Someone has gotten in touch and requested access to their data, either through your DSAR form on your Privacy Portal or any other channel.
What steps do you need to follow now?
💡 LOGGING: It is recommended that you maintain a record of all requests received, the date of receipt, and the employees responsible for each task associated with completing the request.
A DSAR log does not have to be overly complicated; a spreadsheet would suffice. It is important, however, that everyone knows where the log is stored, who DSARs should be forwarded to, and who is responsible for collating, redacting and responding.
Step 1: Acknowledge Receipt
Step 1 is to reply to the email to acknowledge that we've received the request.
Hi Carey,
Thank you for your request - this message is just to confirm that we have properly received your request. We have identified this request as a Data Subject Access Request and it is our obligation under the GDPR and the Data Protection Act 2018 to comply with it.
In the interests of transparency, we'd like to inform you how we proceed with these requests so that you know which stage we're at.
1. Verify your identity - we need to make sure that you are the person whose data you are requesting
2. Understanding the scope of your request
3. Gathering the personal data
4. Disclose that data to you (where we can do so lawfully)
5. Answer any other concerns you may have
We aim to resolve these requests within 28 days from when we verify your identity.
Note: If you did not create this request - please let us know.
Step 2: Verify Identity
Hi,
We are processing your Data Subject Access Request - we're currently in Step 1.
For this step we need to verify your identity:
- We need to ask if you could please {appropriate way of identifying person}
Apologies if the steps above are inconvenient, but we're committed to protecting the data of the individuals that trust us with it. Before we give out information we must ensure that we are giving it to the right person; this is another step to protect data.
Examples of how to verify the identity of a person who: (swap for "appropriate way of identifying a person" above)
Booked a meeting with you:
- Reply to this email confirming that you acknowledge that you created a request on the "Date" at "Time"
- Indicate your name and surname and email address with which you want to proceed with the request
- You mentioned that you registered a meeting with us - as a further means to verify the request - could you please give me details on the date, time and the method by which you booked such a meeting?
Was contacted by one of your sales/marketing emails:
- Reply to this email confirming that you acknowledge that you created a request on the "Date" at "Time"
- Indicate your name and surname and email address with which you want to proceed with the request
- You mentioned that you received an email from us - as a further means to verify the request - could you please forward us the email that you are referring to?
Step 3: Verify the scope
Once you know the person is indeed who they say they are, the next step is to understand who the individual is in relation to your company and what data they are looking for.
You are not allowed to ask them to narrow the scope of their request, as any individual is allowed to ask for "all of their data", but it is ok to ask them to provide additional details that will help you to locate the data they are seeking.
E.g. dates when they might have engaged with your business, names of the staff they have engaged with, if they have been to any of your events, liked any of your posts, replied to any of your previous emails.
These questions don't prolong the 28 day deadline to reply to the request, so if they don't answer or you are running out of time you will have to comply with the request by making reasonable searches for the information covered by the request.
To help you with this process it might be useful to think:
What type of individual are they as described in my privacy policy?
E.g. are they a customer? A visitor to your premises? A former temporary member of staff? It's okay to ask them if you are not sure.
If they mention a third party or one of your partners or suppliers, it might be a good idea to reach out to that party and ask where they got the data. Did they get it from you? If so, from where?
If they mention any of your employees, it might also be a good idea to ask those employees about the engagement.
Once you have identified what type of individual they are you can go through your data inventory in your Privasee platform to identify the assets or third parties where you might be storing their data and what it's used for.
Step 4: Gather information
This step is to go through the assets where you have identified you hold data and collect the information you hold about them.
E.g. you might have their email address, name and a list of events they have attended in your CRM. If they are one of your customers you might have some payment information in your Accounting Software…
Depending on their request they might be asking for confirmation/explanation of the types of data you hold about them, how you collected that information and what it's used for; or they might be asking for an actual copy of their information.
💡 When providing a copy of their information, especially when dealing with free-text formats like emails or documents, it's important to redact any information that could allow another individual to be identified, so that you do not share someone else's personal information.
Are there any exceptions to a DSAR?
A company can restrict access to data subject rights including DSARs whereby it is necessary to safeguard:
Crime and taxation
Crime and taxation risk assessments
Information required to be disclosed by law or in connection with legal proceedings
Legal professional privilege
Self-incrimination
Disclosure prohibited or restricted by an enactment
Immigration
Functions designed to protect the public
Audit functions
Bank of England functions
Regulatory functions relating to legal services, the health service and children's services
Other regulatory functions
Parliamentary privilege
Judicial appointments, independence and proceedings
Crown honours, dignities and appointments
Journalism, academia, art and literature
Research and statistics
Archiving in the public interest
Health data
Social work data
Education data
Child abuse data
Corporate finance
Management forecasts
Negotiations
Confidential references
Exam scripts and exam marks
Can I ever reject a DSAR?
You can refuse to comply with a manifestly unfounded or excessive request. The decision should be made on a case-by-case basis and your rationale for it should be clearly documented in case this needs to be demonstrated to the ICO or the courts.
Examples of requests given by the ICO which may be manifestly unfounded are:
The individual clearly has no intention to exercise their right of access. For example an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation
The individual has explicitly stated, in the request itself or in other communications, that they intend to cause disruption
The request makes unsubstantiated accusations against you or specific employees
The individual is targeting a particular employee against whom they have some personal grudge
The individual systematically sends different requests to you as part of a campaign, e.g. once a week, with the intention of causing disruption
Step 5: Disclose data in a secure format
It is good practice to include a covering letter or accompanying explanatory material as part of your DSAR response. It must not be forgotten that the right of access does not just cover the provision of information, it also contains confirmation of the details and nature of processing, which can be included in your covering letter.
It's not possible to provide a template to cover all circumstances, but here is an indication of what your covering template should look like:
Dear
We are processing your Data Subject Access Request - we're currently in Step 5.
Your request has been considered in line with the Data Protection Act 2018 and the General Data Protection Regulation, and the personal data you are entitled to has been included with this letter. In addition to the provision of your personal data, I can confirm that [Company] processes your personal data; more details surrounding the purposes and scope of this processing can be found within our Privacy Notice [PROVIDE LINK OR COPY OF PRIVACY NOTICE].
Information relating to 3rd parties: Under the right of access, Data Subjects are only entitled to their own personal data and not necessarily that relating to any 3rd parties.
As part of providing information we have had to consider your right of access and balance it against the rights of other individuals, such as their own data protection or privacy rights.
Information provided in confidence: There will often be occasions whereby information is provided in confidence to the company and release of such would undermine that duty of confidence potentially resulting in legal consequences for the company. Furthermore, it is important that such confidences are respected and that individuals can share matters with the company in confidence without fear that their confidence will be breached. Please rest assured that what we can share in respect of these instances will have been shared or anonymised appropriately.
I hope that you find the enclosed information useful. [COMPANY] now considers your request fulfilled and the matter to be closed. Should you feel this is not the case, in the first instance please let me know. If you remain dissatisfied following this, please note that you have the right to raise the issue with the Information Commissioner's Office (ICO), who can be contacted by the following methods - <https://ico.org.uk/global/contact-us/>. You may also wish to seek to enforce your rights through the Courts.
If your concerns relate to procedural matters rather than the provision of information, please can I politely suggest that such matters are taken up with the relevant departments or via our complaints processes.
Along with the covering letter you can attach a file with all the personal data about the individual. This can be an Excel spreadsheet or similar, a JSON file, or a PDF containing documents, emails or other, potentially redacted, files.
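The redaction step from Step 4 and the JSON attachment mentioned above are the two parts of the response that are easiest to get wrong by hand, so here is an added Python example of how a small disclosure bundle can be assembled. It is not part of the original guide or of any Privasee tooling: the requester, the other individuals' names, the CRM and mailbox records and the privacy notice URL are all constructed sample data, and the redaction rules (a list of known other people plus an e-mail-address pattern) are an assumption about the minimum a redaction pass needs.

```python
"""Assemble a DSAR disclosure bundle: redact third-party personal data
from free-text records and export the result as JSON.

Added example, not code from the original guide. All names, addresses
and records below are constructed sample data."""
import json
import re
from datetime import date

# Constructed: the verified requester (the data subject).
REQUESTER = {"name": "Carey Example", "email": "carey@example.com"}

# Constructed: other individuals whose names may appear in free text
# (staff, other contacts). Their data is not the requester's to receive.
OTHER_PEOPLE = ["Sam Staffer", "Jordan Contact"]

# Constructed: what a search of the CRM and a mailbox might return.
RECORDS = [
    {"asset": "CRM", "field": "email", "value": "carey@example.com"},
    {"asset": "CRM", "field": "events_attended", "value": ["Spring Webinar"]},
    {"asset": "Mailbox", "field": "email_body", "free_text": True,
     "value": ("Hi Carey (carey@example.com), Sam Staffer will call you. "
               "Jordan Contact (jordan@partner.example) asked about your "
               "booking. Regards, sam.staffer@ourcompany.example")},
]

SAMPLE_DATE = date(2024, 1, 2)  # fixed date so output is reproducible

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def redact_free_text(text, requester, other_people):
    """Mask personal data of anyone other than the requester.

    E-mail addresses other than the requester's become [REDACTED EMAIL];
    names on the known-people list become [REDACTED NAME]. Returns the
    redacted text and the number of redactions so the DSAR log can
    record that redaction took place."""
    count = 0

    def mask_email(match):
        nonlocal count
        if match.group(0).lower() == requester["email"].lower():
            return match.group(0)  # the requester's own data stays
        count += 1
        return "[REDACTED EMAIL]"

    out = EMAIL_RE.sub(mask_email, text)
    for name in other_people:
        out, n = re.subn(re.escape(name), "[REDACTED NAME]", out,
                         flags=re.IGNORECASE)
        count += n
    return out, count


def build_bundle(requester, records, other_people, privacy_notice_url,
                 prepared_on):
    """Build the disclosure package: confirmation of processing, a
    reference to the privacy notice for purposes and scope, and the
    (redacted) copy of the personal data. Structured fields are passed
    through untouched; only free-text items go through redaction."""
    disclosed, total = [], 0
    for rec in records:
        item = {"asset": rec["asset"], "field": rec["field"]}
        if rec.get("free_text"):
            item["value"], n = redact_free_text(rec["value"], requester,
                                                other_people)
            item["redactions"] = n
            total += n
        else:
            item["value"] = rec["value"]
        disclosed.append(item)
    return {
        "data_subject": requester["email"],
        "confirmation_of_processing": True,
        "privacy_notice": privacy_notice_url,
        "prepared_on": prepared_on.isoformat(),
        "third_party_redactions": total,
        "personal_data": disclosed,
    }


def to_json(bundle):
    """Serialise the bundle for attachment to the covering letter."""
    return json.dumps(bundle, indent=2, ensure_ascii=False)


if __name__ == "__main__":
    bundle = build_bundle(REQUESTER, RECORDS, OTHER_PEOPLE,
                          "https://example.com/privacy", SAMPLE_DATE)
    print(to_json(bundle))
```

The known-people list only catches names you already know about, and the e-mail pattern only catches addresses, so a pass like this reduces the volume of manual work rather than replacing the human review that free-text emails and documents still need before they go out. Recording the redaction count alongside the request in the DSAR log gives you the evidence that third-party data was considered if the response is later questioned.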