Data Subject Access Requests

Introduction

In line with the General Data Protection Regulation, these guidelines have been written to assist all staff with a responsibility for dealing with requests for personal data from a Data Subject (an individual). The request is known as a Data Subject Access Request (DSAR).

The aim of this guidance is to ensure that the Council reacts appropriately to any DSAR received from 25 May 2018 onwards. The guidelines are to be followed by all Councillors, officers, contractors and agents of the Councils who use Council facilities and equipment, or have access to, or custody of, personal data collected by the Councils.

Description

Data Subjects have the ‘Right to Access,’ which means individuals are entitled to have access to the information we hold about them. They will also have extended rights in relation to their personal data, which include:

  • Request for rectification of incorrect data
  • Right to be informed of what data is being processed
  • Request for erasure of data (not an absolute right)
  • Right to object to the processing of personal data
  • Right to request a restriction of processing
  • Right to data portability
  • Request related to rights to automated decision making and processing

Process for recognising a DSAR

An individual can make a Data Subject Access Request verbally or in writing (via letter, DSAR application form, email, fax or social media) for their information, which they are entitled to ask for under Articles 12-15 of the General Data Protection Regulation 2018. The request does not have to be in any particular form, nor does it have to include the words ‘subject access’ or make any reference to the General Data Protection Regulation 2018. A request may be a valid subject access request even if it refers to other legislation, such as the Freedom of Information Act.

The key changes affecting the Subject Access procedure require compliance with the following when disclosing information/data to the data subject:

  • Disclosure of information/data within 1 calendar month
  • No longer being able to charge data subjects who are requesting their information

Data Subjects also have increased rights including:

  • To be informed whether their personal data is processed, held or stored by us;
  • A description of the data held;
  • The purposes for which it is processed and to whom the data may be disclosed;
  • A copy of the information constituting the data;
  • Information as to the source of the data.

Note: Individuals are not entitled to information relating to other people (unless they are acting on behalf of that person). Neither are they entitled to information simply because they may be interested in it. GDPR clarifies that the reason for allowing individuals access to their personal data is so that they are aware of and can verify the lawfulness of the processing. DSARs provide the right to see the information contained in personal data, rather than a right to see the documents that include the information.

Process for responding to a DSAR

DSARs need to be passed to the Data Protection Officer immediately, as the Council now only has one calendar month to respond. In rare circumstances this period may be extended to two months (taking into account the complexity of the request).

If an individual asks for a large amount of information, GDPR permits you to ask the individual to specify the information it relates to.  GDPR does not introduce an exemption for requests that relate to large amounts of data but you may be able to consider whether the request is manifestly unfounded or excessive.

Importantly, there are some legal considerations when handling a DSAR, for example:

  • What constitutes the “personal data” of the data subject?
  • Does the information contain personal information that identifies another individual and as such affect their rights?
  • Are there any exemptions which would entitle you to withhold disclosure? For example: legal privilege, confidential references, criminal activity, data relating to negotiations, etc.

The GDPR requires that the information you provide to an individual is in a concise, transparent, intelligible and easily accessible form, using clear and plain language. At its most basic, this means that the additional information you provide in response to a request should be capable of being understood by the average person.

Steps in responding

If the DSAR is received directly by your department, pass the request to the DPO as soon as possible (if the DSAR is not in writing, please include the requester’s name, contact details and any details of the request gathered).

  • The DPO will request identification and any further required information from the requester
  • When identification is provided, the one calendar month timescale begins
  • The DPO will log and send the request out to Service Leads
  • Service Leads to prepare the data for the response, redacting any sensitive or personal information
  • Service Leads to return requester’s data to the DPO
  • The DPO to collate the DSAR response and send it out to the requester
  • The DPO will keep a full log of requests and responses

Risks

DSARs are easy to request, but can be problematic and time-consuming to deal with. A failure to process a DSAR properly could result in a complaint to the Information Commissioner's Office (ICO) and a compensation claim.

The Council recognises that there are risks associated with the processing of a DSAR. By following these guidelines, DSARs should be identified and responded to quickly and accurately. Non-compliance could result in significant detrimental effects on individuals and the Council being heavily fined and/or its reputation being damaged. Risks include, but are not restricted to, the following:

  • Not validating the request
  • No third-party data consent
  • Information not redacted