Hannah Moran, commercial solicitor, Data Protection at law firm Irwin Mitchell, set out current DSAR requirements and how to manage them
 
 
What is a DSAR?

• A Data Subject Access Request (or a DSAR) gives living individuals the right to access their own personal data – it doesn’t apply to individuals who are deceased.
• It is not a right to commercial information (i.e. business documents that are not relating to the individual)
• What needs to be provided?
  • Access to the personal data held
  • Other information about the use of personal data (often contained in a privacy notice)

 
Recognising a DSAR
 

• A DSAR can be made in writing or verbally or even via social media
• You could provide a form for individuals to fill out when they are making a DSAR but you cannot make it compulsory
• ICO DSAR Tool: Make a subject access request | ICO
• Can you charge a fee? In most cases the answer is no, however you can charge a ‘reasonable fee’ if you choose to comply with a manifestly unfounded or manifestly excessive request or if an individual requests further copies of their data (more detail later)

 
Verifying Identity

1. If you’re unsure of the identity of the individual, you should seek proof of identity from them
2. However requests for proof of identity must be reasonable and proportionate – don’t ask for verification if you don’t need it and only ask for the documents you need to verify their identity
3. ID should be requested promptly
4. Time to respond to the DSAR will not start until the identity of the individual has been confirmed (where you need to check this).

 
Requests Made on behalf of the individual

• A DSAR is often made by someone on behalf of the individual – this can be a complex area
• If you get a DSAR from a third party on behalf of someone else, you need to check that they’re authorised or entitled to make the request
• Generally, you need to check that the third party has written authority from the individual
• Solicitors – a solicitor does not have automatic authority to make a DSAR on behalf of their client
• Parents – no automatic right to make a DSAR on behalf of child – child should make DSAR if sufficiently mature to understand what a DSAR is and the response
• Spouses – no automatic right to make a DSAR on behalf of husband/ wife
• If the individual doesn’t have capacity then you should ask whether they have a lasting power of attorney and respond to their attorney, for example

 
Timescales for Responding

• The time limit for responding to a DSAR is one calendar month, beginning on the day of receipt. It isn’t 30 days
• For example, if the DSAR is received on 3 February, you need to respond on 3 March. If 3 March is a weekend or bank holiday then you respond on the next working day
• When does time not start or is paused?
  • Verifying identity – time does not start until it has been done
  • Checking authority – time does not start until authority provided
  • Clarifying the request – time is paused
• What allows you to extend the response time?
  • Complexity

 
Complexity

• If a DSAR is complex you can extend the response deadline by up to 2 further calendar months
• What ‘complex’ means will be dependent on the facts and context of each DSAR
• Some factors that are relevant include:
  • Technical difficulties e.g. if the data was electronically archived
  • Large volumes of particularly sensitive data
  • Considering tricky exemptions
  • Needing to obtain specialist legal advice
• Requests that involve a large volume of information may add to the complexity of a request. However, a request isn’t complex solely because the individual requests a large amount of information
• You don’t need to ask for an extension
• Give a proposed date for a response – don’t automatically take the whole 2 months
• Send what you can in the initial 1-month period

 
Clarification
You can ask for a DSAR to be clarified – but clarification should not be an auto-response

• If you process a lot of information about the individual or the request is unclear, you can ask them to help you identify the personal data they specifically want e.g. additional details to help you locate the information, such as a date range or particular senders/ recipients of emails
• The clock (i.e. the time for you to respond to the request) is stopped while you wait for clarification

 
What if they don’t clarify?

• You can’t force an individual to clarify the request if they don’t want to – if they refuse, you still need to do a reasonable search.

 
What Does Manifestly Unfounded mean?

• A DSAR is manifestly unfounded where:
  • An individual has no real interest in accessing their personal data
  • The request is made maliciously, with the intention to harass and disrupt an organisation.
• Examples include:
  • Making the request to gain some form of benefit from the organisation e.g. a settlement or pay out
  • Making maliciously motivated accusations that can’t be justified against a specific employee
  • Targeting a particular individual as a result of a personal grudge
  • Systematically sending repeat requests to cause disruption
• Rude or abusive language doesn’t automatically make the request manifestly unfounded.

