Navigating Data Subject Access Requests (DSARs): Ensuring ICO Compliance | Winston Solicitors

Posted on 25 September 2024


Posted in Advice

Read time: 5 minutes

We live in a data-driven world. From healthcare to career opportunities, the information we provide to organisations can have an impact on the decisions made for and about us, which is why it is imperative that we are able to trust that our data will be used lawfully. In the same way, our employees, clients and customers should be able to trust us to process their data correctly. Responding promptly to DSARs is a legal requirement, and it also helps to build that trust.

What are Data Subject Access Requests and Why are they Important?

A DSAR is a formal request made to an organisation by an individual, known as the "data subject", for copies of any personal data that the organisation holds about them, which they have a right to access. The right of access is established under the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018. More information can be found through the Information Commissioner's Office (ICO), which provides detailed guidance on how organisations should handle these requests to ensure compliance with data protection laws.

Compliance with DSARs is critical for businesses, as it not only upholds an individual’s right to their information, but also demonstrates a company's commitment to data protection and privacy. Failing to comply with these requests can lead to significant legal consequences, including fines and reputational damage. In a world where data privacy is becoming increasingly important, adhering to DSAR requirements is a legal obligation that should not be ignored.

Key Rights of the Data Subject Requesting a DSAR

Under GDPR, individuals have several rights relating to their personal data, including:

  • The right to access. Individuals can request copies of their personal data and details of how it is processed. This includes any instances where an individual has been named in documentation, such as email exchanges or direct messages.
  • The right to rectification. If data is incorrect or incomplete, individuals can request for it to be corrected.
  • The right to erasure. In certain circumstances, individuals can request to have their data deleted.
  • The right to restrict processing. Individuals can ask for the processing of their data to be limited, under certain conditions.
  • The right to data portability. Individuals have the right to obtain their data in a machine-readable format.

What to Look Out for in a DSAR

When an organisation receives a DSAR, there are specific elements that must be considered in order to ensure compliance.

Identification of the Request

It is crucial to determine whether the request explicitly asks for personal data. Requests might not always be titled as "DSAR," but could still qualify if they pertain to personal information.

Identity Verification is Crucial with a DSAR

Before processing a DSAR, the organisation must verify the identity of the data subject to prevent unauthorised access to data. This is especially important when the data includes sensitive personal information.

Scope of the Request

Clarify what specific data the individual is requesting. While a DSAR may seek "all data" held by an organisation, sometimes the data subject may only be interested in particular data, and narrowing the scope may streamline the process.

Exceptions and Exemptions

Certain types of information may be exempt from disclosure. For example, data containing information about other individuals, legally privileged information, or data that could cause harm to the data subject or others may be withheld.

Third-Party Data

If a DSAR involves personal data that also relates to another individual, organisations must consider whether it is reasonable to disclose it. Balancing the rights of the data subject with third-party rights is essential.

DSAR Fees

Under the GDPR, organisations generally cannot charge a fee for fulfilling a DSAR unless the request is manifestly unfounded, excessive, or repetitive. Even in these cases, fees must be reasonable and justified.

Managing DSARs Correctly

To manage DSARs effectively and in accordance with the ICO guidelines, organisations should follow these steps:

  1. Acknowledge the request promptly. A DSAR must be responded to without undue delay and within one month of receipt. This deadline can be extended by an additional two months in complex cases, but the data subject must be informed of the delay.
  2. Create a process. Organisations should have a well-documented procedure for handling DSARs, from receipt to response. This includes designating responsible staff, maintaining records of DSARs, and tracking deadlines.
  3. Communicate clearly. If the organisation cannot provide the requested data, or if it needs more time, it must inform the data subject promptly, providing clear reasons and explaining their right to complain to the ICO if dissatisfied.
  4. Maintain records. Keep thorough records of the DSAR, including the date received, the data provided, and any communication with the data subject.
  5. Data minimisation. When responding to a DSAR, provide only the personal data that the individual is entitled to access. Ensure that any third-party data or unnecessary details are redacted.
  6. Train staff. Staff who may be involved in receiving or handling DSARs should be properly trained to recognise and process these requests in compliance with GDPR and ICO guidelines.

Why It’s Important to Respond to a DSAR

Effectively managing DSARs is essential to ensure that you comply with data protection laws. By understanding the rights of individuals, recognising valid requests, verifying identity, and adhering to the ICO's guidelines, organisations can ensure they handle DSARs responsibly and legally. Proper processes, communication, and training are key to managing these requests efficiently.

DSARs are often made in conjunction with existing or threatened employment tribunal proceedings. Our team of employment law experts can assist you with DSARs to ensure that you avoid any pitfalls.

Contact us today to learn more about how we can help you with DSARs.