Data protection is a world filled with acronyms.
There are Data Subject Access Requests (DSARs), and you will also hear references to Subject Access Requests (SARs). SAR is the term used in the Data Protection Act (2018). To avoid confusion, in this blog we will use the DSAR acronym.
From the point of view of the Data Subject (the individual whose data is held) they are the same thing. From the point of view of the organisation receiving DSARs, there are some important steps to follow:
Verifying the Data Subject's identity is the first key step to take.
With the additional requirements the UK GDPR places on Data Controllers (the legal owners of the data, who decide how it is processed) to respond to DSARs in a timely manner, this step can often be missed, or rushed to ensure perceived compliance.
As there is no formal process for making a DSAR, requests can be received by phone, electronically or via social media. If the Data Controller is satisfied that the request is made by an authorised person, then the information should be made available.
The ICO’s guidance looks at the circumstances when a Third Party can make a DSAR: “An individual may prefer a third party (e.g., a relative, friend or solicitor) to make a DSAR on their behalf. The UK GDPR does not prevent this; however, you need to be satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide you with evidence of this. For example, by providing a written authority, signed by the individual, stating that they give the third-party permission to make a SAR on their behalf.”
In this case the burden of proof lies with the Third Party.
Data Controllers can refuse requests they believe to be bogus, excessive or otherwise unfounded (repetitive requests, for instance), but in that case the Controller bears the responsibility of proving that its decision is appropriate.
There is a clear flow to the process of fulfilling a DSAR.
We have covered the first three steps, recognising and validating requests and managing third-party requests, in the section above. The next step is to redact any data exempt from disclosure.
It is crucial to cross-check against the Data Protection Act (2018) regarding what data may be exempt from disclosure, particularly anything that might release information about another individual.
The final step is to maintain a register of DSARs received and the steps taken to fulfil them.
There is now a 30-day deadline to respond to a DSAR. So, having a process in place that supports this timeline is essential, and it might follow a pattern like this:
- Week 1 – Request is received and validation takes place. The DSAR is logged in the register and all relevant stakeholders are informed.
- Week 2 – Information is gathered, which may include consulting external data processors and interrogating off-site archives.
- Week 3 – Data is collated (often the responsibility of the Data Protection Officer (DPO)), and business-sensitive and Third-Party data is redacted.
- Week 4 – Review the data to be supplied and sign it off. Provide the data package securely (electronically or physically) to the Data Subject and record completion in the DSAR log.
The handling of DSARs is one of the areas that causes the most confusion and risk for organisations. Having a detailed DSAR Policy in place, with annual employee training, is vital for reducing any risk.
The need to connect the requirements of different pieces of UK privacy legislation and comply with the timeline expected by the ICO can lead to misunderstandings.
Have you got an expert in your organisation who can process DSARs? Have you got a robust policy in place? Have you been trained on what you need to do to comply with a DSAR?
If the answer is ‘No’ to any of the above questions, please get in touch with CSRB.
We will help you manage and protect your organisation's personal data responsibly.
Please get in touch with us here or call 0117 325 0830 to learn more about how we can support your understanding of DSARs.