Data protection legislation in the UK is complex, and ensuring compliance can be difficult, time-consuming and expensive for smaller businesses that don’t have a dedicated specialist or internal resource.
One issue which regularly crops up is dealing correctly with the right of access to personal information, exercised through a data subject access request (DSAR). Individuals may request copies of information held about them at any time and for any reason. This includes ex-employees who have left in difficult circumstances and are advised to make a request as part of an employment-related dispute.
A DSAR triggers a duty to search for the person’s information across all of your data storage, including physical, digital and online. You must provide copies of the personal information retrieved, and you must also tell the person where you got their information from, what you’re using it for and who you are sharing it with.
It’s important that businesses don’t get caught out when dealing with DSARs. The Information Commissioner’s Office (the regulator for data protection matters) regularly issues public reprimands and takes other enforcement action against organisations that fail to comply with DSARs.
But it’s also important that your response is proportionate, so that it doesn’t take too much of your team’s time.
Here are our top tips for watching out for DSARs and getting your response right:
- There is no special format for a valid DSAR. It does not even have to be in writing: it may be made verbally, by email or via social media.
- A DSAR does not have to include the phrases ‘subject access request’ or ‘right of access’; it just needs to be clear that the person is asking for their personal information.
- Individuals can make requests to any part of your organisation, and don’t have to direct it to a specific person or contact point.
- This means that a DSAR could be missed, so you should have your own internal guidelines for staff, setting out a designated person, team or email address to which DSARs are passed.
- You must respond to a DSAR within one month. However, you could extend this time limit by up to two months if the request is complex.
- If the request is unclear, you can ask for clarification about the information or processing activities the person is looking for before responding. The time limit for responding is paused until you receive clarification.
- You can refuse to comply with a DSAR if it is manifestly unfounded or excessive. Broadly, this means the request is malicious and/or is being used to harass your organisation with no real purpose other than to cause disruption.
- There are some other exemptions to the information you have to disclose. These include: information which identifies others, witness statements for internal staff disciplinaries or investigations, confidential references (given or received), legal advice, information relating to negotiations with the requester, and management forecasting and planning information. The ICO has guidance on these and other exemptions in its ‘Guide to data protection exemptions’.
- You must consider each request individually and whether any of the exemptions are relevant so that you can justify withholding information, if challenged.
- You must comply with a DSAR, even if the person has signed a settlement or non-disclosure agreement purporting to waive their right to make such a request; any such waiver is unenforceable under data protection legislation.
- You must comply with a DSAR even if the person is going through a grievance process or bringing litigation against you and you suspect the request is a ‘fishing exercise’.
- Don’t forget that data protection legislation applies to any social media activity carried out in a professional context. If you use social media such as Facebook, WhatsApp or X (Twitter), or chat channels such as Microsoft Teams, for business purposes, you must search them for any relevant personal information.
- CCTV footage is personal data and must be disclosed. Where the footage includes images of other people, you must redact those images or get the other people’s permission to disclose them.
- You can no longer charge the person making the DSAR for copies of the personal information you send them. However, you can charge a ‘reasonable fee’ if they request further copies of their data (or if a request is manifestly unfounded or excessive).
The ICO published new guidance for employers on responding to DSARs in May 2023.
How can we help you?
We can help you deal with DSARs and assess whether any exemptions apply. We can also draft appropriate guidelines for managers and others dealing with DSARs and deliver training to ensure these are followed correctly.
We’ll work with you to help you understand what personal data you hold and what to do with it, as well as getting the right data protection policies, processes and documents in place to ensure you stay compliant and manage risk appropriately. Get in touch on email@example.com to find out more.