The UK General Data Protection Regulation (UK GDPR) governs the way organisations handle the personal data of people in the UK, and is key to upholding data privacy and data protection. One aspect of data privacy is the right of access: individuals may request copies of the personal information that organisations are processing about them.
Keep reading to learn more about data requests, UK GDPR stipulations, and how an organisation might respond to a request.
In this article
- What is a DSAR?
- Why would someone request a DSAR?
- What information is included in a data subject request (DSAR)?
- What is the “right of access” according to the UK GDPR?
- Can a DSAR be refused?
- Who can make a DSAR?
- In what format can an individual make a data subject access request (DSAR)?
- How do you handle a DSAR?
What is a DSAR?
According to the UK GDPR, the “data subject” (individual/person) has the right to access any personal data that the “data controller” (organisation) holds on them. This is more commonly known as a data subject access request (DSAR). With a DSAR, data subjects can also check how their data is being used, including if it’s being used lawfully.
Why would someone request a DSAR?
There are a number of reasons why someone may submit a DSAR. The most common is that they are unhappy about, or unclear on, how and why their information is being used. In most cases, after receiving a DSAR, an organisation must provide copies of the requested information. DSARs are an important tool for upholding an individual's rights, so let us explore the "right of access" and its limitations.
What information is included in a data subject access request (DSAR)?
A data subject's request may refer to specific details, or may ask for a full list of all the information an organisation holds about them. In the latter case, sifting through large amounts of information can be challenging. Therefore, the first step in acting on a DSAR is to determine what counts as "personal data" under the UK GDPR, and whether the information requested falls under this definition.
The organisation can redact any information that is not within the scope of the DSAR. It is also not obliged to share every document that refers to or mentions the data subject, such as internal memos or sales information, where that material is not the subject's personal data. Most importantly, the organisation must leave out personal data about other individuals, since disclosing it would itself be a data breach.
Taking the above into account, the organisation will provide the data subject with the requested information along with other relevant supporting documents and materials.
What is the “right of access” according to the UK GDPR?
Article 15 (right of access) of the UK GDPR stipulates that individuals/data subjects have the right to request copies of any personal data that is being processed. The right of access covers a few different aspects:
- Whether or not their personal data is being processed
- A copy of their personal data if it is being processed
- If their personal data is being processed, the following additional information:
- Why their data is being processed (purpose)
- The categories of the data being processed
- The parties with whom their data will be shared
- How long their data will be kept (retention period) with reasoning
- Their right to rectification, erasure, restriction of processing and objection, as well as guidance on exercising those rights
- Their right to raise data privacy concerns with a supervisory authority
- The source of personal information (if it was not provided by them)
- Whether automated decision-making, including profiling, is used, and meaningful information about the logic involved and its consequences for them, as well as the safeguards applied if their data is transferred outside the UK
Data subjects can request a copy of their personal data any time, and organisations are typically required to provide it. However, organisations may be allowed to reject a DSAR request under certain circumstances.
Can a DSAR be refused?
If a request is "manifestly unfounded or excessive" (for example, it has no real purpose or is made with the intention of disrupting the organisation), the data controller (organisation) may refuse to act on it, or charge a reasonable fee, as set out in Article 12(5) of the UK GDPR. The bar for this is high: the controller must be able to demonstrate that the request is manifestly unfounded or excessive, and should tell the data subject why it is refusing and that they can complain to the ICO.
Additionally, receiving a copy of requested information “should not adversely affect the rights or freedoms of others”, according to article 15(4) of the UK GDPR. This means that the personal and sensitive information of other data subjects should be protected when acting on a request.
Who can make a DSAR?
Anybody whose personal data an organisation holds can submit a DSAR. This includes, but is not limited to, employees, users, donors and contractors. Data subjects do not need to state a reason for submitting a DSAR, but they may be asked to verify their identity and to provide details that help locate the information they have requested.
A person may also submit a DSAR on behalf of someone else, under the following circumstances:
- They are a parent or guardian requesting information about their child
- They have been appointed by a court as responsible for handling someone's affairs
- They are a representative, such as a solicitor, acting on behalf of a client, or an organisation acting for its employee
- They are a friend or relative whom the data subject has asked for help
In such cases, the person making the request may be asked to provide evidence of their authority to act, such as a signed letter of authority, power of attorney documentation, a birth certificate or guardianship paperwork.
In what format can an individual make a data subject access request (DSAR)?
There is no specific format to follow when submitting a DSAR — data subjects can make the request verbally, by email, by letter or even through a social media post.
An individual does not have to say they are making a DSAR for it to be a valid request. However, if you want to submit a DSAR, these basic steps make the process smoother:
- Identify the relevant person or department at the organisation to send the request to: this should be stated in their privacy notice.
- Be clear about what personal data you want to access.
- Write to the organisation stating that you want copies of the personal data they hold about you, and include identifying details (full name, contact details, account numbers etc.) to help them identify you and locate your data.
- While not required, it can be helpful to state that you are making a data subject access request under the UK GDPR.
Now let us take a look at how the controller (organisation) may respond to the request, and the steps involved in this process.
How do you handle a DSAR?
Similar to submitting a DSAR, there is no set way to handle one. However, the following steps are considered standard across the industry:
Verify the identity of the data subject
Ensure the right information is shared with the right person to avoid a data breach.
Determine the nature of the data request
Review the request and the type of information being asked for, and decide whether you need more than a month to respond. If the request is complex, or the subject has made a number of requests, you can extend the deadline by a maximum of two additional months, but you must tell the subject about the extension, and the reasons for it, within the first month.
Gather the requested information
Locate the data across the systems that hold it and compile it into an accessible file type, ideally made available through remote access to a secure system.
Review the information
Make sure the material does not contain the personal data of other individuals and is not otherwise exempt under the law, and record the reasoning for anything withheld so that it can be explained to the subject.
Explain the rights of the data subject
Remind subjects of their rights, including the right to object, to rectification and erasure, and to lodge a complaint with a supervisory authority.
Send the response
Document all communication for auditing purposes and to hold the organisation accountable.
Data controllers are not obliged to share every piece of information requested by the data subject, and should take care that personal data about other individuals is not compromised as a result. The process of responding to a DSAR may vary between organisations, but the steps above must be covered.
Responding to a DSAR might sound straightforward, but poor data governance and management can make it hard for a controller to locate the information being requested.
Handling data properly and responding to a DSAR requires a clear understanding of what personal data you hold and where it is located.
For more information, speak to one of our experts about implementing strong data governance policies and managing data subject access requests.
Do individuals have to pay for a DSAR?
According to Article 15(3) of the UK GDPR, the first copy of the personal data must be provided to the individual free of charge. However, organisations may charge a reasonable fee, based on administrative costs, for any further copies the data subject requests.
What records should you keep when making a DSAR?
When you make a DSAR it is worth keeping a record of the request, in case you later need to chase the organisation or complain to the ICO. Note down:
- The time and date of your request
- The location (if you made it in person)
- The phone number or online form you used
- The names and contact information of anybody with whom you have communicated, and
- Any relevant notes you made regarding the requested private data
What happens if an organisation doesn’t respond to a DSAR?
If a data subject does not receive a response, they have the right to file a complaint with the ICO. However, the first step should be to file a formal complaint with the organisation. This is typically done in writing, such as through a letter or email. If they are still unhappy with the response and feel that the requested data should be provided, they can then complain to the ICO.
How long does an organisation have to respond to a DSAR?
The organisation must respond to a request without undue delay, and at the latest within one month of the date the request was received. If the request is complex, or the individual has made a number of requests, the organisation may extend this by a further two months (three months in total), but it must tell the individual about the extension, and the reasons for it, within the first month.
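As an added example, not part of the original article, the Python helper below works out the response deadlines described above from the date a request was received. It assumes the calendar-month convention used in ICO guidance: the deadline is the corresponding date in the following month, or the last day of that month if there is no corresponding date (a request received on 31 January is due by 28 or 29 February). For the extended deadline it assumes three calendar months from receipt; that is a simplifying assumption for the example, not a statement of the law.

```python
import calendar
from datetime import date


def add_months(d: date, months: int) -> date:
    """Return the corresponding calendar date `months` later.

    If the target month is shorter and has no corresponding day, return the
    last day of that month (assumed ICO convention, e.g. 31 Jan -> 28/29 Feb).
    """
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def dsar_deadlines(received: date, extended: bool = False) -> dict:
    """Compute the key dates for a DSAR received on `received`.

    - respond_by: the standard one-month deadline
    - notify_extension_by: the subject must be told of any extension, with
      reasons, within that same first month
    - final_deadline: three calendar months from receipt if extended
      (assumption for this example), otherwise the standard deadline
    """
    standard = add_months(received, 1)
    final = add_months(received, 3) if extended else standard
    return {
        "received": received,
        "respond_by": standard,
        "notify_extension_by": standard,
        "final_deadline": final,
    }


def is_overdue(received: date, today: date, extended: bool = False) -> bool:
    """True if the applicable deadline has passed without a response."""
    return today > dsar_deadlines(received, extended)["final_deadline"]


if __name__ == "__main__":
    # Constructed sample requests: a short February to show the edge case.
    for received, extended in [(date(2024, 1, 31), False), (date(2024, 1, 31), True)]:
        d = dsar_deadlines(received, extended)
        print(f"received {d['received']}, respond by {d['respond_by']}, "
              f"final deadline {d['final_deadline']} (extended={extended})")
```

The script prints the dates for a request received on 31 January 2024 with and without an extension; `is_overdue` can be dropped into a request tracker to flag requests that have passed their applicable deadline.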
What is not classed as personal data?
Public information about organisations and governments does not count as personal data. However, information that can be used to identify an individual connected with the organisation, such as an employee, partner or director, is personal data.