Under EU and UK law, individuals have the right to know what personal data an organisation processes about them and how it is used. They can exercise this right by submitting a DSAR (data subject access request).
The rules for DSARs are outlined in the GDPR (General Data Protection Regulation), and these have been carried over into UK data protection law with only a few exemptions, which are detailed in Section 45(4) of the DPA (Data Protection Act) 2018.
DSARs as a concept were not created with the GDPR, but the legislation standardised several processes that make it easier for individuals to submit requests and place a greater burden on organisations to complete them.
- What are data subject access requests?
- What is included in a data subject access request?
- Can information be redacted?
- Does a request have to be in writing?
- Can individuals submit a DSAR on behalf of someone else?
- How long do organisations have to respond to a DSAR?
- Who is responsible for responding to a subject access request?
- How much can be charged for a subject access request?
- What’s the difference between a freedom of information request and a DSAR?
- The process for handling a DSAR
- How to ensure data subject access request success
What are data subject access requests?
DSARs are the result of the GDPR’s right of access – one of eight data subject rights enshrined in the Regulation.
When an individual submits a data subject access request (or SAR, as it was known under the Data Protection Act), organisations must provide them with a copy of any relevant information about them.
What is included in a data subject access request?
A request might refer to specific personal details, or to specific processes for which the organisation uses that information. In these cases, you only need to provide the relevant information.
However, individuals may ask to see a complete list of the personal data that the organisation stores on them.
This will undoubtedly be burdensome because it’s not merely a case of pulling up everything you store on that person.
If you did that, you’d end up with large volumes of information that aren’t considered personal data – such as internal memos about the data subject’s files – which don’t need to be shared.
Your first tasks, therefore, are to determine what information related to the individual is considered personal data under the definition of the GDPR, and whether it’s part of the data that they requested.
This information must be provided alongside other supplementary material, such as the relevant details provided in the organisation’s privacy notice.
Can information be redacted?
Although the GDPR promotes openness to the public, organisations can and, where relevant, should redact anything that’s not within the scope of the DSAR.
For example, you might have documents that include that individual’s personal data alongside other people’s personal details.
In these circumstances, you are required to redact all personal data that isn’t about the person making the request, because otherwise you’d be committing a data breach.
Likewise, you might have records where the individual’s personal data is stored alongside sensitive company data. You are within your rights to redact that information.
Infographic: data subject access request flowchart
Are you following the correct steps when responding to a data subject access request? Take a look at our infographic for a handy guide on the DSAR response process:
Do individuals have to give a reason for a DSAR?
Individuals don’t need to state why they are submitting a DSAR. The only questions an organisation may ask when a DSAR is submitted concern verifying the individual’s identity or helping them locate the requested information.
Does a request have to be in writing?
There is no formal process for submitting a DSAR. That means requests don’t need to be submitted in writing – or in any documented way. For example, an individual can make a request while speaking with a member of staff.
It’s also worth noting that individuals aren’t required to use the technical term for a request (‘DSAR’ or ‘data subject access request’).
They can, for instance, simply say that they’d like to see a copy of the information the organisation stores on them.
That said, requests are most likely to be submitted in writing, as it’s the most convenient method.
It gives individuals and organisations a record of the request, the date that it was made and other relevant information, such as the specific personal information that they want a copy of and the format in which it should be delivered.
Can individuals submit a DSAR on behalf of someone else?
Yes, individuals can authorise someone else to make a request on their behalf. This is most likely to happen when:
- Someone with parental responsibility asks for information about a child;
- A court-appointed individual is managing someone else’s affairs;
- A solicitor is acting on their client’s instructions; and
- The data subject requests help from a relative or friend.
Organisations must, of course, be satisfied that the person making the request really is doing so on behalf of the data subject.
As such, they are entitled to request supporting evidence, such as written authorisation from the data subject or a more general power of attorney.
How long do organisations have to respond to a DSAR?
There is a subject access request time limit. DSARs must be fulfilled “without undue delay”, and at the latest within one month of receipt.
Where requests are complex or numerous, organisations are permitted to extend the deadline to three months. However, they must still respond to the request within a month and explain why the extension is necessary.
Who is responsible for responding to a subject access request?
An organisation’s data protection officer (DPO) will generally be responsible for fulfilling a DSAR, provided the organisation has appointed one.
If you don’t have a DPO, the duty should fall to someone in your workforce with data protection knowledge.
In either case, the expert probably won’t do the physical work involved in completing the request, such as combing through documents and redacting information.
