Clarkslegal Law Bites
Key FAQs on Data Subject Access Requests (DSARs)
Understanding Data Subject Access Requests (DSARs) is crucial for businesses. For many companies, opening a DSAR is a daunting task, and it can be difficult to know where to start when faced with a mountain of potential documents to disclose.
In this podcast, Lucy Densham Brown and Jacob Montague, members of the Data Protection team at Clarkslegal, have narrowed down the top FAQs we receive on DSARs, including:
- How should I respond to a DSAR?
- When do I need to respond to a DSAR?
- Can I charge a fee for responding to a DSAR?
- Can I challenge a DSAR that I have received?
- My response to a DSAR will contain confidential information – what can I do?
If you have any questions at all about any aspect of the DSAR process, or need advice on how to respond to one, please contact our Data Protection lawyers for advice.
Lucy Densham Brown 00:06
Hello and welcome to our latest Data Protection podcast. Today we will be discussing DSARs, or Data Subject Access Requests, and going through some of the frequently asked questions that we get on DSARs.
My name is Lucy Densham Brown, I am a solicitor in our Employment and Data Protection teams. With me is Jacob Montague, a senior solicitor in our Corporate and Data Protection teams.
Jacob Montague 00:31
Hi everyone, thank you very much for joining us.
DSARs seem to be becoming more and more prevalent, and are a time-consuming and administratively burdensome task. For many companies, opening a DSAR comes with a sense of dread, and it can be really difficult to know where to start when faced with a mountain of potential documents to disclose. Our team is trained in helping clients sort through these documents and identify what should be included in their response. From our experience, we have narrowed down the top 9 questions people have about DSARs.
So with that, Lucy, let’s get started. First question, can you tell me who is a data subject?
Lucy Densham Brown 01:12
Yes absolutely Jacob. So a data subject is any individual who may be identified from any form of document, whether directly or indirectly. This is a key concept used to determine what data falls under the category of ‘personal data’. Data subjects have certain rights under the UK GDPR, including the right to make a DSAR.
That leads us onto question two. Jacob, can you explain what a Data Subject Access Request is?
Jacob Montague 01:43
I will try. So a data subject access request (DSAR) is a request made by an individual who is a data subject. This request can be broadly split into 3 distinct categories:
The first part of the request is to obtain confirmation from an organisation that it is processing their personal data.
The second is to receive a copy of that personal data held by the organisation.
The third key part is that they are required to receive details about how the data controller or processor is processing this personal data. This might include how long the data is kept for, whether it is sent outside the UK or whether this controller or processor uses any automated decision making.
Clearly, this is quite a lot of information. So let’s dig into the specifics a bit more.
Question three, when can a DSAR be submitted?
Lucy Densham Brown 02:40
Thanks Jacob. So, any data subject (the identified or identifiable living individual to whom personal data relates) has the right to make a DSAR as I said above. A DSAR can be submitted to any company, to ask them if they hold or process the individual’s data, and for copies of that data as Jacob just went through.
The DSARs that we see are most frequently in the employment context, whereby an employee submits a DSAR to their past or present employer. However, this is not a limitation, and it is common for individuals to submit DSARs to, for example, banks, hospitals, and large corporations such as Google or Meta.
So question four, Jacob, let’s say I receive a DSAR email. How should I respond?
Jacob Montague 03:32
As a first step you should verify the identity of the individual submitting the DSAR. This means actually asking for a certified copy of the identity of the person requesting the DSAR. You want to make sure the request is genuinely from this individual and avoid any personal data going to the wrong person.
Next, you should verify the validity of the request, for example, does it tell you what information they are actually asking for? Does it include a time period? Does it include relevant people, servers or areas specific to the organisation that they would like to be searched? The issue here is that the scope of the request is not always going to be clear and you may end up needing to clarify this request with the individual.
All relevant personal data must then be collated and provided to the data subject. Some data may need to be redacted if any of the relevant exemptions apply.
Lucy Densham Brown 04:30
Thanks Jacob. So that’s quite a lot of information to gather. Question five would be when do I need to respond to a DSAR?
Jacob Montague 04:40
Well, that’s going to vary, and it’s largely going to vary on the complexity of the subject access request. The standard point is that an organisation must respond to a DSAR “without undue delay” and in any event within one month of the request being received. Now if you have asked for ID, then the date that you have received the request starts from the day you have identified the individual.
But as I said maybe this deadline may be extended by up to three months in total if the request is a complex one, or maybe the individual has submitted several DSARs to the same organisation.
This leads us onto question six. As you can see, responding to a DSAR can be a very time consuming task. Particularly if the scope of the request is very wide. A lot of clients ask us, can we even charge a fee for responding to a DSAR?
Lucy Densham Brown 05:33
Yes it is a very common question. Unfortunately responses to DSARs must be provided free of charge, unless the requests are “manifestly unfounded or excessive”, that is a very high bar to reach and you would have to have significant evidence to prove that is the case. If that’s the case the organisation may charge a reasonable fee or refuse to act on the request entirely. But it’s worth noting that this decision may be subject to a review by the ICO. So you are going to want to be really sure that is the right choice when making that choice.
Jacob Montague 06:10
Thanks Lucy, another question often raised is if a fee can’t be charged, can I even challenge a DSAR that I have received?
Lucy Densham Brown 06:22
It is a common question that we get asked. So responding to a DSAR as we have said can be time-consuming and expensive, which is why a DSAR is sometimes made as a tactical strategy in disputes between individuals and organisations. A DSAR can be challenged in certain circumstances, and there are some exemptions that can be used where they apply or you can request to have the scope clarified. So as we have said before if the request is particularly vague you can ask for the time period to be clarified or perhaps the people to be searched against.
Moving onto question eight. So Jacob, if I’ve gathered all the evidence to respond to this DSAR, it might contain some confidential information – what do I do about that?
Jacob Montague 07:10
Thanks Lucy. As mentioned earlier there are exemptions that the organisation can rely on. In particular when it comes to certain data that might be classified as privileged or certain data which actually contains the personal data of another individual or even confidential information. Now the tools open to an organisation when faced with this data are to either not supply the data at all. It must be used in very very limited circumstances or the data could be redacted.
Another option might also be to summarise the personal data from one document into a new document, so that essentially whilst you are not sending the individual full copies of correspondence you are actually limiting their request to what they are entitled to, which is a copy of their own personal data.
Now we would obviously stress that the data controller or processor must exercise extreme caution when doing this, because you will not be seen by the ICO as responding in full to the subject access request if you don’t disclose all of their personal data.
So that leads us onto our last question which is when you submit a DSAR and believe that information that should have been in the response was not included, what options are available to you?
Lucy Densham Brown 08:47
Thanks Jacob. So the data subject, the person who made the request, can make a complaint to the Information Commissioner’s Office, the ICO, who can then in turn investigate that, and may impose penalties on the company for failing to disclose all the personal data the person’s entitled to.
They can also apply for a court order requiring the controller to comply with the request fully, or to seek compensation. It’s worth noting that the ICO fines for failing to disclose properly can be very very large so companies should act with due caution as we have said before, in deciding whether or not to disclose relevant documents.
That concludes our podcast on frequently asked questions for DSARs. If you want more information about what we have discussed, or need a member of our team to work through a DSAR with you, please get in touch and we would be happy to help.