In this blog post, we'll cover:
According to the UK GDPR, the “data subject” (individual/person) has the right to access any personal data that the “data controller” (organisation) holds on them. This is more commonly known as a data subject access request (DSAR). With a DSAR, data subjects can also check how their data is being used, including if it’s being used lawfully.
There are a number of reasons why someone may submit a DSAR. The most common would be because they are unhappy or unclear on how and why their information is being used. In most cases, after receiving a DSAR, an organisation must provide copies of the requested information. DSARs are an important tool that helps to uphold an individual’s rights, so let us explore the “right of access” and its limitations.
A data subject’s request may refer to specific details, i.e., particular items of information, or may ask for a full list of all the information an organisation holds about them. In the latter case, sifting through large amounts of information can be challenging. Therefore, the first step in acting on a DSAR is to determine what information counts as “personal” under the UK GDPR and whether the information requested falls under this definition.
The organisation can choose to redact any private information that is not within the scope of the DSAR. They are also not obligated to share every piece of information that refers to or mentions the data subject in question, such as internal memos or sales information. Above all, the organisation must leave out any personal information about other data subjects, since disclosing it would itself be a data breach.
Taking the above into account, the organisation will provide the data subject with the requested information along with other relevant supporting documents and materials.
Article 15 (right of access) of the UK GDPR stipulates that individuals/data subjects have the right to request copies of any personal data that is being processed. The right of access covers a few different aspects:
Data subjects can request a copy of their personal data at any time, and organisations are typically required to provide it. However, organisations may be permitted to reject a DSAR under certain circumstances.
If a request is found to be “manifestly unfounded or excessive” (i.e., with no real purpose or made with the intention of disrupting the organisation), the data controller (organisation) may refuse to act on the request, as stated under article 12(5) of the UK GDPR. However, this is very unlikely and must be proven for the controller to justify rejecting a request.
Additionally, receiving a copy of requested information “should not adversely affect the rights or freedoms of others”, according to article 15(4) of the UK GDPR. This means that the personal and sensitive information of other data subjects should be protected when acting on a request.
Anybody can submit a DSAR. This includes, but is not limited to, employees, users, donors and contractors. Data subjects do not need to state a reason for submitting a DSAR, but are required to verify their identity and provide any details that can help in locating the information they have requested. If an organisation stores your personal data, it is within your right to submit a DSAR.
A person may also submit a DSAR on behalf of someone else under the following circumstances:
In such cases, the data subject may be asked to provide evidence of this relationship, such as the power of attorney documentation, birth certificates or guardianship paperwork.
There is no specific format to follow when submitting a DSAR — data subjects can make the request verbally, by email, by letter or even through a social media post.
An individual does not have to say they are making a DSAR for it to be a valid request. However, if they want to submit a DSAR, these are the basic steps they could take to make the process smoother:
Now let us take a look at how the controller (organisation) may respond to the request and the steps involved in this process.
Similar to submitting a DSAR, there is no set way to handle one. However, the following steps are considered standard across the industry:
Ensure the right information is shared with the right person to avoid a data breach.
Review the request and the type of information being asked for, and decide whether you need more than a month to respond to the subject (if complex, you can extend the deadline by a maximum of two additional months).
Make sure the information does not contain the personal details of other subjects or is otherwise exempt under the law.
Compile the requested information into an accessible file type, ideally available via remote access to a secure system, and provide reasoning in the case of withheld information.
Remind subjects of their rights – mention the right to objection, rectification and lodging a complaint with a supervisory body.
Document all communication for auditing purposes and to hold the organisation accountable.
Data controllers are not obligated to share every piece of information requested by the data subject. They should exercise care to ensure that personal data about other subjects isn’t compromised as a result. The process of responding to a DSAR may vary across organisations, but the above must be adhered to.
Responding to a DSAR might sound straightforward, but it can be challenging for a controller to locate the information that is being requested of them due to poor governance and management.
Data handling and responding to a DSAR requires a strong understanding of what personal data is and where it is located.
For more information, speak to one of our experts about implementing strong data governance policies and managing data subject access requests.
Do individuals have to pay for a DSAR?
According to Article 15(3) of the GDPR, the initial copy of the requested data must be provided to the individual free of charge. However, organisations may charge a reasonable fee for any additional copies requested by a data subject.
What should be included in a DSAR?
Some important details that you should include in a DSAR are:
What happens if an organisation doesn’t respond to a DSAR?
If a data subject does not receive a response, they have the right to file a complaint with the ICO. However, the first step should be to file a formal complaint with the organisation. This is typically done in writing, such as through a letter or email. If they are still unhappy with the response and feel that the requested data should be provided, they can then complain to the ICO.
How long does an organisation have to respond to a DSAR?
The organisation must respond to a request as soon as possible, and at the latest within one month of the date the request was received. They may extend this to a maximum of three months, but only in exceptional circumstances.
What is not classed as personal data?
Public information about organisations and governments doesn’t count as personal data. However, if there is information that can be used to directly identify stakeholders within the organisation, then that is classified as personal data. Stakeholders may include employees, partners or directors.