What is a data subject access request (DSAR)?
A subject access request (SAR), sometimes termed a data subject access request (DSAR), is a request made by or on behalf of an individual for the information which they are entitled to ask for under Article 15 of the UK GDPR. UK GDPR is an update of the 2018 EU GDPR (General Data Protection Regulation).
Personal data can take many forms, including documents, text, database entries, photographs, video and audio data.
Subject access requests are one of the ways in which people can exercise their right of access. Subject access requests give individuals the right to obtain a copy of their personal data, as well as other supplementary information. A core aim of subject access requests is to help individuals understand how and why organisations, government departments and other public bodies are using their data, and to check that data is being captured, processed, stored and used lawfully.
How to make a data subject access request
There is no formal set of requirements in the DSAR process for making a subject access request under UK GDPR. The regulation’s emphasis is on giving people access rights, and making it straightforward to exercise those rights. As a result, there are many ways in which an individual can make a subject access request, including verbally, in writing, and on social media.
A subject access request can be made to any part of an organisation; it does not have to be directed to a specific person or contact point. Nor does a SAR or DSAR have to include the phrase 'subject access request.' The element that must be clear is that the individual is asking for their own personal data.
How to respond to a DSAR
The ICO provides an invaluable step-by-step guide on how to respond to a DSAR.
Key points in the ICO’s DSAR response guidance include:
Check that the request is valid
Set yourself reminders in order to meet response deadlines
Ask for required information early in the DSAR process
Search for the relevant information on phones, computers, email folders and video records
Check what you need to redact in order to protect people’s privacy rights
Send your reply securely and keep a record of what you’ve sent
Training required to identify and process data subject access requests
As the individual’s right of access is given a high priority under UK GDPR, organisations have a legal responsibility to identify and handle any request from an individual correctly. It is therefore advisable to give staff specific training to identify a request. Staff members who regularly interact with the public should be able to identify a subject access request and know the next steps.
The ICO suggests that it is good practice to have a policy for recording details of the subject access requests you receive. The ICO also recommends that you check with the requester that you have understood their request, as this can help to avoid later disputes.
Ask for ID when fulfilling a subject access request
The ICO’s recommendations on asking for ID include: “To avoid personal data about one individual being sent to another, either accidentally or as a result of deception, you need to be satisfied that:
you know the identity of the requester (or the person the request is made on behalf of); and
the data you hold relates to the individual in question (e.g., when an individual has similar identifying details to another person).”
The ICO’s advice includes operative words that appear regularly throughout UK GDPR, namely ‘reasonable’ and ‘proportionate’. So, when establishing a person’s identity, you must be reasonable and proportionate about the proof and information you ask for. You should not request more information once the requester’s identity is obvious to you, notably when you have an ongoing relationship with the individual.
Are there standard forms for a DSAR process?
There are no formal procedures or official forms for processing subject access requests. The onus is on organisations to establish how people can submit requests.
Standard forms can make it easier for organisations to identify a subject access request. Standard forms also make it easier for individuals to include all the details you might need in order to locate the data they are requesting.
UK GDPR recommends that organisations “provide means for requests to be made electronically, especially where personal data is processed by electronic means.” However, a subject access request is equally valid whether it is submitted by letter, email or verbally, so it must be clear that use of available forms is not compulsory.
Handling DSARs made on social media
Individuals can make subject access requests on any social media site where an organisation has a presence. You should therefore take steps to respond effectively to requests made on social media. Usually, it will not be appropriate to use social media to supply information in response to a request for information, for security and privacy reasons. Instead, it will be necessary to ask for an alternative delivery address for the response.
Providing information securely is a major emphasis of the ICO. It therefore becomes even more important to take care when dealing with requests and considering replies on social media, given their potentially public nature.
Controllers of information are responsible for taking all reasonable steps to ensure its security. There are some basic steps that you can take to help you respond in a secure manner.
On an organisational level, try to safeguard against human error. For example:
Ensure proper systems are in place to record SARs
Ensure that those responding to a request are properly trained
Have a procedure in place to check email or postal addresses before responding to a request
Who can submit a DSAR?
