ICO DSAR guidance: preventing misunderstandings

On 24 May 2023, the UK’s Information Commissioner’s Office (ICOThe United Kingdom’s independent supervisory authority for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc.) published revised guidance to help support employers in responding to data subjectAn individual who can be identified or is identifiable from data. access requests (DSARs). The guidance clarifies key points and addresses the areas in which organisations have had regular misunderstandings. 

Using a question-and-answer format, the new guidance should be used alongside the ICO’s original right of access guidance. 

The updates were precipitated by more than 15,000 complaints, reported to the ICO between April 2022 and March 2023. Most of them involved confusion regarding the nature of subject access requests or an underestimation of their importance. DSARs can be time consuming, costly and complex, and organisations are often unsure what they should and shouldn’t be providing. 

Matt Spall, Data Protection Officer and DSAR team lead at The DPO Centre, said: 

“The updated guidance from the ICO comes at an opportune time and provides clarity to an area of the law that businesses often find challenging. DSARs can involve wide-ranging searches across various systems, sometimes both electronic and paper based. The data found may also involve others, or may be sensitive in nature, adding to the complexity. Businesses are unsure what they should be including and what they are allowed to withhold. This guidance helps and is welcomed; however, many companies still need support.” 

The importance of Data Subject Access Requests (DSARs)

Individuals have had the right to access their information long before the European General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (GDPR) was implemented. Since the dawn of the digital age, data protection has been a hot topic, with MPs attempting to introduce privacy laws in the UK back in the 1970s. When the Data Protection Act of 1984 was passed, it was the first piece of legislation in the UK to give individuals the right to see information held in computerised records.  

A data subject access requestA verbal or written request made by a data subject to access their data (in a portable format if requested), be informed about how it is used, to have their data modified if it is incorrect, or to have it deleted. (DSAR), also called a subject access request (SAR) is the processA series of actions or steps taken in order to achieve a particular end. by which individuals effectuate their right to access information about themselves, and it forms part of the UK GDPRThe UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU. and the DPA (Data Protection Act). 

Failing to comply with a DSAR is non-compliance with the law 

The huge volume of recent complaints to the ICO has called attention to the level of misunderstandings organisations have had about their responsibilities as controllers of personal dataInformation which relates to an identified or identifiable natural person.. 

Elanor McCombe of the ICO said, “that is why we are publishing this guidance – to support employers in responding to subject access requests in a proper and timely manner, and to ensure that employees are able to access their personal data when desired.”  

Revised ICO guidance on DSARs

The updated ICO DSAR guidance has 13 sections, each with links to further information.   

We have created a handy overview for employers, with an outline of the important points to take into consideration: 

The DPO Centre has a large team of DPOs and DSAR experts who advise on and provide support for subject access requests. Whether dealing with complex DSARs involving large volumes of information needing significant redactions, or contentious requests involving sensitive data, our DSAR team can help. We also offer reviews of completed DSARs, to provide peace of mind. 

If you would like to find out more about our DSAR Response service, please complete the form below. Alternatively download our DSAR Whitepaper here.  

For more news and insights about The DPO Centre, follow us on LinkedIn