Subject access requests and what you need to know

A DSAR (data subject access request) is a request made by an individual exercising their right of access under the Data Protection Act 2018 to obtain a copy of the personal data that an organisation holds about them.  As well as a copy of that data, the individual can ask for:

  • Why the data is being processed;
  • What type of data it is;
  • The recipients of that data;
  • How long it is stored;
  • How the data has been collected; and
  • What safeguards are in place to protect the data.

Under the legislation, organisations must provide the requested information without undue delay and within one month of receiving the request.  Where requests are complex or numerous, organisations are permitted to extend the deadline by a further two months (three months in total); however, they must still write to the individual within the first month to explain that an extension is needed and why.

Things to consider as an organisation

The changes brought in by the General Data Protection Regulation (GDPR) to DSARs mean that organisations have to provide more information and respond more quickly than before. So what can organisations do?  As with anything, preparation is the key.  So …

1. Put in place a process

The act of documenting how you would deal with a DSAR will force an organisation to think about the steps that need to be taken, by whom and how.  As part of this process, put together templates that can be used at the various stages (acknowledging the request, verifying the requester's identity, asking for clarification, and sending the response).  This will speed up the process, save effort and allow for effective delegation.

2. Cleanse, Cleanse, Cleanse

The more data you hold, the more of a nightmare it will be when you receive a DSAR.  A common example of this, which is becoming increasingly frequent, is the receipt of an employee DSAR.  Such a request often arises in the context of an employment dispute, when an ex-employee goes on a fishing expedition, trying to find supporting evidence for their claim in the organisation's data.  Such a request will often seek access to personal data within emails between third parties, namely other employees and managers.  In such circumstances, organisations will often be left with no option but to conduct keyword searches across the firm's email.  This will undoubtedly throw up thousands upon thousands of emails which will need to be sifted through, one by one, to work out whether they contain the requester's personal data.

The easiest solution is therefore to cleanse the data you hold on a regular basis, and only hold what is absolutely necessary, for sensible periods of time.  Put in place data retention policies and adhere to them.

3. Once you receive a request what should you do?

In most cases you cannot charge a fee to comply with a subject access request. However, you can charge a “reasonable fee” for the administrative costs of complying with the request if:

  • it is manifestly unfounded or excessive; or
  • an individual requests further copies of their data following a request.

You should base the reasonable fee on the administrative costs of complying with the request.

If you decide to charge a fee you should contact the individual promptly and inform them. You do not need to comply with the request until you have received the fee.

Alternatively, you can refuse to comply with a manifestly unfounded or excessive request.

4. Can we clarify the request?

If you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request. However, this does not affect the timescale for responding: you must still respond to their request within one month. You may be able to extend the time limit by a further two months if the request is complex or the individual has made a number of requests.

5. What should we do if the data includes information about other people?

Responding to a subject access request may involve providing information that relates both to the individual making the request and to another individual.

The DPA 2018 says that you do not have to comply with the request if it would mean disclosing information about another individual who can be identified from that information, except if:

  • the other individual has consented to the disclosure; or
  • it is reasonable to comply with the request without that individual’s consent.

In determining whether it is reasonable to disclose the information, you must take into account all of the relevant circumstances, including:

  • the type of information that you would disclose;
  • any duty of confidentiality you owe to the other individual;
  • any steps you have taken to seek consent from the other individual;
  • whether the other individual is capable of giving consent; and
  • any express refusal of consent by the other individual.

6. Can we refuse to comply with a request?

If an exemption applies, you can refuse to comply with a subject access request (wholly or partly). Not all of the exemptions apply in the same way, and you should look at each exemption carefully to see how it applies to a particular request.

7. What should we do if we refuse to comply with a request?

You must inform the individual without undue delay and within one month of receipt of the request.

You should inform the individual about:

  • the reasons you are not taking action;
  • their right to make a complaint to the ICO or another supervisory authority; and
  • their ability to seek to enforce this right through a judicial remedy.

You should also provide this information if you request a reasonable fee or need additional information to identify the individual.

If you need help and advice on this topic, please do not hesitate to contact us on 0113 350 4030 or at hello@scesolicitors.co.uk.

If you have enjoyed this article and would like to be kept updated on HR and Employment Law issues please subscribe to our monthly newsletter.

SCE Solicitors is a boutique employment law and litigation practice based in Leeds which advises clients nationwide. Please note that the information in this blog is to provide information of general interest in a summary manner and should not be construed as individual legal advice. Readers should consult with SCE Solicitors or other professional counsel before acting on the information contained here.