What is a GDPR DSAR?
Under Article 15 of the UK General Data Protection Regulation (GDPR) individuals, or data subjects as they are referred to, have the right to access their personal data and any supplementary information that is being processed by an organisation (or data controller as it is referred to in the Regulation). A request to receive a copy of that data is known as a data subject access request (DSAR) or subject access request (SAR) for short.
Is there any difference between a SAR and a DSAR?
In a word, no. The two terms are used interchangeably and refer to the process by which individuals can request access to their personal data from a data controller under the UK GDPR. The term SAR is used predominantly by the Information Commissioner’s Office (ICO), but for the purpose of consistency, we shall use the term DSAR (sometimes referred to as a DSAR request) throughout this blog.
Why are DSARs so important?
The right of access to personal data is absolutely central to the GDPR and is vital for transparency. Failing to respond to a DSAR within the defined timescale means that you are non-compliant with the law. As such, if organisations fail to respond to DSARs promptly, or at all, they can be subject to fines or reprimands. Since 2020, the ICO has issued a series of reprimands to a number of public and private sector organisations. From April 2022 to March 2023, over 15,000 DSAR-related complaints were received by the ICO, which gives an indication of the attention that is paid to DSARs.
What information can a data subject request?
Literally anything or everything that relates to them. It could be somebody asking:
- ‘Can you please send me my HR file?’
- ‘Can I have a copy of the notes of my last appraisal?’
- ‘What information do you hold about me?’
- ‘Can I have a copy of an email that was sent to my manager?’
It is worth noting that the request doesn't need to include the word DSAR or SAR, or mention the GDPR; it can simply be ‘I want to see my information or personal data’. It is this aspect that can make it difficult for your staff to correctly identify that a DSAR has been made. (See ‘What format does a DSAR have to take?’)
How far back can a data subject go in requesting their personal data?
The UK GDPR does not specify any time limitation for a data subject requesting their personal data.
What format does a DSAR have to take?
Individuals can submit a DSAR in virtually any form. It could come from a telephone call, an email, an in-person request at your offices or somebody putting their request on a social media platform. It could even be a WhatsApp message, a text message, a Teams message, or a submission through a ‘contact us’ portal. The key is recognising a DSAR even when the requester does not use the terminology.
With a DSAR, does a data subject have the right to request all information that is being held on them?
Yes, a data subject has the right to request all information that is held on them, and it is one of the enhanced rights under the Regulation. It is a given right and controllers must manage this in a particular way. It doesn't necessarily mean that a data subject is entitled to have all of the information that is held about them, but they are entitled to request it, and the data controller will need to deal with each request on a case-by-case basis. (See ‘When can you refuse to comply with a DSAR?’)
What should you do when you receive a DSAR?
A crucial first step is to validate the requester’s identity. You need to be sure that the requester is legally entitled to see that information and is not someone impersonating another person. So, if there is any reasonable doubt about the identity of the requester, you are entitled to ask to see their ID. Often that is a driving licence or a copy of their passport, a photographic image or a home address, and the details provided may also help you with your search for the data. If it is an internal request, say from an employee or an ex-employee, it may well be that somebody in HR or elsewhere in the business can reasonably verify them without seeing any ID. You do need to be pragmatic and balanced though, as requesting ID can be perceived as a stalling tactic used to give you more time to pull the data together. On the other hand, it is imperative that you do not make an unlawful disclosure to someone who is not entitled to see the information. (See ‘Can a DSAR be made on behalf of someone else?’)
The other important thing to do when you receive and recognise a DSAR is to acknowledge it. You need to ensure that the data subject knows that you have received it and are going to act on it. You need to formalise the acknowledgment, which could be an email, a letter, or a telephone call. Furthermore, you need to ensure that your acknowledgment lays out the timescale for your response, so that you can manage the expectations of the requester. Remember, you only have a limited amount of time in which to respond. (See ‘How long do you have to respond to a DSAR?’)
What can you do if a data subject makes an excessive request?
