Data Subject Access Requests

Data Subject Access Requests – okay, it’s never going to be anyone’s chosen specialist subject on Mastermind – but what are they, why are they likely to increase in number and why do you need to know what they are?

What is a data subject access request?

An individual has a right to make a data subject access request (DSAR) to access data which is collected about them. This right applies to anyone, whether employed or not. Whilst this right is not a new concept, the General Data Protection Regulations (GDPR) 2018 introduced new requirements for collecting and handling personal data because of significant advances in digital and technological platforms.

In the context of employment, this means an employee has the right to obtain information from their employer as to whether or not their personal data is being processed. If this is the case, then they are entitled to be given a copy of that personal data together with details about –

  • the nature of the information
  • the purpose for which it is used
  • the identity of those with whom it is shared
  • the period for which it is stored
  • how to challenge the accuracy of the information, to have it deleted or to object to its use
  • how to complain to the Information Commissioner’s Office (ICO)
  • the source of the information
  • whether the information is used for profiling or automated decision-making and how this is done
  • the security measures taken if the information is transferred to a third country or international organisation.

Although an individual is entitled to be provided with the personal data that is held about them, there is no right to be given copies of the documents which contain their personal data.

What is personal data?

Personal data is information relating to a person who can be identified directly from it, or in combination with other information.

Examples of personal data include:

  • name
  • email address
  • identification number
  • location data
  • an online identifier, such as IP addresses

Can a fee be charged for a DSAR?

Previously, under the Data Protection Act 1998, a fee could be charged as a matter of course for dealing with a request. However, under the new legislation, information must be provided free of charge unless the request is manifestly unfounded or excessive, in which case a reasonable fee can be charged.

How long do I have to respond to a DSAR?

Requests must be handled without undue delay and, in any event, within one month of receipt of the request. It may be possible for an employer to extend this period by up to a further two months if several requests have been made or the request is complex. However, the individual must be notified within the first month and reasons for extending the period should be communicated.

What happens if I fail to respond to a DSAR?

Under the legislation, if a business fails to comply with a DSAR then they can face fines of up to 20 million euros or 4% of their annual global turnover in the preceding financial year, whichever is the higher.

Why are DSARs likely to increase?

The right for an individual to request access to their personal data is not a new concept. Under the Data Protection Act 1998, an individual could make a subject access request (SAR) but these were rare. However, under the new legislation, we have already experienced an increase in the number of people making DSARs. There are many reasons for this.

Firstly, with the advance of technological platforms, individuals are more aware of their rights. Secondly, there is no longer a fee payable which may have previously deterred people from submitting a request. Thirdly, given the anticipated rise in redundancies over the coming months, a DSAR can be a very useful tool. Tactically, it creates additional work for a business which, at the time the request is received, may already be under strain dealing with other commercial issues. It can also be used as a fishing expedition to see what information can be unearthed to assist an individual in pursuing an Employment Tribunal claim.

It has certainly been our experience during recent months that the number of DSARs that our clients have received is increasing. We would strongly advise our clients to review their existing data protection policies and procedures, and revisit their retention periods, to ensure that they remain legally compliant. Also, it’s important to retain information for as short a time period as possible, as this will assist when dealing with a DSAR.

Should you have any queries or require any assistance, then please do not hesitate to contact a member of our Data Protection team.