Data Subject Access Requests, or ‘DSARs’, have become an increasingly common phrase in the employment sector.
Although not a new concept, following the introduction of the GDPR into UK law, Data Subject Access Requests, or ‘DSARs’, have become an increasingly common phrase in the employment sector.
Whilst they are free for an employee to bring, the cost of management time to a business can be high. Our team offer a flexible retainer for businesses of all sizes which handles DSARs for you.
Whether you receive one a year or one a month, we will provide a cost-efficient service that minimises administrative stress and ensures total compliance with the law.
Contact our HR Consultants today
To find out how Ashtons HR Consulting can support you and your business with Data Subject Access Requests (DSAR), please do not hesitate to contact our experts in Bury St Edmunds, Cambridge, Ipswich, Norwich and Leeds.
You can also contact our specialist team by filling out our online enquiry form or by calling 0333 222 0989.
Click here to visit the Ashtons Legal website for information about their Employment Law services.
Frequently Asked Questions About Subject Data Access Requests
What is a Data Subject Access Request?
Under UK data protection law, people have the right to request a copy of any personal data held about them by an organisation. This is done through a Data Subject Access Request (DSAR), also sometimes called a ‘Subject Access Request’ or ‘SAR’.
Organisations are legally obliged to comply with DSARs, but there are limits to what data can be requested, and there can sometimes be grounds to refuse a request.
Data Subject Access Requests are covered by Article 15 of the GDPR, as enacted in the UK by the Data Protection Act 2018. The Information Commissioner’s Office (ICO) can penalise an organisation for failing to respond to a DSAR.
Why would someone request a DSAR?
There are various reasons why someone might request data subject access, including simply because they wish to know what information you have about them. They may wish to verify if the information is accurate, or they could be considering actions such as making a complaint and needing the information for this purpose.
The subject does not have to give a reason when requesting a copy of the data you hold about them, but they may do so if they wish, as this can help to clarify which information is relevant. If they have given a reason, you should take this into account when deciding which information to provide.
What is the difference between a DSAR and an SAR?
There is no difference between a DSAR and an SAR – they are both terms used for the process of a person requesting a copy of the information an organisation has about them.
Can you refuse to respond to a DSAR?
An organisation cannot refuse to respond to a DSAR, but this does not mean they must provide all of the requested information. For example, if the request is manifestly unfounded, malicious or excessive, the organisation may be able to refuse to provide the requested information or only provide such information as is reasonably necessary.
Under the guidelines provided by the Information Commissioner’s Office, an organisation should usually provide the information requested in a DSAR within one month of receiving the request.
However, if there is a legitimate reason why more time is needed, this time limit can be extended by up to two months. If you do wish to extend the DSAR response time, it is sensible to seek legal advice first to ensure you remain compliant with data protection rules.
What is the time limit for a Subject Access Request response?
As covered above, when you receive a DSAR, you usually have one month to respond with the requested information. However, you may be able to extend this time limit by two months if this is reasonably necessary to provide the requested information. The subject should always be informed if an extended time frame is required.
On what grounds can a DSAR be refused?
There are a number of reasons you can potentially refuse a DSAR, including:
- The information requested is outside of the scope of DSAR rules
- The subject has requested this information before in the recent past
- The request is believed to be malicious in nature
If you intend to refuse a Subject Access Request, your response must be carefully considered. Seeking expert legal advice is a good idea, as this can help you ensure your refusal is in accordance with UK data protection law and the ICO guidelines.
Can a DSAR be verbal?
A Subject Access Request can be verbal or in writing. It does not need to be a formal letter or email – even a message on social media could be considered a valid SAR. Recognising whether a valid request has been made should be part of your organisation’s DSAR process, so you should consider this as part of your data handling policies.
Any Subject Access Request you receive should be recorded when it is received, including the date of the request and the method used by the subject. This helps provide evidence that you have complied with the DSAR rules if this is questioned.
How much does a DSAR request cost?
Generally, organisations cannot charge a fee for responding to a Subject Access Request. That said, it may be possible to charge a reasonable administration fee if the request is excessive or unfounded. A fee can also potentially be charged if the subject requests the same data more than once.
Contact our DSAR Experts Today
For expert support with Data Subject Access Requests, please contact our specialists in Bury St Edmunds, Cambridge, Ipswich, Norwich or Leeds.
When you work with us, we can provide HR consultancy support, as well as a full range of employment law advice, depending on your needs.