
Data Subject Access Requests (DSAR) and Data Security

3/31/2025

In all aspects of our lives there are things that fill us with dread. For a manager or member of your HR team this could be a DSAR. Our advice would be to put in place some best practices on how to handle a subject access request. The worst thing to do is just hope that you’ll never receive one!

What is a DSAR?

This is a request from someone asking to receive a copy of the personal data your organisation may hold on them. They may also ask for an explanation of how this data is being used, who it will be disclosed to and how long it will be retained for.

It can be requested in writing, verbally and even via social media. Unfortunately, the GDPR does not specify who an individual should address their request to, so it pays to be vigilant!

This access to personal data is not new, but changes to how such requests are to be treated came into force under Article 15 of the GDPR in May 2018. These changes are:

  • a DSAR must be actioned within one calendar month, so it pays to act quickly. If the request is deemed excessive, an organisation can inform the individual (within a month) that it will take longer to investigate. An organisation can extend the time by an extra 2 months.

  • an individual cannot be charged for this request unless it is deemed excessive; in this case an organisation can charge a ‘reasonable fee’ to cover administration costs.

Be cautious when reviewing data requests

A person can only ask for their own personal data, so it is crucial that they prove that they are who they say they are. The only exception is when an authorised agent, parent or guardian makes a request on behalf of someone and has authority to request the data.

Always:

  • request ID if the person is not an employee or ex-employee.

  • ask what their relationship is with your organisation.

  • if the request is from an agency, parent or guardian, ask for proof of their relationship/authority to make the request.

Your initial response to a DSAR

Before fulfilling the request, ensure the data subject has provided all the information you require, such as:

  • what specific data they want

  • if relevant, whether they want to see CCTV images of themselves

  • whether they want it in writing or in electronic form

A quick and efficient DSAR process

Gathering information for a DSAR can be very time consuming, so it makes sense to have a process in place.

  • Having a computerised HR system will give you quick and easy access to the information you hold on your employees. Our Online HR Systems are simple to use and will provide you with direct record access and reports in no time.

  • Nominate the person(s) who will deal with these requests and ensure they understand GDPR and DSARs.

Be mindful that any paperwork and emails concerning the individual must be investigated too.

Reviewing data for DSARs

Once you have gathered the information, it must be checked before submitting to the individual, agency, parent or guardian, as it may contain data on another subject. If the data relates to another individual, you will have to seek their permission to disclose the information.

If it is not possible to gain the consent of the third party, then it may still be possible to provide some information, having edited or ‘redacted’ information that would identify the third party. Redaction can also be used to remove information which is out of scope of the subject access request because it is not the applicant’s personal data.

The formal response to a DSAR

The data provided to an individual must not contain jargon, codes or terms that someone outside of your organisation would not understand. Be sure to use a traceable delivery system when sending the data.

Always keep a copy of your response.

Can you say no to a subject access request?

Yes, you can. You do not have to fulfil the request if:

  • it will take up too much time and/or cost too much to investigate.

  • it is vexatious.

  • it repeats a previous request from the same individual.

  • the information is already in the public domain and accessible by other means (if this is the case, your organisation must tell the requester where they can find the information).

If, for good reason, your organisation refuses all or part of the request, you must send the requester a written refusal notice.

The Freedom of Information Act

This Act details exemptions allowing your organisation to withhold information from a requester. In some instances, your organisation will be allowed to refuse to confirm or deny if you hold the information requested. You can withhold information:

  • on government policy

  • if it would cause harm

  • if it is contrary to the GDPR or Data Protection Act 2018

Protecting your organisation from receiving DSARs

If you do receive a DSAR it could be an indication that there is mistrust between your organisation and an employee. Many organisations will only receive DSARs when dealing with employee grievances or disciplinaries. Creating a strong and positive workplace culture where people are treated with respect and dignity and where the workforce feels trusted, valued and empowered will go a long way to prevent mistrust.

Our top tips:

  • Engage with your employees and create a diverse and inclusive workplace.

  • Create a process document allowing your organisation to deal with DSARs swiftly.

  • Appoint a GDPR and DSAR expert.

  • Invest in a computerised HR system.

  • Have a communications policy stating that all employees must be mindful of what they write in emails – if writing about a colleague, only ever write things you would be prepared to share with them.

We’re here to help

Give our team of HR professionals a call on 0161 941 2426 if you require help with a DSAR. We can also tell you more about our Digital HR Systems and provide you with a no obligation quote.
