Data Subject Access Requests (DSARs) present numerous obstacles for organisations, and internal teams are frequently overwhelmed by the sheer volume of requests. A more complex DSAR can also involve far more than simply retrieving personal information.

In this article, a group of data protection experts outline five crucial steps for processing DSARs, including a discussion of potential complications to avoid, particularly at the outset of the procedure, as well as guidance on identifying exemptions.

Processing and responding to a data subject access request can be categorised into the following five areas:

  • Recognise and record 
  • Acknowledge receipt
  • Collate the data
  • Review and redact
  • Share response

Let’s examine each of these stages in greater depth, individually.

Acquiring and identifying DSARs

What is a Data Subject Access Request?

A Data Subject Access Request (DSAR) is a formal request made by an individual (the data subject) to an organisation (the data controller) for access to the personal data that the organisation holds about them.

A DSAR does not need to follow a particular format; valid requests may be made via social media posts, letters, emails, online chats, or even verbally. Nor does a DSAR have to mention the Data Protection Act (DPA) 2018 or the UK General Data Protection Regulation (UK GDPR) to be valid.

The requester does not have to explain why they want the information, and you cannot make your response conditional on a reason, so do not ask for one. It is essential that your personnel can recognise a DSAR, whatever channel it arrives through, and know what to do next.

How long have you got to respond?

A response to a DSAR is due within one calendar month of receipt; that period can only be extended where the request is complex or the individual has made several requests. It is best to designate a specific individual or team to receive DSARs; doing so prevents requests being lost in shared inboxes and speeds up handling.

Document every DSAR in a dedicated log, recording the date and channel of receipt, what was requested, the response deadline, and every action taken. You may seek guidance from your Data Protection Officer (DPO) or from the Information Commissioner’s Office (ICO), the UK regulator.

Acknowledge Receipt, Explain Next Steps

A considerable number of DSARs are relatively simple to manage; however, some may be used to make vexatious requests or to extract data that the requestor is not entitled to.

Before devoting a substantial amount of time and effort to record collection, remember to always: 

Verify the identity of the requestor

Particularly when the request is not made in person, you must confirm that the person making it is who they claim to be. Disclosing personal data to the wrong person is itself a personal data breach, and one that can compound whatever dispute prompted the request.

Ask for identity evidence only where you have reasonable doubt, and ask for no more than you need: a request sent from the email address you already hold for a customer may need no further proof, whereas a request arriving through an unfamiliar channel may warrant a photo ID such as a passport or driving licence, a utility bill or, in some cases, an in-person meeting. Store any identity documents you receive only for as long as verification requires.

Make sure the requestor has the right to the information

DSARs are usually made by the person whose personal data is held. However, a third party can request personal data on an individual’s behalf. Examples include those with parental responsibility for a child, a person holding the individual’s written consent, and someone acting under a power of attorney.

Verify that the person making the request has lawful authority to obtain another individual’s personal data. Inappropriate requests can and do happen. Schools have reported requests from step-parents or estranged parents who do not hold parental responsibility for the pupil. In a similar vein, dissatisfied clients have asked about the backgrounds of other clients or staff members, and prospective employers have requested personal references from a former employer without the applicant’s consent.

In such situations, the appropriate response is to state that information cannot be provided in the absence of the specific authority of the individual.

Requests from the police for information about a person in the course of an investigation are often logged alongside DSARs, but they are not subject access requests: the individual is not asking for their own data. Any disclosure is at your discretion under the crime and taxation exemption in Schedule 2 of the DPA 2018, so insist on a written request that states the legal basis and why the data is needed, and disclose only what that purpose requires. Verify the requesting officer by calling the force’s switchboard on a number you look up independently, never one supplied in the request itself.

Determine Exemptions

DSARs relate exclusively to the requester’s own personal data. They are not a route to discovering other information about an organisation, extracting legally privileged material, or identifying other people.

To return to the example of schools, a parent may lawfully request information regarding their child’s performance or the rationale behind certain school decisions using a DSAR; however, it is not possible to use the DSAR to identify other students or to request information about other students involved in an altercation or disciplinary process.

There may also be conflicting obligations that prevent disclosure of certain personal data, for instance where releasing sensitive safeguarding information would not be in the individual’s best interests.

Where a record contains information about other people, carry out a balancing test to decide whether it is reasonable to disclose it without their consent, and so how much of the information should be compiled and released to the requester.

To avoid wasted effort in gathering and organising information, verify the requester’s identity, determine their entitlement to the information, and identify any exemptions before you start collating. You can then write to the requester early, acknowledging the request and explaining what you can and cannot provide.

In the event of any uncertainties, guidance and direction of a seasoned Data Protection Officer (DPO) can be sought. DPOs with extensive experience will have a practical understanding of your organisation and how to implement the law, which can result in significant time and resource savings.

Compile and examine records

After the necessary information has been identified and the DSAR has been acknowledged, it is then necessary to compile and examine the data.

Under the UK GDPR you must respond within one calendar month of receiving the request or, if you reasonably needed to ask for proof of identity, of receiving that proof. Collation can be laborious, particularly where records exist in both physical and digital formats. Do not overlook personal data held by the third-party processors in your supply chain: it is still your data, and your processor contracts should oblige them to assist with access requests.

The most effective systems are always those that centrally store data, facilitate simple access and recall, and are searchable. Information stored in paper records or in multiple physical locations can significantly increase the amount of effort required to complete a task.

Where a request is complex, or the individual has made several, the deadline may be extended by up to two further months, provided you tell the requester before the initial month expires that you are extending and why.
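As an added example (not part of the original article), the following Python turns the deadline rules above into a small DSAR log record: day 0 is the day the request, or the identity evidence you asked for, arrives; the deadline is the corresponding date one month later, or the last day of that month when no such date exists; a deadline on a weekend or bank holiday rolls to the next working day; and the two-month extension is refused once the first month has passed. The bank-holiday dates are a constructed sample, and the rules follow the ICO’s published method for counting calendar months, which is an assumption you should check against current guidance.

```python
"""DSAR deadline calculator and log record (added example, not from the article)."""
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import FrozenSet, List, Optional

# Constructed sample: two English bank holidays. A real log would load the
# official bank-holiday feed for the year in question.
SAMPLE_HOLIDAYS: FrozenSet[date] = frozenset({date(2024, 12, 25), date(2024, 12, 26)})


def parse_day(text: str) -> date:
    """Parse an ISO date as it would appear in the log, e.g. "2024-01-31"."""
    return date.fromisoformat(text)


def add_months(start: date, months: int) -> date:
    """Corresponding calendar date `months` ahead; if that month is shorter,
    fall back to its last day (e.g. 31 January + 1 month -> 29 February 2024)."""
    year_offset, month_index = divmod(start.month - 1 + months, 12)
    year, month = start.year + year_offset, month_index + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(day: date, holidays: FrozenSet[date] = frozenset()) -> date:
    """Roll forward over Saturdays, Sundays and listed holidays."""
    while day.weekday() >= 5 or day in holidays:
        day += timedelta(days=1)
    return day


def response_deadline(clock_start: date, months: int = 1,
                      holidays: FrozenSet[date] = frozenset()) -> date:
    """Deadline `months` calendar months after clock_start, adjusted to a working day.
    clock_start itself may be a weekend: the clock starts on the day of receipt."""
    return next_working_day(add_months(clock_start, months), holidays)


@dataclass
class DsarRecord:
    """One row of the DSAR log."""
    ref: str
    received: date
    channel: str                                 # "email", "letter", "social media", ...
    identity_verified: Optional[date] = None     # day the requested ID evidence arrived
    extended: bool = False
    actions: List[str] = field(default_factory=list)

    def clock_start(self) -> date:
        # If proof of identity was reasonably required, day 0 is when it arrived.
        return self.identity_verified or self.received

    def deadline(self, holidays: FrozenSet[date] = frozenset()) -> date:
        return response_deadline(self.clock_start(), 3 if self.extended else 1, holidays)

    def extend(self, today: date, reason: str,
               holidays: FrozenSet[date] = frozenset()) -> date:
        """Apply the two further months; only valid before the original deadline."""
        if today > response_deadline(self.clock_start(), 1, holidays):
            raise ValueError(f"{self.ref}: extension must be notified before the original deadline")
        self.extended = True
        self.actions.append(f"{today.isoformat()}: extended by two months ({reason})")
        return self.deadline(holidays)


if __name__ == "__main__":
    rec = DsarRecord("DSAR-0001", parse_day("2024-01-31"), "email")
    print(rec.ref, "due", rec.deadline())
    print(rec.ref, "extended to", rec.extend(parse_day("2024-02-14"), "large volume of records"))
```

The log entry deliberately keeps `received` and `identity_verified` as separate dates so an auditor can see both when the request arrived and why the clock started later; if you never needed identity evidence, leave the second field empty and the original receipt date governs.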

Evaluate the reply and incorporate any necessary redactions

Before sharing anything with the requester, review the response and ensure it is complete. Then examine the source material thoroughly for any personal data that could identify another individual, as this will need to be redacted.

Redaction means obscuring or removing any data within the documents or records that could identify another individual. For paper records a black redacting pen is sufficient, provided the copy you send is a photocopy of the redacted page rather than the original. For electronic records, remove the text itself rather than drawing a box over it: a black rectangle laid over a PDF or an image layer leaves the underlying text extractable, and document metadata, comments and revision history may still carry the names you have removed. Export a flattened copy and confirm that the redacted data cannot be recovered by searching or copying the text.

Redaction is a specialised task, best assigned to a particular individual or team. The review should also be carried out by someone other than the person who assembled the data, so that a second pair of eyes checks the redactions before anything leaves the organisation.

Provide the requestor with the response

The final step is to share the response with the requestor, and ensure that you reference the original request in your response.

It is of the utmost importance that you keep an exact duplicate of the data sent, as well as a record of your response in your DSAR log.

Summary

As individuals gain greater knowledge of and actively exercise their rights under data protection laws, the volume of DSARs continues to rise. Effectively managing these requests is of utmost importance to ensure compliance and safeguard the rights of data subjects. Establishing a reliable procedure starts with a thorough understanding of a DSAR and its associated obligations. The process needn’t be a painful one – for you or the requestor – as long as you are aware of how to handle them in the best way possible.
