the data and the protection of the privacy or other rights of the third party.
You are not required to provide information about third parties unless the third party has consented to the disclosure or it is reasonable to provide the information without their consent.
The ICO adds that all relevant circumstances should be considered in determining whether disclosure of such information is warranted, including:
- the type of information you wish to disclose;
- any confidentiality obligations you owe to the other party;
- any steps taken to obtain the consent of the third party;
- any express refusal of the other party’s consent.
The right of access resulting from a DSAR request does not necessarily take precedence over other rights or interests.
The basis for refusing to provide access to data may be confidentiality of other information. However, it should be remembered that simply adding a “CONFIDENTIAL” banner to a document or marking an email message as such does not necessarily mean that the content is confidential.
Each case should be individually assessed to determine whether the information is actually confidential or not.
To be considered confidential, information must have the characteristic of confidentiality for all parties involved, for example:
- Details of confidential information provided by a complainant that would allow its source to be identified;
- Information that may threaten trade secrets (such as company secrets, trade rates, intellectual property, etc.);
- Information collected in the context of a confidential relationship (such as a doctor and patient, lawyer and client);
- Information covered by a confidentiality agreement.
When responding to a DSAR request, it’s important to remember that the right of access includes not only providing information but also confirming the details and nature of the processing.
All information must be provided in a clear, concise, and easily accessible format, using clear and simple language so that the content is understandable to the average person.