 
What does Manifestly Excessive mean?
To be manifestly excessive, a DSAR must be clearly or obviously unreasonable
Consider:

• The personal data requested
• The nature of the relationship between you and the individual
• The context of the request
• Whether refusing to provide it will cause damage to the individual
• What resources you have
• Whether the individual has made multiple DSARS recently
• Whether it overlaps with other requests

Just because you have had a DSAR from the same person before doesn’t automatically make it excessive.
 
Acknowledgements
 

• Acknowledge receipt of DSAR
  Same method as received (e.g. by email, letter, etc.)
• Manage expectations
  • Scope
  • Complexity
  • Timescales

 
Searching

• A reasonable and proportionate search should be carried out
• What terms to search?
  • Names
  • Nicknames
  • Initials
  • Other relevant identifiers i.e. employee number (if used)
• Places to search:
• Electronic records: emails, hard drives, mobile devices, WhatsApp/SMS, Microsoft Teams o CCTV
• Paper records (if they form a filing system)
• Personal accounts/ personal phones?

 

• What about personal data due to be deleted?
• Search relates to data held at the time you receive the DSAR request
• It is an offence to make any amendment with the intention of preventing its disclosure
• Planned deletion can still happen – eg rolling deletion of CCTV footage
• What about personal data backed up or archived?
• Apply same effort as for live systems
• What about emails that the individual is cc’d into?
  • If the content is not about them the email does not need to be disclosed
• Do we have to disclose personal data created after the date we receive the DSAR?
  • ICO guidance says that the DSAR relates to the personal data held at the date on which the request is received.

 
Exemptions

• Limited exemptions to DSARs in UK GDPR and Data Protection Act 2018
• There are a considerable number of specific exemptions
• Common exemptions:
  • Third party data
  • Confidential References
  • Legal Privilege

 
Exemptions (third party data)

• Individuals are only entitled to their own personal data UNLESS:

• Third party consents; or
• Reasonable to provide without consent

• Case by case assessment should be carried out
• Redact third party data
• Keep a record of your decision and reasoning

 
Exemptions (Confidential References)

1. The references exemption applies to confidential references for the purposes of prospective or actual employment, education, training, appointment to an office
2. It applies to references received or given
3. It only applies to CONFIDENTIAL references
4. Make sure any references you give are marked confidential and request references on a confidential basis

 
Exemptions (privilege)*
Two types of privilege:

• Litigation privilege
  • Only where litigation is contemplated or in progress
  • Applies to communications between client, professional legal adviser, or third party
• Legal advice privilege
  • Must be acting in a professional capacity when giving legal advice
  • Only applies to communications between client and professional legal adviser

*Recommend you seek legal advice on applying this exemption
 
Checklist: sending out the responses

1. Finalise redactions
2. Draft a covering letter in clear and plain language (particularly if for a child)
3. Include all required information from Article 15 in addition to the copy of the personal data (generally by sending privacy notice)
4. Give an overview of the exemptions applied
5. Be clear about what is provided to manage expectations and minimise the risk of complaints

 
How should you respond?

• If DSAR received electronically, respond electronically in a commonly used format
• If DSAR received in another format (eg letter or verbally), respond in any commonly used format (electronic or paper) unless the individual has reasonably requested a particular format

• Keep a register of DSARs key dates and a short summary
• Data should be sent securely ie password access/ protected or online document portal. If sent by paper, via tracked delivery

 
Failure to Comply

• The ICO is monitoring compliance with DSARs – number of possible outcomes if ICO believes a DSAR hasn’t been handled properly i.e. could require you to fix the issue, could issue a fine
• Any action taken by the ICO will be made public – risk of reputational damage
• Practically speaking if you can’t meet the deadline, send what you can as soon as you can – be pragmatic with searches
• Ensure you have effective policies/ procedures in place for dealing with DSARs

 
Data Protection Reform

• GDPR came into force 25 May 2018
• Brexit led to GDPR being implemented into UK Law to become “UK GDPR”
• Data Protection Act 2018 remains in force and should be read together with UK GDPR (it does not replace GDPR)
• However, the Data Protection and Digital Information (No. 2) Bill was introduced to Parliament for a second reading in March 2023.
• It is currently with the House of Commons with no date set for its Report stage or third reading.
  It is positioned as a “new common-sense-led UK version of the EU’s GDPR” and wants to preserve adequacy