What is a DSAR?
The EU GDPR (General Data Protection Regulation) grants individuals (data subjects) the right to access their personal data from data controllers so that they can understand how it is processed and make sure it is processed lawfully.
A request to access personal data is known as a DSAR (data subject access request).
Subject access requests are not new, but the GDPR introduced some changes that make responding to them more challenging.
For instance, organisations may no longer charge a fee, except in certain circumstances, and now have less time to respond.
Failure to respond to DSARs can leave organisations open to the higher level of administrative fines under the GDPR: €20 million or up to 4% of annual global turnover – whichever is greater.
What is the right of access?
Article 15 of the GDPR requires data controllers to confirm to data subjects whether they are processing their personal data.
If so, controllers must provide the data subjects with a copy of that personal data (providing it does not adversely affect the rights and freedoms of others), as well as certain other information.
In most cases, controllers must provide this information free of charge, but may charge a reasonable administrative fee for additional copies requested by the data subject, or if requests are manifestly unfounded or excessive.
Where data is transferred to a third country or international organisation, data subjects also have the right to be informed of the appropriate safeguards relating to the transfer.
How to respond to a DSAR
Verify the applicant’s identity
Before taking any action, controllers must verify the identity of the DSAR applicant, as disclosing personal information to the wrong recipient is itself a breach of the GDPR.
If controllers can demonstrate that they are not in a position to identify the data subject, they can refuse to act on a DSAR.
As with so many aspects of GDPR compliance, the word ‘demonstrate’ is important here. Controllers must maintain appropriate records of any decision not to respond so that they can justify their actions to the regulator, the ICO (Information Commissioner’s Office), if necessary.
It is also important to note that controllers may not retain personal data solely to be able to react to potential DSARs.
If a controller has reasonable doubts concerning the identity of the person making the DSAR, they can request additional information.
Gathering the information
The most time-consuming part of responding to DSARs is locating all the relevant information. It is therefore useful to have a procedure that enables you to check the data you process and where it is stored. A data flow map and data inventory will help.
Find out more about data flow mapping and why it's essential for assessing your organisation's privacy risks >>
How to communicate with the applicant
Article 12(1) states that controllers must provide communication “in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means”.
Recital 63 provides further information: “Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.”
The ICO’s guidance explains that “This will not be appropriate for all organisations, but there are some sectors where this may work well.”
When to respond to a DSAR
The DPA 1998 granted 40 days to respond to a SAR, but data controllers now have one month to respond to a DSAR.
However, Article 12(3) grants that this period “may be extended by two further months where necessary, taking into account the complexity and number of the requests”.
Data controllers must still contact the DSAR applicant within one month and inform them of any extension, explaining the reason(s) for the delay.
Information to include when responding to a DSAR
When responding to a DSAR, data controllers must provide data subjects with the following information:
- The purposes of the processing.
- The categories of personal data involved.
- The recipients (or categories of recipients) the personal data has been or will be disclosed to.
- The length of time the personal data will be retained (or, if this is not possible, the criteria for determining the retention period).
- The existence of the data subject’s right to request that the controller rectify or erase the personal data or restrict processing, or to object to processing.
- The data subject’s right to lodge a complaint with a supervisory authority.
- Where the personal data has not been collected direct from the data subject, any available information about its source.
- The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences for the data subject of such processing.
Information to withhold - DPA 2018 exemptions
The DPA 2018 sets out the UK’s exemptions and derogations from the GDPR.
Section 45(4) of the DPA 2018 states that controllers may restrict the right of access, wholly or partly, in order to:
- Avoid obstructing an official or legal inquiry, investigation or procedure;
- Avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
- Protect public security;
- Protect national security; or
- Protect the rights and freedoms of others.
For the majority of data controllers, the last of these points will be the most relevant. You do not have to comply with a DSAR if it would mean disclosing another data subject’s personal data unless:
- The other data subject has consented to the disclosure; or
- It is reasonable to comply with the DSAR.
The ICO explains that, when determining whether it is ‘reasonable’ to disclose the information, controllers should “take into account all of the relevant circumstances”.
If you decide not to disclose personal data, you will have to record your reason for not doing so and communicate this to the DSAR applicant within the appropriate timeframe.
Other exemptions under the DPA 2018 relate to certain forms of data processing relating to:
- Crime prevention
- Legal professional privilege
- Specific enactments relating to:
- Human fertilisation and embryology
- Special educational needs
- Parental orders
- Children’s hearings
- Immigration control
- Scientific or historical research
- Statistical purposes
- Archiving in the public interest
- Social work data
- Education data
- Child abuse data
- Corporate finance
- Management forecasts
- Confidential references
- Exam scripts and marks
Information about all of these can be found on the ICO’s website.
Excessive requests and reasonable administrative fees
Where DSARs are “manifestly unfounded or excessive, in particular because of their repetitive character”, controllers may either charge a reasonable fee or refuse to act on the request.
It is up to the controller to demonstrate whether requests are manifestly unfounded or excessive, so appropriate record-keeping is, again, essential.
The size of the fee should be based on the administrative cost of providing the relevant information.
How we can help you meet your GDPR compliance requirements
IT Governance is a leading provider of IT governance, risk management and compliance solutions. Browse our wide range of GDPR compliance products and services to support your project.