Under the General Data Protection Regulation (GDPR), UK individuals have a legal right to request a copy of any and all data held about them by any organisation. This is done by submitting a Data Subject Access Request (DSAR).
These data access requests are important and cannot be ignored. Employers must make sure their staff are able to identify and act on such requests - and the response must be carried out carefully, in line with legislation and without opening the company to further issues.
In this article, Employment Law expert David Morgan looks at what a Subject Access Request may contain, the rules around responding to them and how to avoid potential problems in doing so.
What is a Data Subject Access Request?
All individuals (often referred to as data subjects under data protection terminology) have a right to access their personal data - this is one of eight data subject rights specified under the GDPR (with some of the others including the right to request erasure of the data, and the right to restrict processing).
To do this, the data subject will send a Data Subject Access Request to the organisation. This can take a number of forms, but will commonly be submitted as a letter or email clearly requesting access to their personal data. In their request, they may specify the items of data they would particularly like to view, or instead request to see everything held about them.
The data subject is not required to explain or justify their request, nor do they have to explicitly use the terms ‘Data Subject Access Request’, ‘DSAR’ or ‘GDPR’. It is sufficient to simply state a wish to view their personal information, and the organisation may only ask further questions where they are necessary for fulfilling the request.
When the request is received, the organisation then has a period of one calendar month to assemble and deliver any and all relevant data they hold about that individual. This deadline can be extended to three months if the request is particularly complex - but the organisation is still obligated to give a response within one month to explain and justify the extension.
In most cases, a Data Subject Access Request cannot be refused; the only possible exceptions are in situations where it can be shown that requests are manifestly unfounded or excessive. For example, a disgruntled ex-employee might make repeated data requests with the sole aim of inconveniencing the business; in these situations it can be acceptable to charge a fee or deny the request. There are also exceptions to the disclosure of certain types of data, for example where the data is subject to legal professional privilege or may prejudice negotiations between the parties.
However, when refusing a request, the responsibility is on the organisation to establish why data is not being disclosed - and it should be prepared to explain the reasoning to the Information Commissioner if needed.
A request can sometimes be validly submitted on behalf of another individual (for example, a solicitor making a request on behalf of their client, or a parent requesting data pertaining to their child).
In these cases, the organisation in receipt of the request can and should request extra evidence where appropriate to become satisfied that the DSAR is valid (such as written confirmation from the data subject).
Responding to a Data Subject Access Request
Upon receipt of the Subject Access Request, the organisation should begin the process of response. As this can be a lengthy and time-consuming activity, it is a good idea to have an established process for dealing with DSARs.
The response will usually be dealt with by the company’s Data Protection Officer (DPO), if one has been appointed. Otherwise, the task is often given to another member of staff with good data protection knowledge. In many cases they will enlist other employees to assist them with collating the information.
In most situations, the process would begin with questions being submitted to the individual to help the organisation fulfil the request. It would be important to verify the identity of the person asking, clarify what types of information they are requesting, and determine their preferred format for delivery. The organisation should also ensure clarity as to which of the GDPR data subject rights are invoked in the request (is the individual also asking for amendment or erasure of the data, for instance?).
When sending the compiled data back to the individual, it should be in a format that is easy for them to use and with explanations provided where necessary (for example, if there are any codes or jargon used internally by employees that could be a barrier to understanding for outsiders).
Potential problems when responding to a DSAR
Responding to a Data Subject Access Request must be done with care to ensure that the reply does not create new data protection problems.
For example, any documents pertaining to the data subject that also happen to contain personal information of other individuals should have those details redacted - otherwise the organisation may be at risk of breaching data privacy laws.
However, information that does pertain to the data subject and the nature of their request cannot under any circumstances be redacted or doctored, even if it may be embarrassing to release outside the organisation (including private internal memos or emails between colleagues that make mention of the individual). It is an offence under the Data Protection Act 2018 to make any amendment to data with the goal of preventing its disclosure.
It is also important to ensure that all members of staff receive basic training in data access requests. A data subject could conceivably submit a request to any member of the team, so every employee should be able to recognise a Data Subject Access Request when one arises and pass it to the correct person or department for processing.
With a robust internal process established, an organisation needn’t fear dealing with Data Subject Access Requests.
By ensuring employees have been fully trained to recognise requests as they occur, the company’s data protection duties can be dealt with quickly and efficiently - allowing the data subject access to their data, and the organisation to return to doing what it does best.