Data Subject Access Requests - When can I withhold information?
What is a data subject access request (DSAR)?
DSARs are also commonly called subject access requests or SARs. A DSAR is a request made by an individual to an organisation for any data held on them. Under the European Union’s (EU) General Data Protection Regulation (GDPR), individuals, who are referred to as ‘data subjects’, have 8 key rights which empower them to have control over their personal data and how it is used by an organisation. Having access to their personal data - the right of access - is one of those key rights.
A DSAR does not have to be made in writing via letter or email; it can also be made verbally or over social media, for example through an organisation’s business Twitter account or Instagram. It also does not need to be directed at any particular person, e.g., the Data Protection Officer, for it to be valid. A third party, such as a parent, guardian or legal representative, can also make a DSAR on behalf of an individual, though you should ask for evidence that the individual has given their consent.
Examples of a DSAR include:
I want a copy of all of my emails and Slack messages
send me a copy of all of the data you hold on me
I want to see everything on my HR file
I’d like a copy of my telephone recordings.
The key thing is that it doesn’t matter how the request is made; it will still be a DSAR.
How long does my organisation have to fulfil the DSAR?
Once a DSAR is made, the organisation must action it and has one month to do so. However, if there is a lot of data or you have received several requests for different types of data, you can take a further 2 months to fulfil the request, i.e., a maximum of 3 months. You must inform the individual as soon as possible that you won’t be able to fulfil their request within a month. When you provide the data, it must be sent securely and be accessible to them, i.e., clear and easy for them to read. Remember that certain sections of the population, such as those who are elderly or have a sight impairment, may find it difficult to access their information, so you must be prepared to send them their information in a way that is easy for them to access.
Can I withhold any information?
Yes, you can refuse to comply with a DSAR under the following 3 circumstances, if you decide that:
an exemption applies
it is unfounded
it is manifestly excessive.
Exemptions include:
legal privilege - protects certain communications from disclosure without permission
public interest - information may be withheld by a public body if it is in the ‘public interest’
safeguarding the data of other individuals - if disclosing the data would reveal information about another individual
the prevention of crime - for crime and tax related purposes
How can a DSAR be ‘unfounded’?
There are several ways you may decide that a request is unfounded: for example, you decide that the DSAR has been made to harass an employee within your organisation, that the individual is making a request every week over several weeks to cause maximum disruption, or that the request has been made maliciously. Unfortunately there isn’t a simple tick-box you can use to decide this; it depends on the individual facts.
I’m confused, can you help?
Yes, we can! If you’d like any help with a particular DSAR your organisation has received, or would like a DSAR process put in place, let us know and we’d be delighted to help.