This informal CPD article, "Help! I have a Data Subject Access Request", was provided by Essex County Council, a county council that governs the non-metropolitan county of Essex in England.
Data Subject Access Requests are often referred to as SARs or DSARs, and there has been a steady increase in these requests since the introduction of the General Data Protection Regulations in 2018. It is believed this is due to individuals' increased awareness of their data protection rights, which can only be a good thing.
Data Subject Access Request
The right of access under the UK GDPR, applied by the Data Protection Act 2018, is designed to help individuals understand how and why an organisation is using their personal data and to check that it is doing so lawfully. This isn't too challenging for some organisations; however, for large organisations, especially those in the public sector, it can involve collating and preparing thousands of documents for each request.
When making a DSAR, individuals have a right to obtain the following information:
- confirmation that you are processing their personal data
- a copy of their personal data
- other supplementary information:
  - your purposes for processing
  - categories of personal data being processed
  - recipients/categories of recipient you have or will be disclosing the personal data to
  - recipients outside the UK
  - how long you will retain the personal data
  - the individual's right to request rectification, erasure, restriction or to object to processing
  - the individual's right to lodge a complaint with the Information Commissioner's Office (ICO)
  - information about the source of the data, if you did not obtain it directly from them
  - whether you use automated decision-making (including profiling), the logic involved, and potential consequences for the individual
  - the safeguards you have provided where personal data has or will be transferred outside the UK.
Most of the supplementary information should be available in your privacy notices, so this element should be fairly easy to manage. It is the collation of the personal data itself which can be more problematic, especially where requests include communications such as emails.
The right of access
The right of access only applies to the individual's own personal data, unless someone is making the request on behalf of someone else, for example a solicitor, family member, friend or other legal representative. Guidance is provided by the ICO to assist organisations to comply with the law.
There are exemptions which allow you to withhold information from your disclosure. These exemptions can be found at Schedule 2 of the Data Protection Act 2018. You should read the exemption carefully to ensure that it is applicable to the data you wish to withhold and is therefore engaged.
Any disclosure must be provided within one month, or three months if the request is particularly complex or multiple requests from the same person are received. Disclosure must be in a concise, transparent, intelligible and easily accessible form, using clear and plain language. If the requester submitted their request electronically, you should make disclosure in the same way, ensuring adequate security is applied. Subject Access can be a very complex area of work.