A DSAR can be submitted by anyone whose data is being processed by an organisation. They are not obliged to provide a reason for submitting a DSAR.
DSARs can be made by employees, customers, contractors and members of the general public.
DSARs can also be submitted on behalf of someone else if the data subject authorises the person to make a request. For example:
A parent requesting on behalf of a child
A legal representative requesting on behalf of a client
A relative or a friend
A person appointed as a guardian
The organisation has an obligation to ask for written authorisation or other documents supporting the authorisation.
How can an individual submit a DSAR?
An individual can submit a DSAR by contacting the organisation that holds their personal data.
The request can be made in writing, via email or through an online form. The individual should specify the type and, if applicable, the timing of the data sought, for example if the request is for video footage.
The organisation is legally required to respond within a set timeframe, typically 30 days.
Who should respond to a DSAR?
Some organisations are obligated to appoint a Data Protection Officer (DPO), but this is not the case for all organisations.
Nevertheless, there should be one person within the organisation in charge of compliance who will have a high-level overview of DSAR processes and document all requests to ensure that they are resolved in a timely manner.
The DPO does not have to respond to every request personally. However, the DPO should have control over the processes and ensure compliance along the way.
Making a subject access request on behalf of someone else
UK GDPR allows for a relative, friend or solicitor to make a subject access request on someone else’s behalf. The organisation receiving the request should satisfy itself that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence, such as written authority, signed by the individual, stating that they give permission to make a request on their behalf.
If there is no evidence that a third party is authorised to act on behalf of an individual, organisations are not required to comply with the subject access request. However, they should still respond to the requester and explain the reasons for denial.
Subject access requests about children
The right to access information about a child is the child’s right rather than anyone else’s, even if:
They are too young to understand the implications of the right of access
The right is exercised by those who have parental responsibility
They have authorised another person to exercise their right
Before responding to a subject access request for information held about a child, consider whether the child is mature enough to understand their rights. If the request is from a child and you are confident that the child can understand their rights, you should usually respond directly to the child. You may allow the parent or guardian to exercise the child’s rights on their behalf if the child has given their authority, or if it is evident that this is in the best interests of the child.
Other authorised third parties could be an adult or a representative such as a child advocacy service, charity or solicitor. However, you should not consider a child to be competent if it is evident that they are acting against their own best interests, for example if you have reasonable concerns that the third party is pressurising the child into making the subject access request.
Are subject access requests and freedom of information requests the same?
Subject access requests and freedom of information requests are not the same.
A subject access request may mistakenly state that it is a freedom of information (FOI) request. If a request relates to the requester’s personal data, it should be treated as a subject access request (SAR).
Freedom of information requests support the right to ask to see recorded information held by public authorities. The Freedom of Information Act (FOIA) and Freedom of Information (Scotland) Act (FOISA) provide the right to see information. The right to see environmental information is handled under the Environmental Regulations (EIRs), or Environmental Information (Scotland) Regulations (EISRs), and includes information on topics such as carbon emissions and the environment’s effect on human health.
What is the time limit for responding to a subject access request?
An organisation normally has to respond to a subject access request within one month. If an individual has made a number of requests or the request is complex, the organisation may need extra time to consider the request and it can take up to an extra two months to respond.
If an organisation is going to take longer than a month to process a subject access request, it should inform the requester within one month that more time is needed and state the reasons why.
The ICO has published useful supplementary information about SARs, such as individuals’ rights to copies of their data, how the information will be received, and potential charges for SAR processing.
Can all data be shared in subject access requests?
When fulfilling subject access requests, the organisation supplying information to the requester must remove all but the personal data that relates to the requester. Failure to remove data relating to anyone but the requester is likely to lead to a breach of the privacy rights of other individuals, and in turn to public censure and a substantial fine.
Facit provides the most accurate and reliable technology to remove data from documents and video footage by redacting (completely masking) data relating to all but the subject of interest. Our redaction solutions are fast, cost-effective and simple to use in-house, and they enable organisations to respond to subject access requests compliantly.