At The DPO Centre, we are very fortunate to be able to work with a wide range of organisations, some of whom are considered public bodies. One of the most frequently asked questions we receive is “what is the difference between a DSAR and an FOI request?” and if they are different, “how are they different?”.
Knowing the key differences between the two is essential for any organisation (especially public bodies) that processes data on behalf of data subjects. Being equipped with this knowledge will allow you to react accordingly when such requests are submitted and to deal with them with confidence.
In this blog, we will be discussing what a Data Subject Access Request (DSAR) is, what a Freedom of Information (FOI) request is, the key differences between the two, and how to confidently respond to these requests moving forward.
In England and Wales, an FOI request is a formal request for access to information held by public authorities. This right exists under the Freedom of Information Act 2000 (Scotland has its own Freedom of Information (Scotland) Act 2002), which gives both individuals and organisations the right to access information held by public authorities, such as:
A Data Subject Access Request (DSAR) is one of the rights afforded to individuals under the GDPR. A DSAR is a request made by an individual (a data subject) to gain insight into and access the personal data that an organisation holds about them. Article 15 of the General Data Protection Regulation (GDPR) gives individuals the right of access to obtain confirmation about:
In short, a DSAR allows a data subject to access their personal data.
If an individual wishes to submit an FOI request, then they must do so by submitting a written request to the relevant public authority. They must provide a clear and specific description of the information they are seeking, and the request must include the individual’s contact information. Upon receiving a request, public authorities have 20 working days to respond to the request, either by providing the information requested, or an explanation as to why the information cannot be provided.
Under the Freedom of Information Act 2000, an entire request can be refused under the following circumstances:
The Freedom of Information Act also gives a number of exemptions. These are broken down into two groups:
Unlike an FOI request, which can only be submitted via formal writing, a Data Subject Access Request can be submitted in (almost) any way, whether that be a verbal request or in writing (including via social media); something all organisations should be aware of.
Once an individual submits a DSAR to your organisation, you must respond within one month of receiving the request. If the request is particularly complex, or if the individual has made multiple requests, this can be extended by a further two months. Aside from the timeframe, another key difference between an FOI and DSAR is that the DSAR response must be provided free of charge, unless the request is deemed manifestly unfounded or excessive.
Your organisation also needs to be aware that DSARs can only be made by individuals for their own personal data and cannot be made on behalf of someone else, except in specific circumstances.
Like FOIs, DSARs can be rejected in exceptional circumstances, including:
However, not all exemptions apply in the same way. Your organisation should not routinely rely on exemptions and should consider each request on a case-by-case basis.
If you are a public authority and have received an FOI request, you will need to undertake the following steps:
If your organisation isn’t considered a public body, then your chances of receiving an FOI request are low and you would not be required to fulfil the request. However, your chances of receiving a DSAR are much greater. If you have received a DSAR, these are the steps to take to respond in a timely, efficient manner:
Failing to respond to a DSAR promptly or providing an inadequate response can result in complaints and regulatory action, which could potentially harm your organisation’s reputation. For more information on DSARs you should check out our DSAR blog or our ‘top five challenges’ blog.
All organisations (whether you are a public body or not) need to be aware of both. This is because requestors can, and often do, mix up terminology. You should be aware and know how to spot them and manage expectations accordingly.
The DPO Centre provides a comprehensive DSAR response service to assist with these types of requests. Your organisation can benefit from this service if you lack the necessary in-house resource or confidence to deal with such requests. Our dedicated DSAR team can work with you to ease the burden of DSARs and ensure you understand where your data is located, and draft responses to ensure they are compliant with the most up to date data protection guidelines. Complete the form below and we will get in touch.