How To Reply To A Data Subject Access Request

By
Alex Franch
March 20, 2023


A data subject has gotten in touch and requested access to their data, either through your DSAR form on your Privacy Portal or any other channel.

What steps do you need to follow now?

💡 LOGGING

It is recommended that you maintain a record of all requests received, the date of receipt and the employees responsible for the tasks associated with completing each request.

A DSAR log does not have to be overly complicated; a spreadsheet will suffice. What matters is that everyone knows where the log is stored, who DSARs should be forwarded to, and who is responsible for collating, redacting and responding.

Step 1: Acknowledge Receipt

Step 1 is to reply to the email to acknowledge that we’ve received the request.

Hi Carey,

Thank you for your request - this message is just to confirm that we have properly received your request. We have identified this request as a Data Subject Access Request and it is our obligation under the GDPR and the Data Protection Act 2018 to comply with it.

In the interest of transparency, we'd like to inform you how we proceed with these requests so that you know which stage we're at:
1. Verify your identity - we need to make sure that you are the person whose data you are requesting
2. Understand the scope of your request
3. Gather the personal data
4. Disclose that data to you (where we can do so lawfully)
5. Answer any other concerns you may have

We aim to resolve these requests within 28 days from when we verify your identity.

Note: If you did not create this request - please let us know.


Step 2: Verify Identity

Hi,

We are processing your Data Subject Access Request - we're currently in Step 1.

For this step we need to verify your identity:

- We need to ask if you could please {appropriate way of identifying person}

Apologies if the steps above are inconvenient, but we're committed to protecting the data of the individuals who trust us with it. Before we give out any information we must ensure that we are giving it to the right person; this is one more step to protect your data.

Examples of how to verify the identity of a person who (swap for {appropriate way of identifying person} above):

  • Booked a meeting with you:

- Reply to this email confirming that you acknowledge that you created a request on the "Date" at "Time"
- Indicate the name, surname and email address with which you want to proceed with the request
- You mentioned that you booked a meeting with us - as a further means to verify the request, could you please give us details of the date, time and the method by which you booked that meeting?

  • Was contacted by one of your sales/marketing emails:

- Reply to this email confirming that you acknowledge that you created a request on the "Date" at "Time"
- Indicate the name, surname and email address with which you want to proceed with the request
- You mentioned that you received an email from us - as a further means to verify the request, could you please forward us the email that you are referring to?

Step 3: Verify the scope

Once you know the person is indeed who they say they are, the next step is to understand who the individual is in relation to your company and what data they are looking for.

You are not allowed to ask them to narrow the scope of their request, as any individual is allowed to ask for “all of their data”, but it is ok to ask them to provide additional details that will help you to locate the data they are seeking.

E.g. dates when they might have engaged with your business, names of the staff they have engaged with, if they have been to any of your events, liked any of your posts, replied to any of your previous emails.

These questions don't extend the 28-day deadline for replying to the request, so if they don't answer, or you are running out of time, you will still have to comply with the request by making reasonable searches for the information it covers.

To help you with this process it might be useful to think about:

  • What type of individual are they, as described in your privacy policy? E.g. are they a customer? A visitor to your premises? A former temporary member of staff? It's okay to ask them if you are not sure.
  • If they mention a third party or one of your partners or suppliers, it might be a good idea to reach out to that party and ask where they got the data. Did they get it from you? If so, from where?
  • If they mention any of your employees, it might also be a good idea to ask those employees about the engagement.

Once you have identified what type of individual they are you can go through your data inventory in your Privasee platform to identify the assets or third parties where you might be storing their data and what it’s used for.

Step 4: Gather information

The next step is to go through the assets where you have identified that you hold data and collect the information you hold about them.

E.g. you might have their email address, name and a list of events they have attended in your CRM. If they are one of your customers you might have some payment information in your accounting software…

Depending on their request they might be asking for confirmation/explanation of the types of data you hold about them, how you collected that information and what it’s used for; or they might be asking for an actual copy of their information.

💡 When providing a copy of their information, especially free-text formats like emails or documents, it is important to redact anything that could identify another individual, so that you do not disclose someone else's personal data.

Are there any exceptions to a DSAR?

A company can restrict access to data subject rights, including DSARs, where it is necessary to safeguard:
  • Crime and taxation
  • Crime and taxation risk assessments
  • Information required to be disclosed by law or in connection with legal proceedings
  • Legal professional privilege
  • Self-incrimination
  • Disclosure prohibited or restricted by an enactment
  • Immigration
  • Functions designed to protect the public
  • Audit functions
  • Bank of England functions
  • Regulatory functions relating to legal services, the health service and children’s services
  • Other regulatory functions
  • Parliamentary privilege
  • Judicial appointments, independence and proceedings
  • Crown honours, dignities and appointments
  • Journalism, academia, art and literature
  • Research and statistics
  • Archiving in the public interest
  • Health data
  • Social work data
  • Education data
  • Child abuse data
  • Corporate finance
  • Management forecasts
  • Negotiations
  • Confidential references
  • Exam scripts and exam marks

Can I ever reject a DSAR?

You can refuse to comply with a manifestly unfounded or excessive request. The decision should be made on a case-by-case basis and your rationale should be clearly documented in case it needs to be demonstrated to the ICO or the courts.

Examples given by the ICO of requests which may be manifestly unfounded are:
  • The individual clearly has no intention to exercise their right of access. For example an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation
  • The individual has explicitly stated, in the request itself or in other communications, that they intend to cause disruption
  • The request makes unsubstantiated accusations against you or specific employees
  • The individual is targeting a particular employee against whom they have some personal grudge
  • The individual systematically sends different requests to you as part of a campaign, e.g. once a week, with the intention of causing disruption

Step 5: Disclose data in a secure format

It is good practice to include a covering letter or accompanying explanatory material as part of your DSAR response. It must not be forgotten that the right of access does not just cover the provision of information, it also contains confirmation of the details and nature of processing, which can be included in your covering letter.

It’s not possible to provide a template to cover all circumstances but here is an indicator of what your covering template should look like:

Dear

We are processing your Data Subject Access Request - we're currently in Step 5. Your request has been considered in line with the Data Protection Act 2018 and the General Data Protection Regulation, and the personal data you are entitled to has been included with this letter. In addition to providing your personal data, I can confirm that [Company] processes your personal data; more details on the purposes and scope of this processing can be found in our Privacy Notice [PROVIDE LINK OR COPY OF PRIVACY NOTICE].

Information relating to 3rd parties: Under the right of access, Data Subjects are only entitled to their own personal data and not necessarily to data relating to any 3rd parties.

In providing this information we have had to consider your right of access and balance it against the rights of other individuals, such as their own data protection or privacy rights.

Information provided in confidence: There will often be occasions where information is provided in confidence to the company, and releasing it would undermine that duty of confidence, potentially resulting in legal consequences for the company. Furthermore, it is important that such confidences are respected and that individuals can share matters with the company in confidence without fear that their confidence will be breached. Please rest assured that what we can share in respect of these instances has been shared or anonymised appropriately.

I hope that you find the enclosed information useful. [COMPANY] now considers your request fulfilled and the matter closed. Should you feel this is not the case, in the first instance please let me know. If you remain dissatisfied following this, please note that you have the right to raise the issue with the Information Commissioner's Office (ICO), who can be contacted by the following methods - <https://ico.org.uk/global/contact-us/>. You may also wish to seek to enforce your rights through the Courts. If your concerns relate to procedural matters rather than the provision of information, may I politely suggest that such matters are taken up with the relevant departments or via our complaints process.

Along with the covering letter you can attach a file containing all the personal data about the individual. This can be an Excel spreadsheet or similar, a JSON file, or a PDF of documents, emails or other files, redacted where necessary.
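As an added illustration of the logging, redaction and export steps above (example code written for this article, not Privasee's own tooling), the script below tracks the 28-day deadline from identity verification, masks other people's names and email addresses in free-text records before disclosure, and emits the JSON attachment. All names, addresses and records in it are constructed, and the list of other individuals' names is assumed to come from your CRM or staff list.

```python
"""Added example (not from the article): build a DSAR disclosure bundle.

Assumes a simple in-memory DSAR log (the article suggests a spreadsheet) and
that free-text items must have other people's identifiers masked before they
are disclosed.  All names, addresses and records below are constructed."""
import json
import re
from datetime import date, timedelta

RESPONSE_DAYS = 28  # the article's target: 28 days from identity verification

# Constructed sample data: the data subject and records gathered in Step 4.
SUBJECT = {"name": "Carey Example", "email": "carey@example.org"}
RECORDS = [
    {"source": "CRM", "field": "events_attended", "value": "Privacy Webinar 2023"},
    {"source": "Mailbox", "field": "email_body",
     "value": "Hi Carey, Sam Jones (sam.jones@example.org) will join your call with Jo."},
    {"source": "CRM", "field": "note", "value": "Booking confirmation sent to carey@example.org"},
]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def response_deadline(verified_on):
    """Deadline counts from identity verification (ISO date string in, ISO out)."""
    return (date.fromisoformat(verified_on) + timedelta(days=RESPONSE_DAYS)).isoformat()

def redact_third_parties(text, subject, other_people):
    """Mask every e-mail address and listed name that is not the data subject's."""
    def mask_email(match):
        addr = match.group(0)
        return addr if addr.lower() == subject["email"].lower() else "[REDACTED EMAIL]"
    text = EMAIL_RE.sub(mask_email, text)
    for name in other_people:  # whole-word match so "Jo" does not hit "join"
        text = re.sub(r"\b" + re.escape(name) + r"\b", "[REDACTED NAME]", text)
    return text

def build_bundle(subject, records, other_people, verified_on):
    """Return the JSON-ready package: subject, Step 5 deadline, redacted records."""
    disclosed = [dict(r, value=redact_third_parties(r["value"], subject, other_people))
                 for r in records]
    return {"data_subject": subject,
            "response_deadline": response_deadline(verified_on),
            "records": disclosed}

if __name__ == "__main__":
    # Names of other individuals would come from your staff list / CRM; constructed here.
    bundle = build_bundle(SUBJECT, RECORDS, ["Sam Jones", "Jo"], "2023-03-20")
    print(json.dumps(bundle, indent=2))
```

Pattern-based redaction only catches what you tell it about, so the output still needs a human review before it goes out with the covering letter.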

Alex Franch is the co-founder and CEO of Privasee. With a background in computer science and cybersecurity, it is no surprise that he is a highly analytical problem solver, now putting these skills to use in the data privacy space. Alex is passionate about GDPR and productivity, and spends a lot of time doing sports as he values the importance of a work-life balance. He is excited to help businesses generate documentation and become and remain GDPR compliant through the Privasee platform.
