Knowing your DSARs from your elbow: Data Subject Access Requests
It's now over two years to the month since the biggest change in data protection law for a generation.
A great deal changed when the General Data Protection Regulation (GDPR) came into force, with many headlines written about the maximum fines (the greater of €20 million and 4% of turnover) which could be levied by data protection authorities (such as the UK's Information Commissioner's Office (ICO)) for failure to prevent data breaches. However, many of the changes were an evolution rather than a revolution of the old regime. One such example is the set of amendments made to the data subject access request (DSAR) regime.
Those people whose personal data students' unions process, known as data subjects, have long had a right to request a copy of the information that is held about them by their Students' Union (SU). This will include employees, officers, student members and others with whom the SU interacts. However, the GDPR increased data subjects' awareness of their rights under data protection law and made some tweaks to the DSAR regime, which have together resulted in an increase in the number of DSARs submitted to organisations.
In light of this, and given that DSARs are notoriously time- and resource-consuming to manage, below we've set out a quick-fire Q&A to help SUs identify DSARs, along with some key pointers on how they might be managed.
A DSAR is a request made by an individual to access the personal data an organisation, such as an SU, holds on them.
The request doesn’t have to be identified as a DSAR and it doesn’t even have to be in writing. DSARs are effective when sent to any member of an organisation, so it’s important that everyone in the SU knows that data subjects have this right and who to contact if they think they’ve received a DSAR.
One key step to be taken is to ensure the DSAR is coming from the data subject (or their authorised representative). Which identity checks are carried out will depend on the individual circumstances, but SUs should err on the side of caution to avoid any potential disclosure of personal data to a malicious third party.
Most requests must be dealt with without charging a fee. Under the new regime, a fee can only be charged in exceptional circumstances (e.g. where a request is particularly excessive). This is a change from the old regime, which permitted a small fee to be charged.
SUs should examine the request and seek to agree parameters for any search of its records with the data subject.
For example, a data subject requesting “all correspondence relating to me” might be looking for correspondence around the time of a specific event, so the search parameters could be set to search 3 months either side of the event. This minimises the amount of data which needs to be searched through, whilst also making the exercise helpful to the data subject.
A DSAR covers all data held by the organisation. So, if the SU has paper records, these will need to be searched alongside electronic files. A plan should be put in place in anticipation of a DSAR to identify where personal data is held and how it can be accessed and searched effectively.
No, information about other people does not automatically have to be shared. Information about others will undoubtedly be held alongside information about the data subject. This should only be shared if the third party concerned has consented or if it is otherwise reasonable to do so.
Often, this means that details about third parties should be redacted or anonymised before the document containing their personal data is shared.
Most of the time, the SU will have one month from receipt of the DSAR (or, if relevant, from receipt of any ID requested) to respond to the request, irrespective of whether the SU is open for business.
This is particularly important during the current Covid-19 climate (though the ICO has noted it will be understanding if timescales are not met precisely during the current outbreak), but also through the summer and at other times when staffing may be reduced.
SUs can extend the timescale for responding to the DSAR by an additional 2 months where the request is complex (e.g. there is lots of information to search through) or multiple requests have been sent by the data subject. Notification of this extended timescale should be given within a month of the original request and reasons must be given for the extension.
Additional information should be provided to the data subject alongside the copies of personal data shared in response to the request. This information explains to the data subject how their personal data is held and used by the SU (though much of it can usually be provided by sending a copy of the SU's privacy notice).
The ICO has produced detailed guidance to assist organisations in responding to a DSAR.
We also have a dedicated data protection team at Wrigleys, who would be happy to help should you require any assistance.
If you have any questions or we can assist, please contact Nick Dunn or any other member of Wrigleys' data protection team on 0113 244 6100.
The information in this article is necessarily of a general nature. Specific advice should be sought for specific situations. If you have any queries or need any legal advice please feel free to contact Wrigleys Solicitors LLP.