DSARs – what are people entitled to receive
The Right of Access is a fundamental right under data protection law in the UK and European Union. Other jurisdictions have similar rights for their citizens. Requests are commonly referred to as a Data Subject Access Request – DSAR or SAR.
I often get asked questions about what’s in scope; what are organisations expected to provide in their response to a request? And what can they exclude?
The law tells us people have the right to request a copy of their personal data and other supplementary information from any organisation acting as a Controller.
What is meant by personal data?
Personal data is any information which could directly or indirectly identify the individual. This could include contact details, images, voice and video recordings, demographic information, profiles, order history, marketing preferences, HR records, opinions expressed about the individual, other personal identifiers such as employee number… the list goes on.
What if the individual already has the information?
I am also frequently asked: 'do we need to provide information they already have, or which is obvious to them?' The short answer is yes. Based on UK case law, organisations can't refuse to disclose personal data on the grounds that the individual already knows it (Case: Ittihadieh v 5-11 Cheyne Gardens, 2017). However, it wouldn't need to be included if the person has made it clear they don't want this information.
What is out of scope with DSARs?
- A DSAR isn't a right to documentation. Just because someone's name appears in an email, report or letter doesn't mean they're entitled to the whole document if much of it doesn't relate to them. It may be easier, and perfectly acceptable, to provide full documents, but you would be justified in not doing so. You can extract the relevant personal data, or redact the information which isn't about the individual.
- If personal identifiers have been removed from a dataset, and it’s truly anonymised (i.e. the individual cannot be reidentified), it no longer falls under the scope of data protection law.
- Personal data which is not part (or intended to be part) of a structured filing system is not in scope. For example, handwritten notes in a personal notepad, where there's no intention to formally file them, would not need to be included. However, if employees write notes in 'day books' which are intended to be kept as a record of conversations, these would be in scope.
When can we refuse to comply with a request?
Sometimes it may seem obvious to you that the individual has an ulterior motive for submitting a DSAR. In general, an individual's motives shouldn't affect their right to obtain a copy of their personal data, or the organisation's duty to respond. Organisations can however refuse to comply with a request, either partially or fully, where they judge it to be manifestly unfounded or manifestly excessive.
A request might be considered manifestly unfounded if, for example, the individual…
- has no real intention of exercising their right
- offers to withdraw their request in return for some kind of benefit
- explicitly states they want to cause disruption
- makes unsubstantiated accusations or allegations
- is targeting a specific employee due to a grudge
- sends regular and targeted requests as part of a concerted campaign
A request might be considered manifestly excessive if it's clearly or obviously unreasonable, or would involve disproportionate effort to fulfil.
If you rely on either of these grounds, be sure to document your decision and the rationale behind it; you may need to justify it to the individual or to the regulator.
How much effort is required?
Organisations are expected to make all reasonable efforts to search, identify and retrieve all the personal data being requested. Regulators would expect systems to be well-designed and maintained so information can be efficiently located (including carrying out searches) and extracted.
The right of access is not new. It existed long before the GDPR began to apply in May 2018, so organisations are expected to be well prepared to handle requests.
What can be excluded or redacted?
Once all the information relating to the individual has been retrieved, the data collated may include information which doesn’t need to be disclosed. There may be justifiable grounds for excluding information or redacting documents, emails, video recordings and so on.
- Information relating to others: the person making the request has a right to receive a copy of their own personal data; they're not entitled to personal data about other people. The UK Data Protection Act 2018 confirms you do not need to include information if doing so would mean disclosing information which identifies someone else, unless the other person has given their consent or it's reasonable to disclose without their consent. Remember that in many situations you may have a duty to protect the identity of others.
- Confidential information: a duty of confidence may arise when another individual has genuinely shared 'confidential' information with the expectation that it remains confidential. Confidentiality cannot be automatically assumed and needs to be assessed on a case-by-case basis. Other information which may also be considered confidential includes, but is not limited to: trade secrets, information made confidential under another law, internal costs or commercial rates, intellectual property and information covered by a non-disclosure agreement.
- Other exemptions: the UK's Data Protection Act 2018 provides a number of further exemptions which may apply depending on the nature of your business and the context of the specific request. These don't always apply in the same way. Sometimes you might be obliged to rely on an exemption (i.e. disclosure would break another law); at other times it will be a choice. Commonly used exemptions include legal professional privilege, crime and taxation, management information, research and statistics, confidential references and journalism.
The ICO says exemptions should not be routinely relied upon or applied in a blanket fashion. And remember, you may be required to demonstrate how an exemption applies and your rationale for relying on it. The full list of exemptions can be found in Schedule 2 of the Data Protection Act 2018 (with further exemptions in Schedules 3 and 4). Examples of how they apply can be found in the ICO's guidance.
What other information should be included in a response?
Along with a copy of their personal data, people are entitled to receive other supplementary information. Where this information is clearly available in a Privacy Notice, the ICO says it's sufficient to provide a link to it in your DSAR response. The supplementary information is as follows:
- Purpose: your purpose(s) for processing the person’s data.
- Categories: the categories of personal data you’re processing.
- Recipients: the recipients or categories of recipient you have disclosed or will disclose the personal data to (including recipients or categories of recipient in third countries or international organisations).
- International data transfer safeguards: the safeguards you have provided where personal data has or will be transferred to a third country or international organisation.
- Retention: your retention period for storing the personal data or, where this is not possible, the criteria for determining how long you will store it.
- Other privacy rights: the individual’s right to request rectification, erasure or restriction or to object to processing.
- Right to complain: the individual’s right to lodge a complaint with a Supervisory Authority, for example in the UK the Information Commissioner’s Office (ICO).
- Data source: information about the source of the data, if you didn’t collect it directly from the individual.
- Automated decisions: whether or not you use automated decision-making (including profiling) and, if so, information about the logic involved, as well as the significance and envisaged consequences of the processing for the individual.
DSARs can feel a bit of a minefield to the uninitiated, and a little daunting if you don't receive many or suddenly receive your first one. Our DSAR Guide provides more information about how to prepare for and fulfil requests. The ICO also has detailed Right of Access Guidance.