Our December 2018 blog post entitled “Data Subject Access Request = 4 words to fear?”, explained the need for a robust and efficient process for responding to DSARs. 6 months later our clients are indeed receiving an increasing number and variety of requests.
In this blog, we explain some of the basic steps required to recognise and handle DSARs and indicate some of the issues to watch out for, particularly at the beginning of the process.
The 5 steps involved in processing a DSAR
In our experience, handling DSARs can be broken down into the following 5-step process:
DSARs are requests from any individual (known as a data subject) asking what PII you hold on them.
There is no specific format required to initiate a DSAR – we’ve seen requests made verbally, by letter, by email, via an online chat facility and even by social media post – all are equally valid. The DSAR doesn’t need to specifically reference the DPA 2018 or the GDPR either, and you cannot and should not ask someone why they are making the request; you have no lawful reason to ask this question.
The important thing is to ensure your staff recognise a Data Subject Access Request when it is being made. We’d recommend having an allocated person or department to receive DSARs so that they are not lost. If staff aren’t sure, they can always get advice from your Data Protection Officer or the Information Commissioner’s Office (ICO).
All DSARs should be recorded in a DSAR log so that you can keep track of the details of the request, the action taken and the length of time taken to respond.
Many DSARs are straightforward to deal with, but we are seeing DSARs used as a vehicle to make vexatious requests or as an attempt to extract data from organisations to which the requestor is not entitled. So before expending considerable time and effort collecting records, always:
Verify the requestor’s identity
Make sure the requestor is who they say they are, particularly if the request is not made in person. Providing personal information to somebody else is a data breach in itself and will only compound any problems. If in doubt, check the requestor’s identity: this could be done by asking to see photo ID, such as a passport or driving licence, together with a utility bill, or in some cases by requesting a face-to-face meeting.
Make sure the requestor has the right to the information
In most cases, Data Subject Access Requests are made by the person you hold the personal information about; however, requests for copies of someone else’s personal data can also be made by a person on their behalf. Examples include those with parental responsibility, those in possession of consent from the individual or with power of attorney, and appropriately sanctioned law enforcement agencies.
Fundamentally you must always make sure the requestor has the legal right to receive somebody else’s personal information.
Examples of inappropriate requests we’ve seen include:
In such cases the correct response is to say that, without the specific authority of the individual, no information can be provided.
Requests from the police for personal data in the pursuit of their enquiries are a common type of DSAR that we’ve seen. In these cases we’ve accepted the request provided the police have confirmed its basis in writing and we have confirmed that the police officer making the request actually works at the relevant police station by calling its switchboard.
Identify any exemptions
DSARs relate to the personal information you process on the individual requesting the information. They aren’t a vehicle to be used to uncover additional information about your organisation, to find out about others or to extract otherwise privileged information.
For example, in schools, a parent can legitimately use a DSAR to ask for information about how their child is performing or why certain decisions were made. A DSAR can’t be used to request information about the performance of other individual pupils to provide a comparison or used to identify any other child involved in an altercation or disciplinary process. There may be conflicting requirements that mean some PII should not be released – for example, where it is not in the child’s best interest to release sensitive safeguarding information held by a school.
In the commercial world, we’ve seen complainants who believe they have claims against companies use DSARs as a vehicle to try to extract legally privileged information.
In the case of such conflicting requirements you should undertake a “balancing assessment” to identify the extent of personal information that should be collated and shared with the requestor.
To limit your work in collecting and preparing the information, it’s always best to verify the requestor’s identity (as described above), confirm their right to the information and identify any exemptions from the outset. You can then acknowledge and reply to the requestor upfront, explaining what information you are, and are not, permitted to provide.
If there are any doubts, an experienced Data Protection Officer who understands your organisation and how to apply the legislation in a practical way can be invaluable and save you considerable time and resource.
Once you’ve acknowledged the DSAR and decided what information is required, you need to collate, from all necessary sources, and review all records holding the personal information. You only have 30 days to collate the data and share it with the requestor, so this can be an arduous task – especially given that records can be in both paper and electronic format – and don’t forget information held by the third-party Data Processors that make up your data processing chain.
One particularly difficult request received by one of our clients was a legitimate DSAR from an individual asking for transcripts of the more than 100 telephone calls and recorded messages they had made. This required considerable time and effort to collate and review the data.
In all cases, the invaluable systems are those that store data centrally, are searchable and enable easy access and recall. Holding information in multiple physical locations or as paper records can greatly increase the amount of work required to collate the data.
The GDPR requires you to respond to DSARs within 30 days of verifying the requestor’s identity. For complex requests, this can be extended to 90 days, provided that you advise the requestor of the reasons for extending the timescale before the initial 30 days expire.
Before sharing any information with the requestor, ensure you review the response. Make sure the information is complete and comprehensive, but also ensure references to other individuals have been redacted (for paper records, for example, obfuscated using a black redacting pen), as not doing so would be a breach of the other person’s personal data. Nominate a specific person or department to be responsible for redacting information, as this is a specialist task.
It’s generally a good idea for the review to be conducted by someone other than the person compiling the information, with the responsibility often falling to the DPO.
The last step is simply to share the response with the requestor ensuring you reference the original request in your response. Always ensure you keep an exact copy of all the information sent and keep a record of your response in your Data Subject Access Request log.
The number of DSARs continues to increase as individuals better understand and exercise their rights under the GDPR.
The expertise of an experienced DPO in handling DSARs can be invaluable in ensuring they are responded to efficiently, effectively and lawfully.
Through our work with over 250 organisations, The DPO Centre’s team of experienced DPOs can provide the necessary advice, guidance and model documentation required to ensure timely, appropriate and lawful responses to DSARs. For further information on how we can assist your organisation, please contact us.