Anonymisation Part 2: Risk Reduction for CROs, Sponsors & Partners Conducting Clinical Trials

July 24, 2023

Standard Contractual Clauses (SCCs) for data transfers

August 21, 2023

ICO DSAR guidance: Preventing misunderstandings

August 7, 2023

Tags

On 24 May 2023, the UK’s Information Commissioner’s Office (ICOThe Information Commissioner's Office (ICO) is the United Kingdom’s independent supervisory authority for upholding information rights in the public interest, ensuring compliance with the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).) published revised guidance to help support employers in responding to data subjectAn individual who can be identified or is identifiable from data. access requests (DSARs). The guidance clarifies key points and addresses the areas in which organisations have had regular misunderstandings.

Using a question-and-answer format, the new guidance should be used alongside the ICO’s original right of access guidance.

The updates were precipitated by more than 15,000 complaints, reported to the ICO between April 2022 and March 2023. Most of them involved confusion regarding the nature of subject access requests or an underestimation of their importance. DSARs can be time consuming, costly and complex, and organisations are often unsure what they should and shouldn’t be providing.

Matt Spall, Data Protection Officer and DSAR team lead at The DPO Centre, said:

“The updated guidance from the ICO comes at an opportune time and provides clarity to an area of the law that businesses often find challenging. DSARs can involve wide-ranging searches across various systems, sometimes both electronic and paper based. The data found may also involve others, or may be sensitive in nature, adding to the complexity. Businesses are unsure what they should be including and what they are allowed to withhold. This guidance helps and is welcomed; however, many companies still need support.”

The importance of Data Subject Access Requests (DSARs)

Individuals have had the right to access their information long before the European General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (GDPR) was implemented. Since the dawn of the digital age, data protection has been a hot topic, with MPs attempting to introduce privacy laws in the UK back in the 1970s. When the Data Protection Act of 1984 was passed, it was the first piece of legislation in the UK to give individuals the right to see information held in computerised records.

A data subject access requestA verbal or written request made by a data subject to access their data (in a portable format if requested), be informed about how it is used, to have their data modified if it is incorrect, or to have it deleted. (DSAR), also called a subject access request (SAR) is the processA series of actions or steps taken in order to achieve a particular end. by which individuals effectuate their right to access information about themselves, and it forms part of the UK GDPRThe UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU. and the DPA (Data Protection Act).

Failing to comply with a DSAR is non-compliance with the law

The huge volume of recent complaints to the ICO has called attention to the level of misunderstandings organisations have had about their responsibilities as controllers of personal dataInformation which relates to an identified or identifiable natural person..

Elanor McCombe of the ICO said, “that is why we are publishing this guidance – to support employers in responding to subject access requests in a proper and timely manner, and to ensure that employees are able to access their personal data when desired.”

Revised ICO guidance on DSARs

The updated ICO DSAR guidance has 13 sections, each with links to further information.

We have created a handy overview for employers, with an outline of the important points to take into consideration:

Key area

Overview of revised guidance

Responding to a data subject access request

Must respond to all DSARs from data subjects; including employees
1 month time limit from receipt of request
Can extend up to 2 months if DSAR is complex or if the individual has made several requests

Format of requests

Verbal or written format is valid
Does not have to include the phrases “subject access request” “right of access” or “Article 15 of the GDPR”

Clarifying requests

Clarification is permitted only if it is needed to complete the DSAR and;
Only if a large amount of information about the individual has been processed
Response time limit can be paused until clarification is obtained

Exemptions

Under UK data protection laws there are certain exemptions from right of access requests
Information can only be withheld if it falls within one of the exemptions
Exemptions must be judged on a case-by-case basis
Exemptions must be justified and documented

Advising about withheld information

Companies must be as transparent as possible
Should inform the requester, unless it is inappropriate to do so

NDAs & settlements, tribunals

The right of access cannot be overridden by a non-disclosure agreement or settlement document
Right of access cannot be refused unless an exemption applies
If an exemption applies, it must be clearly demonstrated along with the reason(s) for its use

Tribunals & grievances

The right of access cannot be overridden by a tribunal or grievance process
Right of access cannot be refused unless an exemption applies
If an exemption applies, it must be clearly demonstrated along with the reasons for its use

Using personal communications

Organisations should evaluate whether they are the controller for the individual’s personal communications, and if so, to include them
Policies and procedures should be in place for individuals to understand what they can and cannot do on the IT system
A reasonable use policy or personal use policy is recommended

CC email information

Copied in email info can be included or excluded, depending upon the contents of the email and the context of the information it contains

Social media searches

Data protection laws apply to any social media activity
Social media platforms include, but are not limited to, Facebook, Instagram, Twitter, LinkedIn, WhatsApp, Microsoft Teams

CCTV footage

Information from CCTV footage must be disclosed
Systems should allow for the redaction of 3rd party information where necessary
Where systems do not have a redaction functionality, compliance is still required, and footage would need to be disclosed by requesting consentAn unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed. or using another lawful disclosure measure

Getting advice for a DSAR response

The ICO is an independent regulator and cannot give advice on any DSAR response
Organisations must demonstrate compliance with DSARs
DSAR specialist data protection officers can give advice and support

Negative responses to DSARs

Organisations should work with the data requester to try and resolve any complaints about a completed DSAR
In situations where no resolution can be found, the complaint can be taken to the ICO

The DPO Centre has a large team of DPOs and DSAR experts who advise on and provide support for subject access requests. Whether dealing with complex DSARs involving large volumes of information needing significant redactions, or contentious requests involving sensitive data, our DSAR team can help. We also offer reviews of completed DSARs, to provide peace of mind.

If you would like to find out more about our DSAR Response Service, please complete the form below. Alternatively download our DSAR Whitepaper here.  

For more news and insights about The DPO Centre, follow us on LinkedIn

Anonymisation Part 2: Risk Reduction for CROs, Sponsors & Partners Conducting Clinical Trials

Standard Contractual Clauses (SCCs) for data transfers

ICO DSAR guidance: Preventing misunderstandings

The importance of Data Subject Access Requests (DSARs)

Revised ICO guidance on DSARs

Related posts

GDPR DPO requirements: What qualifies as large-scale processing?

Microsoft Copilot: Privacy concerns and compliance tips for 2025

Understanding GDPR territorial scope: Essential compliance guide