Don’t confuse a DSAR with a request under the Freedom of Information Act (FOIA) or similar legislation in other jurisdictions where data can be requested from a public authority.
Key changes to DSARs under GDPR
European Union (EU) data subjects were able to submit DSARs to data controllers under previous data protection legislation, but the GDPR introduces three notable differences to the DSAR process:
- You aren’t allowed to charge a fee except in limited circumstances.
- You must respond to the DSAR within 30 days. (The pre-GDPR time limit in the United Kingdom was 40 days.)
- You must provide the data in electronic form wherever possible.
In response to a DSAR, the data subject is entitled to receive:
- Confirmation that you’re processing their personal data
- Copies of their personal data but not of data relating to other people
- Other mandatory information as specified at Article 15(1) of the GDPR, such as the purposes of the processing, the categories of personal data being processed, the recipients (or categories of recipients) to whom you disclose their personal data, and how long you will store their data
Amending the data
Data is often transient and is being updated continuously. So, what do you do if the data has changed from when you receive the request to when you’re ready to send out your response to the request? Generally, the relevant time point from which to send data is the time the request was received. If the personal data is being amended or deleted while you’re dealing with the request, however, you may send the data that you hold at the point you send the response.
What you absolutely must not do is delete data that you don’t want to supply to the data subject. Under the United Kingdom's Data Protection Act 2018 (and other, similar European legislation), it’s an offense to amend requested data to prevent its disclosure, punishable by an unlimited fine.
Section 173(3) of the UK’s Data Protection Act 2018 states, “It is an offence to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive.”
However, section 173(5) goes on to say: “It is a defence for a person charged with an offence under subsection (3) to prove that (a) the alteration, defacing, blocking, erasure, destruction or concealment of the information would have occurred in the absence of a request made in exercise of a data subject access right, or (b) the person acted in the reasonable belief that the person making the request was not entitled to receive the information in response to the request.”
Responding to a DSAR
In your response, you must provide the data in concise, clear language that the average adult person (or average child, if the request relates to a child) can understand. If the data is in some way encoded, you must provide a key to the code so that the data subject can interpret the data. However, if the data subject doesn’t understand the language you respond in, you aren’t obliged to provide a translation.
If a request for a DSAR is made electronically, you should make the requested data available in a commonly used electronic format, unless the data subject has requested otherwise.
Recital 63 of the GDPR recommends that you should, where possible, provide remote access to a secure, self-service system providing direct access to the relevant data, as long as this doesn’t adversely affect the rights and freedoms of others, such as trade secrets or intellectual property.
The UK’s Data Protection Act 2018 has special provisions relating to data held by credit reference agencies. Unless otherwise specified, a DSAR to a credit reference agency applies only to information relating to the individual’s financial standing. Credit reference agencies must also inform individuals of their rights under section 159 of the UK's Consumer Credit Act 2006.
Disclosing data that includes information about other people
Under the UK’s Data Protection Act 2018, you don’t have to comply with the DSAR if you would have to disclose information about another identifiable person, except if that other identifiable person has agreed to the disclosure or you can reasonably comply with the request without that person’s agreement. Similar legislation applies in other EU jurisdictions.
Concerning whether it’s reasonable, you need to think about these factors:
- The type of data you would be disclosing
- Any duty of confidentiality owed to the other person
- Whether you have sought the agreement of the other person
- Whether the other person is capable of giving agreement
- Any express refusal of agreement by the other person
The crux here is to balance the rights of the data subject making the request with the rights of the other person — often, a difficult exercise. In these instances, I highly recommend that you carefully document your decision and your decision-making process and keep it on file.
You cannot refuse to provide data merely because it was obtained from another person. Only when the data inextricably involves the data of another person can you refuse to disclose it on this ground.
Regarding processors and DSARs
A data processor is a third party who processes personal data for you under your instructions. If one of your data processors receives a DSAR relating to personal data for which you’re the data controller, the data processor must pass that DSAR to you as soon as possible.
Your Data Processor Agreement should include provisions obliging the processor to pass the DSAR to you as soon as possible. See Chapter 5 for details about data processors, and Chapter 10 for more on Data Processor Agreements. I advise also having suitable contractual provisions between you and your processors obliging them to assist you with a DSAR (or any other data protection rights).
You cannot fail to respond to a DSAR, or request a time extension, on the grounds that data was unavailable because a data processor failed to act in a timely manner.
Exemptions to data being provided as part of a DSAR
Specific EU member state legislation provides for certain exemptions to the data you need to disclose in response to a DSAR. Schedule 2 of the UK’s Data Protection Act 2018 provides a number of exemptions, including:
- Legal professional privilege during legal proceedings or confidentiality between a legal advisor and a client.
- Self-incrimination.
- Corporate finance where compliance is likely to affect the price of corporate finance instruments or would adversely affect a person's decision in relation to corporate finance.
- Management forecasting or management planning of an organization to the extent that disclosure would be prejudicial to such forecasting or planning.
- Negotiations with the data subject if such disclosure would be likely to prejudice negotiations with the data subject. This relates only to the negotiations themselves and not to the underlying claims that are the subject of the negotiations. After the negotiations are complete, this exemption no longer applies.
- References for education, training, or employment of the data subject, the placement of the data subject as a volunteer, the appointment of the data subject to any office, or the provision by the data subject of any service.
- Copies of written exams/exam scripts and exam marks.
- Journalistic, academic, artistic, and literary purposes.
Other EU member states may have different exemptions. If you can’t determine whether you need to comply with a DSAR (or any other request from a data subject), consider contacting your supervisory authority for guidance or even a GDPR lawyer or consultant.
Responses to a Data Subject Access Request
Though a DSAR can be quite legitimate, many are used as fishing expeditions or to uncover confidential HR procedures regarding redundancy and discipline. You, therefore, must be able to respond to a DSAR in accordance with the law but also in a sensitive manner.
If you have employees within your organization, I recommend that you
- Identify one person within your organization who will be responsible for handling DSARs. This is a job for the Data Protection Officer, if you have one; if you don’t, choose another suitable employee.
- Put in place a DSAR handling policy for all staff, and train relevant staff how to respond to DSARs. Remember to include the receptionist, the mail carrier, and the social media team.
- Train all staff on how to recognize a DSAR. Emphasize the importance of forwarding the DSAR to the employee who has DSAR responsibility.