Still, they will oversee the process and ensure that it is being completed in line with the GDPR’s requirements.
How much can be charged for a subject access request?
Under the GDPR’s predecessor, the DPA (Data Protection Act) 1998, organisations could charge a fee for fulfilling a DSAR, but that’s no longer the case in most instances.
Indeed, as the UK’s data protection supervisory authority, the ICO (Information Commissioner’s Office), explains, there are now only two instances in which organisations may request payment for a DSAR.
These are when a request is manifestly unfounded (i.e. when the individual clearly has no intent to exercise their right of access, such as when the request is an excuse to make unsubstantiated accusations against the organisation) or excessive (i.e. when the request overlaps with a recently submitted DSAR).
Organisations should base the fee they charge on the administrative costs involved. That’s to say, they shouldn’t be profiting from requests.
It’s worth adding that organisations are within their rights to reject manifestly unfounded or excessive requests outright instead of charging a fee for them. This might be the case when they simply don’t have the time or resources to fulfil the request.
What’s the difference between a freedom of information request and a DSAR?
DSARs might sound a lot like freedom of information (FOI) requests, but in practice they are quite different.
Whereas DSARs grant EU residents access to copies of their personal data, FOI requests are specific to the UK and relate to recorded information held in the public sector.
This generally refers to government departments, local councils and regulators, such as the Financial Conduct Authority.
Additionally, personal data is not covered by the FOI Act, so, unlike a DSAR, an FOI request is not tied to the requester’s own data and there are no restrictions on who can make one.
The process for handling a DSAR
Like many aspects of the GDPR, access requests have a formal name that organisations must be aware of for compliance purposes, but that doesn’t mean individuals need to know the terminology.
As the ICO (Information Commissioner’s Office), the UK’s data protection supervisory authority, notes, there’s no specific process for making a request, so someone could simply say “I’d like to see what data you have on me”, and that would be considered a legitimate request.
Therefore, anyone in your organisation who may receive such a request must know what to look out for and who to pass the message on to.
In many organisations, the DPO is responsible for handling DSARs. However, if you aren’t required to appoint one, you’ll need to find an alternative approach.
Since time is of the essence when responding to a DSAR, it’s a good idea to ensure you have an established DSAR process beforehand, so that you can deal with such requests quickly.
- Verify the identity
One of the first steps is to verify the identity of the requester so that you can determine whether you have all the information you need to fulfil the request.
- Clarify what the request is
Following that, find out a bit more about the request itself. Is it merely a request for access, or are they invoking other rights, such as rectification of the personal data being held?
- Is the request valid?
Establish whether the request is valid and if it can be completed within the one-month period. If not, you can take further steps to request an extension (read more in our downloadable guide).
- Inspect the data
Once you start collecting the data, check whether the data needs to be amended and if you need to protect the personal information of any other data subjects.
- Choose the format
Once you’ve collected all the data, determine the most appropriate format in which to provide the information.
- Add extra information
Lastly, before sending the information, ensure the data subjects know their rights, including the right to lodge a complaint.
How to ensure data subject access request success
There are many steps you can take to help your organisation manage DSARs. Your first task is to create a flowchart to make sure you respond promptly, thoroughly and in line with the GDPR’s requirements.
There are also ways you can make your organisation more resilient to the challenges that come with responding to DSARs. For example, you should implement measures addressing:
- Staff training
Data subjects can theoretically submit a DSAR whenever they’re communicating with a member of your staff. You must, therefore, make sure that all relevant employees can recognise a request and know how to respond.
- DSAR responsibilities
You should appoint someone or a team of people to take responsibility for responding to DSARs. This might be your DPO, or it could be another employee who is familiar with the GDPR’s compliance requirements.
If only one person takes on this task, you must make sure other employees know how to complete a request so that they can fill in during holidays or other absences.
- Expert advice
Unless you were able to appoint an experienced DPO to oversee access requests, there’s a good chance that the person handling your response process is relatively new to the task.
That won’t be a problem in most cases, because once you get into the swing of things, it’s a relatively routine operation. However, there will be some challenging requests that require guidance, such as through one-off consultancy services.
Free download: DSAR guide
You can learn more about organisations’ DSAR obligations and individuals’ rights by downloading our free green paper.
Our Concise Guide to Data Subject Access Requests contains essential advice to ensure that you have an adequate system in place to manage requests effectively and in line with the GDPR’s requirements.
A version of this blog was originally published on 14 August 2019.