How to respond to a data subject access request (DSAR)
Subject access requests or data subject access requests (SARs/DSARs) are easy for an individual to make. For the organisation receiving one, however, responding compliantly within ICO timescales can be a complex matter that takes many hours of work and significant resources.
Any individual who is dissatisfied with the speed or content of an organisation’s SAR response can complain to the ICO.
This DSAR response guide is intended to help organisations respond to DSARs in as straightforward a manner as possible.
Further guidance is available on the ICO website: How to deal with a request for information: a step-by-step guide
How to fulfil a data subject access request
By law, people can ask you for a copy of any information that relates to them, as it is deemed to be their personal data, and they have a legal right to see it.
If someone asks you for a copy of their personal data, by phone, in person or in writing, they have made a ‘data subject access request’ (DSAR), and you need to respond.
Here is a 10-point DSAR fulfilment checklist to help you complete a data subject access request.
1: Assign a data protection lead
Large businesses generally have Compliance teams, while small businesses are expected to nominate a member of staff to take the lead on data protection.
2: Check on the identity of the requester
If you are not certain about the identity of the requester – i.e., that they are who they say they are – you should verify the requester’s identity before responding to the DSAR. Verification can take the form of requesting ID, asking questions to which only the authentic requester would know the answers, or asking for reference numbers, dates and locations.
3: Check that the requester is authorised
If the DSAR is made by someone other than the person the data is about (such as a relative or solicitor), check that the requester has been authorised.
You should ask for written authority to act on behalf of the person concerned, or a document showing power of attorney.
Children older than 12 can make their own DSARs, so if a parent or carer makes a request, you should usually get permission from the child first.
4: Create a DSAR fulfilment calendar
Data holders have thirty days to gather requested data and provide it to the requester in the format of their choice. The thirty days starts from the time the requester’s identity and authority have been verified.
If the DSAR is complex, or the requester has made a lot of requests, you can take an extra two months to respond. You must, however, let the requester know there will be a delay before the end of the initial fulfilment period.
5: Double check what is being requested
Requesters may ask for all the data you hold on them or they may ask for something specific. Clarify precisely what the requester is asking for.
6: Search for the relevant information
Use the search functions on all devices to locate every instance of the data being requested. Devices and sources can include smartphones, computers, archived files, emails, external hard drives, tablets, memory sticks, voice recordings, social media posts and CCTV records.
7: Check what you need to redact
Before providing the requester with their information, check it carefully to ensure it only contains their information.
If you discover a document, email or video that mentions people other than the person in question, you should redact (hide, mask, black out or remove) any information that does not relate to the person making the DSAR.
Disclosing information about other people is likely to result in a breach of their personal privacy.
We covered the challenges of document data privacy in a previous article. If you are new to document data privacy, check out how to avoid the hidden pitfalls associated with data redaction.
8: Think carefully about releasing data about other people
You should avoid disclosing information about other people in a DSAR, otherwise it is classed as a data breach under data protection laws such as GDPR and the Data Protection Act.
When the personal data you gather includes information that is linked to someone else, consider the impact that disclosure could have.
For example, if all the details about the other person are already in the public domain there may not be a need for redaction. If the requester does not know particular information, there is a strong case for redacting other names and identifying information.
If the requester is likely to guess at the identity of others, you may need to consider whether it’s necessary to get the other people’s consent prior to release.
9: Choose a response format
If you received a DSAR by email or post, you should reply by email or post, unless the requester specified a preferred response format.
10: Keep a record of your reply
When you send the requester their personal data, include a copy of your privacy policy.
The privacy policy should explain why you hold data, how you acquired it, how long you’re planning to keep it, who you share it with, and how people can request changes or data deletion.
Keep dated records of the information you send as you may need to refer to it again, for example if the requester is not satisfied with your response or if they make another request.
The ICO provides a downloadable privacy notice template on its website.
File search and data removal for assured in-house data privacy compliance
In the past two years, there has been a steep increase in DSARs, and fulfilment can be overwhelming, costly and potentially risky.
Facit helps organisations worldwide to automate complex video and document data redaction in all file formats, from complex spreadsheets to lengthy video footage.
Facit's privacy compliance auto-redaction solutions remove problematic data in seconds so that you can comply with ICO deadlines with 0% risk of a privacy breach.