What is a Data Subject Access Request & How Long Do You Have to Respond?
In this day and age, data is everything. Most organisations need to store (‘process’) customer, employee, and client personal data for a variety of legitimate reasons.
Whilst it’s an essential and almost inescapable aspect of business, people (or “Data Subjects”) have a right to know what data a company holds on them and how it is being used. After all, it’s their personal data!
That’s where the General Data Protection Regulation (GDPR) comes in. Within this regulation for protecting data, there is the Right of Access.
The Right of Access ensures individuals can stay in control of their data by allowing them to request visibility as to what personal data is stored (being ‘processed’) by organisations and how it is being used by them. This request is called a Data Subject Access Request.
In this article you will learn:
- What a Data Subject Access Request is
- How to identify one
- Whose job it is to receive, log and process a Data Subject Access Request
- What information can someone request as part of a DSAR
- What information does not fall within the scope of a DSAR
- How long you have to reply to a DSAR
- What happens if you don’t reply to a DSAR within the required timeframe
- What information should be included within a DSAR
- What format a reply to a DSAR should take
- How to identify what content you hold on a Data Subject
- Rules relating to what you can charge for a DSAR
- Whether a DSAR can be submitted on behalf of other individuals
- Whether an organisation can refuse a DSAR request
- Where to go if you need help replying to a DSAR
… and more!
A Data Subject Access Request (DSAR), also known as a Subject Access Request (SAR), is a request by an individual for personal information held by an organisation, which will be either a Data Processor or Data Controller.
Due to the ‘Right of Access’, individuals have the right to obtain a copy of their personal data and other supplementary information. Its intended purpose is to help individuals to understand how and why an organisation is using their data, and to check that they are doing it lawfully.
There aren’t many rules about how an individual has to submit a Data Subject Access Request. A DSAR can be made verbally or in writing, and this doesn’t necessarily have to be through the formal channels. It can even be made through social media.
Essentially, a DSAR is valid if it is clear that the individual is asking for their own personal data - they don’t have to state specifically that it is a Data Subject Access Request. There is no specific format or wording that they need to use, no specific reference to legislation required, and no specific contact they need to direct it to.
Because of this, a DSAR can come in a range of forms, so it’s important that an organisation’s staff receive training on how to identify and handle a Data Subject Access Request. This doesn’t just apply to the person in charge of processing the request, for example the Data Protection Officer (DPO). All staff need to know how to spot a DSAR so that they can direct it to the relevant department.
The UK GDPR requires organisations to appoint a DPO if they are a public authority or body, or if they carry out certain types of processing activities. DPOs have overall responsibility for data protection in their organisation.
For organisations for whom it isn’t mandatory to appoint a DPO, it’s still a good idea to have someone identified in the business whose responsibility it is to deal with data protection issues, including Data Subject Access Requests.
Whilst whoever is in charge of handling a DSAR might not be the one physically searching through the data to find the desired information, they will be overseeing the process to ensure that it is being completed in line with the GDPR’s requirements.
It is important for DPOs and those who deal with DSARs to be well trained in all aspects of data protection, as falling foul of the GDPR can have negative consequences for organisations.
In a DSAR, an individual is entitled to:
- Confirmation that the organisation is processing their personal data
- A copy of their personal data
- Other supplementary information
They can request all of the personal data that the organisation has on them, or a specific piece of information.
The personal data stored by organisations could include:
- Date of birth
- Employment history
They are only entitled to their own personal data, not the personal data of another individual (with a few exceptions which we’ll cover later).
As well as other people’s personal data, there is a range of information that individuals cannot receive in response to a DSAR. These exemptions include data on:
- Crime and taxation
- Legal professional privilege
- Functions designed to protect the public
- Regulatory functions relating to legal services, the health service and children’s services
- Other regulatory functions
- Judicial appointments, independence and proceedings
- Journalism, academia, art and literature
- Research and statistics
- Archiving in the public interest
- Health, education and social work data
- Child abuse data
- Management information
- Negotiations with the requester
- Confidential references
- Exam scripts and exam marks
- Information on a mobile device not owned or paid for by the organisation in receipt of the DSAR e.g. texts by an employee about the individual
For more information about how these exemptions work in practice and further exemptions, read the ICO’s detailed guidance.
According to the Information Commissioner's Office (ICO), the organisation responsible for implementing the GDPR and upholding information rights in the UK,
“You should respond [to a DSAR] without delay and within one month of receipt of the request”.
However, in some circumstances an organisation may require longer to process the request. If the DSAR is complex, or multiple requests are received from the same individual, the organisation is allowed to extend this time limit by a further two months. In this case, it must clearly explain why the extension is needed and inform the requester about the extension within one month of the submission of the DSAR.
If an organisation doesn’t respond to a DSAR within the required timeframe, the requester may report this to the ICO. In some cases, particularly if they have received a number of complaints against the same organisation, the ICO may take action.
This action could take the form of an:
- Enforcement Notice
- Penalty Notice
Furthermore, the requester may apply for a court order requiring the organisation to comply with the request or seeking compensation if they feel they have suffered damage or distress because their data protection rights have been infringed.
Whether seeking a court order or compensation, it is up to the court to decide the outcome for each particular case. However, the individual may seek to settle the claim with the organisation before starting court proceedings.
The organisation will not be liable to pay compensation if they can prove that they are not responsible in any way for the event that led to the damage or distress.
In response to a DSAR, as well as a copy of the requested personal data (or all of the personal data held on the individual), organisations should also provide a range of information about how their data was/is used. This includes:
- Why the data was collected
- How the data was processed
- Who their personal data has been shared with
- How long the data has been held
- How much longer the organisation intends to keep the data
- If the data was used to make an automated decision about the individual
- If the data has been used to create some sort of profile about the individual
There are specific rules around how an organisation must deliver their response to a DSAR.
Written Electronic Submission Of DSAR
If the individual submitted the DSAR electronically (e.g. by email or social media), then the organisation must provide a copy of the requested information in a commonly used electronic format. The organisation may choose the format, unless the individual makes a reasonable request for it to be in a certain format (electronic or otherwise).
Verbal or Non-electronic Submission Of DSAR
If the individual submitted the DSAR by other means (e.g. verbally or by physical letter), the organisation can provide a copy of the requested information in any commonly used format (electronic or otherwise), unless the individual makes a reasonable request for it to be in a certain format. If the information is of a sensitive nature, the organisation should make sure that the response is delivered to the requester securely.
Ultimately, it is the responsibility of the organisation to provide the information to the individual. The individual should not have to take any action to receive the information (e.g. by physically collecting it themselves from the organisation), unless they agree to do so.
It is important to be prepared for a DSAR, even for organisations who don’t receive them often. Training and a good data management system will not only make it easier and quicker to identify what content is held on an individual, but it will also increase confidence in an organisation’s data handling practices.
A DSAR can relate to personal data stored both digitally and physically (e.g. paper files), so it is important that all filing and management systems are organised.
What If The Data Is Hard To Find?
Organisations should make a ‘reasonable’ effort to find and retrieve the requested information. However, they are not required to carry out searches that are unreasonable or disproportionate to the importance of providing access to the information.
Organisations must therefore determine whether a search is in fact unreasonable or disproportionate. To do this they must consider:
- The circumstances of the request
- Any difficulties involved in finding the information
- The fundamental nature of the Right of Access
In order to argue that they are not required to fulfil a DSAR, the burden of proof is on the organisation to be able to justify why a search is unreasonable or disproportionate. The individual can dispute this decision and report it to the ICO if they feel the organisation is wrong.
In the majority of cases, organisations are not allowed to charge a fee when delivering the data requested in a DSAR. After all, it’s the individual’s own information.
However, organisations can charge a ‘reasonable fee’ for the administrative costs involved if the request is unfounded or excessive, or if the individual requests further copies of the same information. This does not mean an organisation can charge for future requests from the same individual for different information.
Can An Organisation Request A User To Provide ID?
Yes, an organisation can ask a requester to provide ID. It needs to be satisfied that it knows the identity of the requester (or of the person the request is made on behalf of - more on that later); otherwise it could be giving away someone else’s personal information.
The timeframe for responding to a DSAR doesn’t start until the identification has been received by the organisation. However, it is expected that the ID documents are requested promptly by the organisation.
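The timing rules above (respond within one month of receipt, the clock not starting until any requested ID has arrived, and a further two months only if the requester is told about the extension within one month) can be tracked with a small helper. The following is an added example and is not part of the original article or any ICO tool; the `DsarTimeline` class, the `add_months` helper and its end-of-month clamping rule are assumptions of this example, and the extension-notice window is measured from the same clock start as the response deadline, which is also an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
import calendar


def add_months(d: date, months: int) -> date:
    """Add whole calendar months to a date.

    Assumption (not stated on the page): a 'month' is a calendar month, and if
    the target month has no such day (e.g. 31 January + 1 month) the result is
    clamped to the last day of that month.
    """
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class DsarTimeline:
    """Deadline tracker for one DSAR (hypothetical helper, not an ICO tool)."""
    received: date                              # date the request was received
    id_received: Optional[date] = None          # date requested ID documents arrived
    extension_notified: Optional[date] = None   # date the requester was told of an extension

    def clock_start(self) -> date:
        # The clock does not start until the organisation has received the ID
        # it asked for; if no ID was requested it starts on receipt of the request.
        return self.id_received or self.received

    def standard_deadline(self) -> date:
        # Respond without delay and within one month of the clock start.
        return add_months(self.clock_start(), 1)

    def extension_valid(self) -> bool:
        # An extension only counts if the requester was informed within one
        # month (measured here from the clock start: an assumption).
        return (self.extension_notified is not None
                and self.extension_notified <= self.standard_deadline())

    def final_deadline(self) -> date:
        # A validly notified extension adds a further two months;
        # a late notification does not extend anything.
        base = self.standard_deadline()
        return add_months(base, 2) if self.extension_valid() else base

    def days_remaining(self, today: date) -> int:
        # Negative means the organisation is already late.
        return (self.final_deadline() - today).days


if __name__ == "__main__":
    # Constructed sample: request on 31 Jan 2024, ID arrives 10 Feb,
    # extension notified in time on 5 Mar.
    t = DsarTimeline(date(2024, 1, 31), date(2024, 2, 10), date(2024, 3, 5))
    print("clock starts:", t.clock_start())
    print("standard deadline:", t.standard_deadline())
    print("final deadline:", t.final_deadline())
    print("days remaining on 1 Mar:", t.days_remaining(date(2024, 3, 1)))
```

A request received on 31 January with no ID check gets a standard deadline of 29 February 2024 under the clamping assumption; once ID is requested and arrives on 10 February, the deadline moves to 10 March, and an extension notified on 15 March (after that deadline) is treated as invalid and does not push the final date out.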
Who Can Submit A Data Subject Access Request?
Anyone can submit a DSAR to an organisation.
This includes overseas individuals and non-UK citizens, as long as the DSAR is relating to personal data processed in the UK.
Even children can submit a Data Subject Access Request, as there aren’t any age requirements attached to the Right of Access. However, while individuals of any age can submit a DSAR, in the UK, 12 years old is typically the age at which young people are considered to be able to exercise their own legal rights. Therefore, should a person under 12 years of age make a DSAR, the organisation may need to ensure that the individual understands what they are doing. However, this should not be a barrier to supplying them with their information. Furthermore, if it is accepted that the child understands their rights, then the organisation should respond directly to the child (as opposed to a parent or guardian).
What If A DSAR Response Involves Information About Other People?
Personal data may relate to more than one person. When responding to a DSAR, the information sent to the requester could include another person’s personal information. This could potentially breach the GDPR.
For example, an employee may make a request to their employer for a copy of their human resources file. This file may include information about managers and other employees who have contributed to this file. By giving the requester the whole file, the employer is potentially breaching the other individuals’ rights in respect of their own personal data.
In these circumstances, organisations should consider whether it is possible to comply with the request whilst also withholding information that identifies other individuals. In the above example, this could be done by redacting any information about, or identifying, the managers and other employees.
If this is not possible, for example, if the redacted information would also redact parts of the requested information, then the organisation does not have to comply fully with the request (although the organisation still has to send what information they can).
This is unless:
- The other individual(s) involved give their consent to the disclosure of their personal data, or
- It is reasonable to comply with the request without the other individual’s consent.
Is The Organisation Obligated To Seek Consent?
It is not the organisation’s responsibility to seek consent from the other individuals. This is because, in some cases, it may not be appropriate for the organisation to do so. For example:
- The organisation may not have the contact details for the other individuals
- It could potentially disclose personal information about the requester to the other individuals that they weren’t previously aware of
- It may not be appropriate for the other individuals to be made aware that the requester has submitted a DSAR
When Is It Reasonable To Comply Without Their Consent?
Sometimes it may be difficult to get the other individual’s consent. For example, they may refuse or be difficult to locate, such as in the case of a deceased or ex-employee.
In these circumstances, it is up to the organisation to decide whether it is reasonable to disclose the information about the other individual anyway, without the consent of the other individuals involved.
To help with this decision, the Data Protection Act 2018 (DPA) says that organisations must take into account all the relevant circumstances, including:
- The type of information that would be disclosed
- Any duty of confidentiality owed to the other individual
- Any steps taken by the organisation to try to get the other individual’s consent
- Whether the other individual is capable of giving consent
- Any stated refusal of consent by the other individual
- The context of the information
Organisations must respond to the original requester whether or not they decide to disclose information about the other individual. They are still obliged to provide as much of the requested information as possible without disclosing the other individual’s identity, which may mean providing edited or ‘redacted’ information with the identifiers of the other individual removed.
Even if the organisation feels they can’t respond with any information without identifying the other individual, they must still inform the requester about their decision not to comply with the request.
Organisations must also be able to justify their decision to disclose or withhold information about other individuals, so should keep a record of their decision and why they made it.
There are a number of scenarios where it is appropriate for someone to submit a DSAR on someone else’s behalf. This includes:
- Where the individual has given their consent
- Where the individual has granted someone else power of attorney
- Where parents are acting on behalf of their children
The Individual Has Given Their Consent
An individual may request someone else (a third party) make a DSAR on their behalf (e.g. a relative, friend, solicitor).
Before providing the personal information to this third party, it is important that the organisation is sure that the individual making the request is entitled to act on behalf of the individual whose personal data it is.
It is the third party’s responsibility to provide evidence of their authority e.g. a written authority, signed by the individual, stating that they give the third party permission to make a DSAR on their behalf.
The Individual Has Given Someone Power Of Attorney
There are other scenarios where a third party is able to submit a DSAR on someone else’s behalf such as power of attorney.
Whilst the attorney's* particular powers and situation determine whether they can submit a Data Subject Access Request, it is reasonable to assume that an attorney with authority to manage the property and affairs of an individual has the appropriate authority to make a DSAR on their behalf.
(*This doesn’t necessarily mean attorney in the sense of a solicitor, etc. It’s a term used to define an appointed individual).
An example of this would be where an individual does not have the mental capacity to manage their own affairs, and would therefore likely have someone with power of attorney to manage their affairs. Again, it is reasonable to assume that this attorney is able to submit a DSAR on their behalf.
Parents Are Acting On Behalf Of Their Children
As stated above, children can submit their own Data Subject Access Requests.
However, parents or guardians are able to exercise this right on their behalf. If the child is 12 years old or over, the organisation should check whether the child authorises the disclosure of their personal data to their parent or guardian. Conversely, the child may authorise someone else, other than a parent or guardian, to make a DSAR on their behalf.
In some cases, an organisation can refuse a DSAR.
This includes when a Data Subject Access Request is:
- Manifestly unfounded
- Manifestly excessive
What Does ‘Manifestly Unfounded’ Mean?
A request would be considered to be manifestly unfounded if:
- The requester has no intention of exercising their Right of Access e.g. if an individual makes a request, but then withdraws it in return for some sort of benefit from the organisation
- The request is malicious in some way e.g. being used to harass the organisation or its employees, or its intent is to cause disruption
Unfortunately, this is often not straightforward. Even when a requester seems to be malicious or difficult, if they ultimately want to exercise their Right of Access, the request is unlikely to be manifestly unfounded and should be responded to. For example, while aggressive and abusive language is not acceptable, its use may not necessarily qualify a request as manifestly unfounded.
What Does ‘Manifestly Excessive’ Mean?
A request would be considered manifestly excessive if it is deemed unreasonable and disproportionate to the effort and costs involved in dealing with the request.
The organisation must consider the circumstances of the request to determine whether it is manifestly excessive, including:
- The nature of the requested information
- The relationship between the organisation and the individual
- Whether a refusal to provide the information or even acknowledge if the organisation holds it may cause substantial damage to the individual
- The resources available to the organisation
- Whether the request largely repeats previous requests from the same individual and whether a reasonable amount of time has elapsed or not
If an organisation refuses to comply with a DSAR, they must inform the individual:
- Why they are refusing the request
- Of the individual’s right to make a complaint to the ICO
- Of the individual’s ability to seek to enforce their Right of Access through the courts
Ensuring your organisation is correctly set up to process DSARs smoothly is crucial to ensuring compliance and minimising the impact on your organisation.
Thankfully, Databasix offers a range of related services designed to help you address different aspects including:
- Training on handling Data Subject Access Requests, providing essential information and taught by experts
- A rapid response service to provide you with urgent DSAR support
- Training for DPOs
- GDPR & data protection consultancy services to provide proactive help and guidance in all aspects of GDPR and data management
Click on the links above to learn more or contact us for a friendly, no obligation chat.