Subject Access Request Exemptions: When Can Information Be Withheld?


Now more than ever, we understand the importance of personal data. Every day, important issues are raised about how companies collect data, how long it is held for and what it is used for. Individuals have a legal right to know the answers to these questions, and businesses are legally obliged to supply the information.

Over the past few years, and especially since the pandemic, there has been a significant rise in the number of people submitting Data Subject Access Requests (DSARs).

This article, written by data protection specialists, offers background information on DSARs and seeks to answer the commonly asked question of what must be included in a DSAR response and what can be withheld.

What is a DSAR?

Data Subject Access Requests (DSARs), also known as Subject Access Requests (SARs), are formal requests made by individuals to organisations for the personal information that the organisation has gathered and stored about them.

Individuals have the legal right to access the personal information kept about them under the General Data Protection Regulation (GDPR) of the European Economic Area and the GDPR of the United Kingdom. A DSAR can be made verbally or in writing (including via social media and messaging systems), and it does not have to be addressed to a specific person within an organisation.

Here are some instances of DSARs:

  • “I want to know what information you have about me”
  • “Can I see my HR file?”
  • “Can you send me a copy of my email correspondence?”
  • “What are my account details?”

Why are DSARs important?

DSARs enhance transparency in data processing practices within businesses, and empower individuals to exercise control over their personal information. However, DSARs are frequently viewed as a burden: in-house resources are typically unavailable, and employees and supervisors lack familiarity with best-practice DSAR processes.

DSARs can provide numerous benefits, and can be viewed as a useful tool for developing robust data governance. DSAR processing can improve operations, raise staff awareness, and provide an excellent opportunity to increase customer trust and satisfaction.

Trust – Fulfilling DSARs demonstrates respect for the privacy rights of consumers and employees, which fosters trust and loyalty. In the life sciences, gaining the trust of clinical trial participants is critical.

Confidence – Responding promptly to DSARs decreases the possibility of complaints and disputes, while also bolstering firm reputation.

Improved internal operations – By evaluating requested data, businesses can acquire valuable insights and make significant improvements to their data protection policies.

What information should be included in a DSAR response?

Each DSAR must be handled on an individual basis, and the information required varies depending on the specifics of the request.

In general, these are the most typical forms of DSARs that businesses need to process:

Data summary – This type of request requires a company to produce a full list of all personal information held about an individual. To avoid a breach, any personal information about other people contained in that data must be redacted.

Data processing confirmation – Individuals have the right to request confirmation that their personal information is being processed. Companies must provide this information upon request, including the purposes of processing, the categories of data gathered, and the retention period. These details are comparable to those found in a Privacy Policy.

Data correction – Sometimes people contact a company to check their information and subsequently request adjustments, such as a new address or new payment details. For this type of request, the information must first be supplied to the individual and then amended as required.

Employee requests – These are equally as important as consumer requests, and should be handled with similar urgency. Companies frequently keep sensitive information, such as medical information, which necessitates extra caution in terms of data protection.

Timelines and Deadlines

A DSAR must be responded to within one month of receiving the request. If something needs to be clarified, the clock can be paused while clarification is sought; nevertheless, this cannot be used as a delay tactic.

The response period can be extended by a further two months (to three months in total), but only if the request is judged to be complex or several requests have been submitted by the same person.

Complex requests may include:

  • Technical difficulties in retrieving stored information
  • Public authorities needing to search large volumes of unstructured manual records
  • Clarifying confidentiality issues around the disclosure of sensitive medical information to an authorised third party
  • Needing to obtain any specialist legal advice

These are not necessarily deemed complex:

  • Large volumes of information (although this can add challenges to a complex case)
  • High volumes of separate DSARs
  • Needing to retrieve data from multiple systems

Exemptions: What are the valid reasons for withholding data?

DSAR exemptions have generated a fair amount of confusion for companies, with a recent misreading of guidelines resulting in over 15,000 complaints to the UK’s Information Commissioner’s Office (ICO) between April 2022 and March 2023.

Several exemptions allow organisations to withhold data in response to a DSAR. However, the individual must be given an explanation of why the data is being withheld within one month of the request being received. Furthermore, individuals have the right to lodge a complaint with a supervisory authority and to seek a judicial remedy.

Here are some of the primary reasons for valid exemptions:

Manifestly unjustified or excessive – This refers to a request that is manifestly baseless or unreasonable, and it is decided on a case-by-case basis. Examples include requests made solely with the aim of annoying or disrupting the organisation, as well as vague requests that would take an inordinate amount of time to complete.

To safeguard other people’s data – An exemption covers data that could identify another person, unless that person has given their permission for it to be disclosed.

To protect the rights and freedoms of others – Article 15(3) of the GDPR outlines how to defend the rights and freedoms of others. An exemption applies if giving information in response to a request could jeopardise the rights and freedoms of others, such as revealing identities or personal beliefs.

Crime prevention – Personal data processed for crime and tax-related reasons is exempt from the right of access, which includes crime prevention or detection, apprehending or prosecuting offenders, and assessing or collecting taxes or duties. The exemption only applies if complying with the right of access would likely jeopardise these objectives.

Personal data used for management forecasting or planning – Data such as sales estimates, staffing plans, and financial forecasts is exempt from disclosure in a DSAR response. Disclosing this information could harm the firm by revealing sensitive details about its operations and future plans.

DSAR Best Practice

The key to a successful DSAR response is proper planning and data control. If you are having trouble responding to a request, it may be a sign that you should review your data management processes as a whole.

Here are some useful recommendations regarding DSAR best practices:

  1. Data mapping – Essentially, know what data is stored and being processed in the company. This can be done through a Record of Processing Activities (RoPA) and visual data maps.
  2. Clear internal procedures – A DSAR Policy and Procedure document is vital. This should include an explanation of what a DSAR looks like and steps for how to process a response.
  3. Staff training – General data protection training for staff is a crucial element of successful data management and will help to enforce a positive privacy culture. Training also ensures employees can identify a DSAR and helps them to understand their responsibilities.
  4. Regular review – Revisit points 1–3 regularly to ensure the data map, procedures and training remain current.