5 essential steps for data subject access requests
Data subject access requests (DSARs) pose many challenges for organisations, and more often than not the sheer volume of requests is too much for internal resources to handle. Alternatively, a complex DSAR may involve complications that go well beyond a straightforward retrieval of personal data.
In this article, a team of data protection specialists offer five essential steps for processing DSARs, detailing some of the issues to watch out for – especially at the beginning of the process – and how to identify any exemptions.
Essential steps for processing
Responding to a data subject access request can be broken down into five key areas:
- Recognise and record
- Acknowledge receipt
- Collate the data
- Review and redact
- Share response
Let’s go through each of these stages, one by one, in a little more detail.
Recognising and receiving DSARs
What is a data subject access request?
A data subject access request (DSAR) is an inquiry from an individual (known as a data subject) to an organisation (known as a data controller), asking what personal information is held about them.
There is no specific format required to initiate a DSAR, and valid requests can include letters, emails, conversations via online chat facilities, social media posts and even verbal requests. What’s more, a DSAR doesn’t need to specifically reference the UK’s Data Protection Act (DPA) 2018 or the UK General Data Protection Regulation (UK GDPR).
You cannot and should not ask someone why they are making the request, as you have no lawful reason to ask this question. The important thing is to ensure your staff recognise a DSAR and understand what needs to be completed for an effective response.
How long have you got to respond?
You have one calendar month to respond to a DSAR, unless there are multiple requests or the request is considered complex. It is best to have a pre-determined person or department dedicated to receiving DSARs, both to prevent requests from being lost and to ensure they are handled efficiently.
Record all DSARs in a DSAR log. The log should include details of the request, the action taken, and the time taken to respond. If you need advice, you can contact your Data Protection Officer (DPO) or the UK’s Information Commissioner’s Office (ICO).
Acknowledge receipt, explain next steps
Many DSARs are straightforward to deal with, but some can be used to make vexatious requests or to extract data that the requestor is not entitled to.
Before expending considerable time and effort collecting records, remember to always:
Verify the requestor’s identity
Make sure the requestor is who they say they are, particularly if the request is not made in person. Providing personal information to somebody else is a data breach and can compound problems.
If in doubt, check the requestor’s identity. You can do this by asking to see a photo ID, such as a passport or driving licence. You could also ask for a utility bill, or in some cases, request a face-to-face meeting.
Make sure the requestor has the right to the information
DSARs are typically made by the individual whose personal information is held. However, someone else can request an individual’s personal data on their behalf. Examples include those with parental responsibility, someone holding the individual’s consent or a power of attorney, and appropriately sanctioned law enforcement agencies.
You must always make sure the requestor has the legal right to receive somebody else’s personal information. Inappropriate requests can and do happen, and have been reported by (for example) schools, where estranged parents or step-parents who aren’t legal guardians have asked for a pupil’s personal information. Similarly, disgruntled customers have requested information about other customers or employees, and even potential employers have sought personal references from a candidate’s previous employer without consent or agreement from the candidate.
In such cases, the correct response is to say that without the specific authority of the individual, no information can be provided.
Requests from the police for personal data in the pursuit of their enquiries are another common type of DSAR. In these cases, accepting the request is usually the best course of action, provided the police have confirmed its basis in writing. You should also confirm that the police officer making the request works at the relevant police station by calling its switchboard.
Identify exemptions
DSARs only relate to the personal information processed on the individual making the request. They are not a way to uncover additional information about an organisation, to find out about others, or to extract otherwise privileged information.
Returning to the example of schools, a parent can legitimately use a DSAR to ask for information about how their child is performing or why the school made certain decisions, but it cannot be used to request information about other pupils, or to identify any other child involved in an altercation or disciplinary process.
There may be conflicting requirements that mean you should not release some personal data; for example, it may not be in the individual’s best interest to release sensitive safeguarding information.
In the case of such conflicting requirements, you should undertake a “balancing assessment” to identify the extent of personal information that you should collate and share with the requestor.
To limit your work in collecting and preparing the information, it is always best to verify the requestor’s identity, confirm their right to the information and identify any exemptions from the outset. You can then acknowledge and reply to the requestor upfront, explaining what information you are and are not able to provide.
If there are any doubts, an experienced Data Protection Officer (DPO) can provide advice and guidance. Experienced DPOs will understand your organisation and how to apply the legislation in a practical way, which can save considerable time and resources.
Collate and review records
Once you’ve acknowledged the DSAR and identified the required information, the next step is to collate and review it.
The GDPR requires you to respond to DSARs within one calendar month of verifying the requestor’s identity. This can be an arduous task, especially since records can be held in both paper and electronic formats. Also, don’t forget information held by third-party data processors in your data processing chain.
In all cases, the best systems are those that store data centrally, are searchable and enable easy access and recall. Holding information in multiple physical locations, or as paper records, can greatly increase the amount of work required.
Complex DSARs can be extended to three calendar months, provided you advise the requestor of the reasons for extending the timescale before the initial month expires.
Review the response and implement any redactions
Before sharing any information with the requestor, you must review the response and ensure the information is complete and comprehensive. Then, it’s important to check for any personal data that could potentially identify another individual, as this will need redacting.
Redacting is a process that involves obscuring or removing any data within the documents or records that could identify another individual. For paper records, you can use a black redacting pen.
It’s best to nominate a specific person or department for redacting information, as this is a specialist task. It’s also generally a good idea for the review to be conducted by someone other than the person who compiled the information.
Share the response with the requestor
The final step is to share the response with the requestor, and ensure that you reference the original request in your response.
Always keep an exact copy of the information sent, as well as a record of your response in your DSAR log.
Summary
The number of DSARs continues to increase as individuals better understand and exercise their rights under data protection laws. Handling these requests efficiently is crucial for compliance and to uphold data subjects’ rights, and the first step in a robust process is to understand what a DSAR is and know what needs to be completed. The process needn’t be a painful one – for you or the requestor – as long as you know how to handle requests in the best way possible.