How To Respond To A Data Subject Access Request

Under the UK General Data Protection Regulation (UK GDPR), Data Subjects have the right to obtain copies of their personal data. This is known as the right of access.

A data subject can request their personal data by making a data subject access request (DSAR). The data subject does not need to use a specific form, refer to legislation, or direct the request to a specific contact. For a DSAR to be valid, a data subject simply needs to ask for their personal data.

You should respond to a DSAR within 1 calendar month of receipt of the request. If the request is complex or several requests have been received, you can ask for a further 2 months to respond to the DSAR.

Before responding to a DSAR, you need to satisfy yourself that the person making the request is who they say they are. You could do this by asking questions that only the data subject would know, or in some circumstances it may be appropriate to ask for ID. ID should only be requested where it is necessary and proportionate to do so.

You then need to consider who has made the request. If the DSAR has been made by someone other than the data subject (e.g. a friend, relative, or solicitor), you need to see written authority for that person to act on behalf of the data subject.

What information needs to be provided in response?

This depends on the nature of the request. A data subject may ask for all their personal data. Alternatively, they may restrict their request. You need to consider exactly what information the data subject is actually requesting. For the purposes of this blog, I have assumed that the data subject has requested copies of all of their personal data.

Once you have established what information has been requested, you need to do a search of your systems. Think about where the information could be, for example, on your smartphones, computers, email folders, external hard drives, tablets, memory sticks, social media posts, and CCTV files.

Once you have done a search of your system and collated the information, you need to consider whether the information is personal data.

“Personal Data” is defined by the UK GDPR as:

“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier…” [emphasis added].

If the information fits the above definition, you should be disclosing it in response to the DSAR. In certain circumstances, you can withhold some or all of the data subject’s personal data by relying on an exemption or if you consider that the request is manifestly excessive or unfounded.

It is important to remember that the information has to actually relate to the data subject for it to be considered personal data. If the information simply refers to the person by name and does not relate to them, you do not need to disclose this in your response.

You also need to carefully review any personal data to ensure that it does not contain anyone else’s personal data. If it does, you need to get the person’s consent or alternatively, you should consider whether it is possible to redact the other person’s information.

Once you have done the above, you need to prepare your reply to the DSAR. If you received the DSAR by email, you should reply by email, unless the data subject asked for the response in a different format.

Comment

It can be difficult to know what information to disclose in response to a DSAR. If you are unsure, it is important to seek legal advice to ensure that you are complying with your obligations.

How can we help?

Ruby Ashby is a Senior Associate in our expert Dispute Resolution team, specialising in data breach claims, inheritance and Trust disputes and defamation claims.

If you need any advice, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