If the request, for example, asks for everything that you hold on them, which is quite a wide scope, you may be able to go back to the requester and ask them to narrow down the search and help to clarify the scope of their request. In URM’s experience, often when somebody puts in a subject access request, they don’t want everything; they want something very specific. If you have a discussion with them about it, you may be able to encourage them to narrow down that search, which will make it easier for your disclosure officer to manage the request and ensure the requester receives relevant, timely information. (See ‘Can you extend the DSAR response time?’)
Are there any circumstances where you can refuse to respond to a DSAR? ‘I’m too busy’, for example?
No, this is a very dangerous game to play. Recent ICO interventions are evidence that being too busy is not an acceptable excuse. Even if you can’t find someone’s personal data, i.e., you search your systems and you can’t find that person’s name, their date of birth or any of their other identifying details, you still need to respond and tell them that this is the case. A recommended approach is to ask them to verify their details, as it may be that the requester has changed their name or moved address. As such, it is important to have that communication and try to identify them. (See ‘When can you refuse to comply with a DSAR?’)
Can a DSAR be made on behalf of someone else?
Yes, there are occasions where a data subject can ask another individual to make the request on their behalf. It could be a relative, for example, making a request on behalf of an elderly relative or a teenager. It could be Citizens Advice acting on behalf of an individual. Alternatively, it could be a solicitor, a support worker, or a youth worker. Irrespective of who is making the request, you still have an obligation to ensure that the relevant consent is in place: you will need to check that they have been given permission to act on behalf of the data subject, and you still need to verify the data subject’s identity. Often a solicitor will send through a consent form that states, ‘We’re acting on behalf of this individual and here’s their ID’. Having validated the identity of the data subject, you are then able to process the DSAR in exactly the same way.
Can you charge for responding to a DSAR?
In most circumstances, no, you can’t. The legislation does, however, allow for a reasonable fee to cover administrative costs, but only in specific circumstances: where a request is manifestly unfounded or excessive, or where a requester, having received a digital copy of their data, then requests it in paper form. In the latter scenario, you may be able to charge a reasonable fee for printing and posting. However, the ICO generally takes a dim view of charging and there aren’t many instances where you could actually charge £50-£60 to release a DSAR. The fee used to be only £10, but now it’s free, and this has coincided with an enormous increase in DSARs being made.
How long do you have to respond to a DSAR?
One calendar month, irrespective of whether it is a 28-day February month or a 31-day month such as March. As such, if you receive a request on the 10th day of a month, you need to have provided the necessary information by the 10th day of the following month.
So, it’s very clear that every day counts, and being on leave or away from the office is not considered a valid reason for not meeting the 1-month deadline. A very practical measure which URM recommends is to have more than one person managing DSARs and monitoring a generic inbox to which DSARs are sent. Thus, if the primary disclosure officer is out of the business for 2 weeks, there is someone else who is capable of recognising the DSAR, validating it, acknowledging it, and briefing the disclosure officer on their return. But even that leaves your timescales very tight.
When does the clock start ticking for the one-month DSAR response time?
The ICO’s view is that the clock starts ticking at the point you have validated the request. It can sometimes take a number of days for an individual to produce a valid form of ID, e.g., a passport, and send it in. In URM’s experience, a number of requesters do not respond when asked to provide ID. It's worth pointing out, however, that despite not receiving a response, you can’t close the DSAR. The only person who is able to close a DSAR and consider it closed is the data subject. It is therefore possible that you could sit with an open request on your system, with no ID, for an indefinite period of time.
Can you extend the DSAR response time?
Yes, you can in certain circumstances. In order to do so, you need to speak to the data subject and agree the timescale. The legislation allows for an additional 2 months (i.e., 3 months in total) for an extremely large request, but you must be able to justify that extension. You can't just say ‘the team’s on holiday’, ‘we don't know where the records are held’ or ‘we need to get archive boxes back’; the ICO will not see these as valid reasons for extending the deadline. A valid scenario would be where, for example, a data subject has 30 years’ service and you have 85,000 emails to review; that would be classed as an excessive request. Even then, you can't just apply the extra time; you would need to speak to the data subject and gain their agreement.
