
How do I handle a Data Subject Access Request (DSAR)?


Under UK GDPR, an individual can make a subject access request using any available method, including:

  • Verbally in person;
  • Over the phone;
  • In a written letter;
  • Via your website;
  • Via email; or
  • Via social media.

There is no formal way to make a request, so the individual doesn’t necessarily have to use the terms “subject access request,” “DSAR,” or “Article 15,” as long as it is clear that they are requesting their personal data. Furthermore, requests can be made to anyone within your organisation. That means that if someone verbally asks one of your frontline staff in person, this request is just as valid as a formal letter, email, or completed form.

What information can an employee request?

Article 15 of UK GDPR covers the “right of access by the data subject.” It states: The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning the data subject is processed and, where that is the case, access to the personal data as well as the following information:

  • The purposes of processing;
  • The categories of personal data concerned;
  • The recipients or categories of recipients to whom the data has been (or will be) disclosed, particularly recipients in third countries or international organisations; and
  • Where possible, the envisaged period the controller will store the data, or, if not possible, the criteria used to determine that period.

Responding to a DSAR

According to the UK data protection regulator, the Information Commissioner’s Office (ICO), the information you provide to an individual must be in a “transparent, intelligible and easily accessible form, using clear and plain language.” For example, if your business uses particular codes for different data categories, you must provide a clear, legible explanation of what these codes mean. If the request is received electronically, Article 15 states, “unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.” Meanwhile, Recital 63 of the UK GDPR recommends a best practice solution of creating remote access to a secure system where individuals can directly access the data you hold about them. However, remember that you shouldn’t do this if doing so could jeopardise the freedom of others, including trade secrets and intellectual property.

You have no more than one month to respond, starting from the day after the request is received, regardless of whether that is a working day. In other words, if you receive a request on 1st July, the clock starts ticking on 2nd July, and you have until 2nd August to comply with that request. It is possible to extend the time to reply by two months if the actual request is unduly complex or if the individual has made several requests. If you wish to extend the response period, you must tell the individual within one month of receipt of the request and provide reasons why.

Can I Ever Refuse a Request?

The only instance when you would be able to refuse a DSAR is if the request is deemed “manifestly unfounded or excessive,” such as if a request is highly repetitive. However, it’s worth noting that despite Article 57 of the UK GDPR requiring you to demonstrate the “manifestly unfounded or excessive” nature of the request, there are no clearly defined parameters for this threshold, making demonstrating it particularly challenging.

New Guidance

In May 2023, the ICO published new guidance to assist employers in responding to DSARs from current and former employees. DSARs have become the primary tool for employees attempting to gain leverage against employers during a dispute or grievance process. They can be extremely time-consuming and resource-intensive for employers to deal with, and it is a difficult balance to strike between upholding employees’ right of access under the UK GDPR and applying exemptions from disclosure in an appropriate way.

With more individuals becoming aware of their rights concerning the data you hold about them, your business can fully expect to see an increase in the number of requests made over the coming months.

If you have any concerns or questions about GDPR, data subject access requests or the new guidance, contact our Employment Team by emailing employment@warnegoodman.co.uk or calling 023 8071 7717.