What is a DSAR?

by Liz Appleyard

10 July 2025


A Data Subject Access Request (DSAR) is a formal request made by an individual (the “data subject”) to obtain access to the personal data that an organisation holds about them. This is a fundamental right granted under UK data protection laws. DSARs allow individuals to understand how their personal information is being used, processed, and stored by companies, employers, or any data controller (the company/person holding the data).

 

DSARs play a crucial role in ensuring transparency and accountability in data processing. They enable individuals to exercise control over their personal information and can be especially important in employment disputes, consumer rights cases, or when individuals wish to understand how their data is being used. Failure to properly handle DSARs can lead to complaints to the Information Commissioner’s Office (ICO) and potential legal consequences.

 

Who Can Make a DSAR?

Any individual whose personal data is being processed can submit a DSAR. In some cases, authorised representatives such as solicitors, family members, or parents and guardians may submit a DSAR on behalf of the data subject, provided they have the necessary permission or authority.

 

What Information Can Be Requested?

A DSAR does not require any specific form or wording. Requests can be submitted verbally, in writing, via email, or even through social media. The key requirement is that the individual clearly expresses their intention to access their personal data.

When submitting a DSAR, individuals can ask for:

  • Confirmation that their personal data is being processed.
  • Access to the actual personal data held.
  • Details about the purpose and legal basis for processing the data.
  • The categories of personal data involved.
  • Information about any third parties with whom the data has been shared.
  • The source of the data if it was not collected directly from the individual.
  • Data retention periods.
  • Information on whether any automated decision-making or profiling has been applied.

 

Organisations' Responsibilities

Organisations are legally required to respond to a DSAR within one calendar month of receiving the request. If the request is complex or involves multiple requests from the same individual, this period can be extended by up to two additional months by notice to the individual. In most cases, organisations must provide the information free of charge. However, if a request is considered unfounded, excessive, or repetitive, the organisation can charge a reasonable fee to cover administrative costs or even refuse to respond.

Organisations must take reasonable steps to verify the identity of the data subject before releasing any personal data. They should respond clearly and comprehensively. It is also best practice for organisations to keep detailed records of all DSARs received and how they were managed to demonstrate compliance.

 

What are the Limitations and Exemptions?

While individuals have broad rights to access their data, they are not always entitled to everything held on file. Information that must not be disclosed includes:

  • Data relating to another individual (unless consent is provided or it is reasonable to disclose).
  • Information that would prejudice ongoing legal investigations or proceedings.
  • Data protected by legal privilege.
  • Certain confidential information, such as trade secrets or intellectual property.

 

Information that is excluded from the disclosure requirement must be redacted (i.e. removed) before releasing records.

 

Conclusion

DSARs are a powerful right under UK data protection laws, enabling individuals to see what information organisations hold about them and how it is processed. Organisations should be prepared to handle DSARs promptly and carefully to maintain compliance and foster trust with their data subjects.