When can you refuse to comply with a DSAR?
The legislation and the ICO are both clear that where an exemption applies you can, depending on the circumstances, refuse to provide all or some of the requested information. You can also refuse to comply with a DSAR if it is manifestly unfounded or manifestly excessive. We will address exemptions in the next question, but manifestly unfounded is where somebody is basically abusing the right of access. It is often connected with an ulterior motive, e.g., to create a nuisance or possibly as part of some form of negotiation (some may even call it blackmail!), but ultimately it is a misuse of the legislation.
In terms of what constitutes ‘manifestly excessive’, this is a tricky one as there is no definition of excessive and the term is open to different interpretations. Some may think 500 records is excessive; others may think 80,000 records. A lot depends on what is the norm in your organisation. You should also base your decision on whether the request is proportionate when balanced against the burden or costs involved in dealing with it. Questions you need to be asking yourself are: ‘Is the request reasonable?’ and ‘Does the individual really need all of the information they are requesting?’ If you feel that it is a vexatious request (e.g., a disgruntled ex-employee asking for excessive amounts of information and putting a drain on resources), you could refuse to process the request.
In what circumstances do exemptions apply?
One of the key areas is where a DSAR involves information about other individuals. The advice provided by the ICO is that, wherever possible, you should consider whether it is feasible to comply with the request without disclosing information that identifies another individual. This can undoubtedly be one of the most challenging aspects of responding to a DSAR, as a requester’s personal data is often linked to the personal data of another individual. If that other individual consents to their information being included in the disclosure bundle, there is no problem. However, when that consent is not forthcoming, you will often have to balance the privacy rights of one individual (the requester) against those of another (the third party). There are no hard and fast rules, and each request has to be judged on its own merits, weighing up the consequences for the third party of disclosing their information. For example, imagine the scenario of a housing association where a tenant has made a complaint against another tenant (the requester) and has made it absolutely clear that they don’t want to be identified. Here, it may not be a case of just redacting a name, but also any other context which would reveal the identity of the complainant.
Apart from the above, there is a wide variety of other factors which can lead to exemptions being applied, including crime and taxation, legal professional privilege, regulatory functions, journalism, health, social work and education, management information and confidential references. A full list can be found on the ICO website. It should be noted, however, that care and consideration are needed when applying exemptions. Taking the case of health data, you are exempt from complying with a DSAR for health data to the extent that complying with the right of access would be likely to cause serious harm to the physical or mental health of any individual. However, you must have obtained an opinion from the appropriate health professional within the last 6 months that the serious harm test for health data is met.
How URM can help you
One of the areas which organisations often struggle with when dealing with DSAR redaction is understanding what legal exemptions are available and, more importantly, which can be applied. Deciding which elements of a document need to be redacted and where exemptions can be applied is a time-consuming process and one which requires a skilled interpretation of the UK GDPR.
URM can provide such skills through its knowledgeable and experienced team and is able to apply the appropriate redactions to any documents supplied. It is important to note that URM provides a human, rather than an automated, solution, which is widely acknowledged as being far more effective and appropriate. As the ICO advises, it is essential to understand the context of a DSAR, and this can only really be achieved where the raw material is read by a human. Following the redaction service, URM is able to package the DSAR together for disclosure. Furthermore, if required, URM is able to act as your representative with the UK regulator where a DSAR is contested.
Another area where URM can help you is in the establishment of an effective and efficient DSAR process and in training your staff to:
- appropriately identify DSARs, and
- respond in a timely and efficient manner.
URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs, ROPAs, data retention schedules, training programmes, etc.
By attending URM’s online BCS Foundation Certificate in Data Protection course, you will gain valuable insights into the key aspects of current DP legislation including rights of data subjects and data controller obligations.
If you are uncertain of your position, URM is able to conduct a high-level GDPR gap analysis which will help you understand your current level of compliance and identify gaps and vulnerabilities.