1. What is a Data Subject Access Request (DSAR)?
Individuals have a right, following The General Data Protection Regulation (GDPR), to access their personal data. A DSAR is a request from an individual to access or receive a copy of their personal data held by you.
A DSAR can be made verbally or in writing (including via social media channels) and can be made by third parties on behalf of the data subject (the person about whom the personal data relates). If the DSAR comes from anyone other than the data subject, you need to ensure you are satisfied the party making the request is authorised to act on behalf of the data subject. If you are unsure of this, you should ask the third party to provide evidence of their authority before disclosing any data or other information to them. Similarly, if you are unsure of the data subject’s own identify you should ask them to verify this.
2. How long do I have to reply to a DSAR?
You should provide your response as soon as possible (the phraseology used is ‘without undue delay’) but, in any event, within a calendar month of the request. If the DSAR is considered complex or if you receive a number of separate requests from the same individual, you can extend this by up to a further two months from the date of the DSAR.
If you process a large amount of data about the data subject making the DSAR, you are entitled to ask them to clarify the request, for example by confirming whether it relates to their data you process for employer disciplinary purposes or security purposes. You can also ask for clarity around the scope of the request to limit the date range you are required to search or the types of documents (for example they may say they want to see their personal data for the last year but excluding emails sent to or from them as they already have copies of those).
If you do make a request for clarification, the 1-month period for your response stops whilst you wait for a response. So, say a data subject sent you a DSAR on 1 January, you should respond to that as soon as possible but in any event by 1 February. If, however the request is unclear, and you decide to ask the data subject to clarify the request and write to them 10 days after receipt of the DSAR asking them to clarify what information they are seeking, you will have already used up 10 days of your response period. The clock will however stop at 10 days and only restart at day 11 once you receive a response to your request for clarification. The clock will also stop if you ask for identification or authority to act as referred to above, but you should make such requests as soon as possible after receipt of the DSAR.
3. What information do I need to supply and how should I supply it?
Individuals are entitled to their personal data. Personal data is data about a living individual (not a corporate body and not a deceased individual) which, either from the data itself, or in conjunction with other data, can be used to identify the data subject. Strictly speaking data subjects are entitled to their personal data and not to the entire document within which the personal data is held. The general rule in terms of how to supply the data is that you should supply it in the same way as it is asked for. So, if the DSAR was made via email then your response should be by email, unless the data subjects asks to receive it in another format. You do, however, need to ensure you are disclosing the information securely. It is good practice to ask the data subject how they want to receive the information.
If you receive or respond to DSARs verbally, you should keep full notes of the request made and the information provided.
4. Are there circumstances in which I can refuse to reply to a DSAR?
You can refuse to comply with a DSAR (either wholly or in part) in certain circumstances, such as if the data is legally privileged or if it (or part of it) is manifestly unfounded or manifestly excessive.
What constitutes manifestly unfounded or excessive is not straight forward and depends on the facts of each request. Remember, if you do refuse to comply with a request you must explain to the data subject: why you are refusing, that they have a right to enforce their right to access via the courts; and that they have a right to make a complaint to the Information Commissioner’s Office (ICO).
There are specific rules around certain categories of personal data for example credit files, education and health data and special care must be taken around these types of data.
5. What if I refuse or fail to respond?
If you refuse or fail to respond to a DSAR, unless the data subject was not serious about their request in the first place or have obtained the data by another means, such as through the disclosure process as part of Court or Employment Tribunal proceedings, the data subject is likely to make a complaint to the ICO. The ICO can take enforcement action against you. The ICO cannot award any kind of damages or compensation to the data subject.
The data subject can also issue Court proceedings seeking an order for you to comply with the DSAR and/or to compensate the data subject.
Would you like to know more?
The Thrings Commercial lawyers help businesses thrive by providing practical business advice from commercial specialists.
You can download a PDF version of this guide.
