Verify the applicant’s identity
Before taking any action, controllers must verify the identity of the DSAR applicant, as disclosing personal information to the wrong recipient is itself a breach of the GDPR.
If controllers can demonstrate that they are not able to identify the data subject, they are not obliged to act on a DSAR (Article 11(2)), unless the data subject provides additional information that enables the controller to identify them.
As with so many aspects of GDPR compliance, the word ‘demonstrate’ is important here. Controllers must maintain appropriate records of any decision not to respond so that they can justify their actions to the relevant supervisory authority (the ICO (Information Commissioner’s Office) in the UK) if necessary.
It is also important to note that controllers may not retain personal data solely to be able to react to potential DSARs.
If a controller has reasonable doubts concerning the identity of the person making the DSAR, it may request the additional information necessary to confirm that identity (Article 12(6)). Ask only for what is needed to confirm identity; demanding more than that is itself excessive processing.
Gathering the information
The most time-consuming part of responding to DSARs is locating all the relevant information. It is therefore useful to have a procedure that enables you to check the data you process and where it is stored. A data flow map and data inventory will help.
How to communicate with the applicant
Article 12(1) states that controllers must provide communication “in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means”.
Recital 63 provides further information: “Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.”
The ICO’s guidance explains that “This will not be appropriate for all organisations, but there are some sectors where this may work well.”
When to respond to a DSAR
Data controllers must respond to a DSAR without undue delay and, in any event, within one calendar month of receiving the request (Article 12(3)).
However, Article 12(3) grants that this period “may be extended by two further months where necessary, taking into account the complexity and number of the requests”.
Data controllers must still contact the DSAR applicant within one month and inform them of any extension, explaining the reason(s) for the delay.
Information to include when responding to a DSAR
When responding to a DSAR, data controllers must provide data subjects with a copy of the personal data undergoing processing (Article 15(3)) together with the following information (Article 15(1)):
- The purposes of the processing.
- The categories of personal data involved.
- The recipients (or categories of recipients) the personal data has been or will be disclosed to.
- The length of time the personal data will be retained (or, if this is not possible, the criteria for determining the retention period).
- The existence of the data subject’s right to request that the controller rectify or erase the personal data or restrict processing, or to object to processing.
- The data subject’s right to lodge a complaint with a supervisory authority.
- Where the personal data has not been collected direct from the data subject, any available information about its source.
- The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences for the data subject of such processing.
- Where the personal data is transferred to a third country or international organisation, the appropriate safeguards relating to that transfer (Article 15(2)).
Information to withhold – DPA 2018 exemptions
The DPA 2018 sets out the UK’s exemptions and derogations from the GDPR.
Section 45(4) of the DPA 2018, which sits in Part 3 of the Act (law enforcement processing by competent authorities), states that controllers may restrict the right of access, wholly or partly, where doing so is a necessary and proportionate measure to:
- Avoid obstructing an official or legal inquiry, investigation or procedure.
- Avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties.
- Protect public security.
- Protect national security; or
- Protect the rights and freedoms of others.
For most data controllers, the last of these points will be the most relevant. For processing under the UK GDPR, the equivalent provision is paragraph 16 of Schedule 2 to the DPA 2018: you do not have to comply with a DSAR to the extent that doing so would mean disclosing information relating to another identifiable individual, unless:
- The other individual has consented to the disclosure; or
- It is reasonable to disclose the information without that individual’s consent.
The ICO explains that, when determining whether it is ‘reasonable’ to disclose the information, controllers should “take into account all of the relevant circumstances”, including the type of information, any duty of confidentiality owed to the other individual, the steps taken to seek their consent, whether they are capable of giving consent, and any express refusal.
If you decide not to disclose personal data, you must record your reasons for doing so and inform the DSAR applicant within the one-month period, explaining why and telling them of their right to complain to the ICO and to seek a judicial remedy (Article 12(4)).
Other exemptions under the DPA 2018 cover certain forms of processing relating to:
- Healthcare
- Taxation
- Crime prevention
- Legal professional privilege
- Specific enactments relating to:
  - Human fertilisation and embryology
  - Adoption
  - Special educational needs
  - Parental orders
  - Children’s hearings
  - Immigration control
- Scientific or historical research
- Statistical purposes
- Archiving in the public interest
- Social work data
- Education data
- Child abuse data
- Corporate finance
- Management forecasts
- Negotiations
- Confidential references
- Exam scripts and marks
Information about all of these can be found on the ICO’s website.
Excessive requests and reasonable administrative fees
Where DSARs are “manifestly unfounded or excessive, in particular because of their repetitive character”, controllers may either charge a reasonable fee or refuse to act on the request.
The controller bears the burden of demonstrating that a request is manifestly unfounded or excessive (Article 12(5)), so appropriate record-keeping is, again, essential.
The size of the fee should be based on the administrative cost of providing the relevant information.