It’s now over two years to the month since the biggest change in data protection law for a generation.
A great deal changed when the General Data Protection Regulation (GDPR) came into force, with many headlines written about the maximum fines (the greater of €20 million and 4% of turnover) which could be levied by data protection authorities (such as the UK’s Information Commissioner’s Office (ICO)) for failure to prevent data breaches.
However, many of the changes were an evolution rather than a revolution of the old regime. One such example is the amendments which were made to the data subject access request (DSAR) regime.
Those people whose personal data students’ unions process, known as data subjects, have long had a right to request a copy of the information that is held about them by their SU. This will include employees, officers, student members and others with whom the SU interacts.
However, the GDPR increased data subjects’ awareness of their rights under data protection law and made some tweaks to the DSAR regime which has resulted in increases in the number of DSARs submitted against organisations.
In light of this, and also given DSARs are notoriously time and resource consuming to manage, below we’ve set out a quick-fire Q&A to help SUs identify DSARs and some key pointers on how they might be managed.
What is a DSAR
A DSAR is a request made by an individual to access the personal data an organisation, such as an SU, holds on them.
The request doesn’t have to be identified as a DSAR and it doesn’t even have to be in writing. DSARs are effective when sent to any member of an organisation, so it’s important that everyone in the SU knows that data subjects have this right and who to contact if they think they’ve received a DSAR.
One key step to be taken is to ensure the DSAR is coming from the data subject (or their authorised representative). What identity checks are carried out will be depend on the individual circumstance, but SUs should err on the side of caution to avoid any potential breach of data to a malicious third party.
Can we charge a fee for carrying out the DSAR?
Most requests must be dealt with without charging a fee. Under the new regime, a fee can only be charged in exceptional circumstances (e.g. where a request is particularly excessive). This is a change from the old regime, which permitted a small fee to be charged.
Should we do anything else before searching for the information requested by the data subject?
SUs should examine the request and seek to agree parameters for any search of its records with the data subject.
For example, a data subject requesting “all correspondence relating to me” might be looking for correspondence around the time of a specific event, so the search parameters could be set to search 3 months either side of the event. This minimises the amount of data which needs to be searched through, whilst also making the exercise helpful to the data subject.
Where do we need to search?
A DSAR covers all data held by the organisation. So, if the SU has paper records, these will need to be searched alongside electronic filings. A plan should be put in place in anticipation of a DSAR to identify where personal data is held and how it can be accessed and searched effectively.
Should I share all the information I find with the data subject?
No. Information about others will undoubtedly be held alongside information about the data subject. This should only be shared if the third party concerned has consented or otherwise if it is reasonable to do so.
Often, this means that details about third parties should be redacted or anonymised before the document containing their personal data is shared.
How quickly do we need to respond to the data subject?
Most of the time, the SU will have one month from receipt of the DSAR (or, if relevant, any ID requested) to respond to the request, irrespective of whether the SU is open for business.
This is particularly important during the current Covid-19 climate (though the ICO have noted they will be understanding if timescales are not met precisely in the current outbreak), but also through the summer and at other times when staffing may be reduced.
SUs can extend the timescale for responding to the DSAR by an additional 2 months where the request is complex (e.g. there is lots of information to search through) or multiple requests have been sent by the data subject. Notification of this extended timescale should be given within a month of the original request and reasons must be given for the extension.
Do we just send on the personal data we have identified as being disclosable?
Additional information should be provided to the data subject alongside copies of the personal data to be shared as part of the request. This information explains to the data subject how their personal data is held and used by the SU (though much of this information should be able to be provided by sending a copy of the SU’s privacy notice).
Where can I find more information about dealing with DSARs?
The ICO has produced detailed guidance to assist organisations in responding to a DSAR, which can be found here.
We also have a dedicated data protection team at Wrigleys, who would be happy to help should you require any assistance.