Under the Data Protection Act 2018, best known for bringing the EU-wide General Data Protection Regulation (GDPR) into UK law, any individual is entitled to request access to the personal data that an organisation or business holds about them. Data Subject Access Requests (DSARs) existed before GDPR, but the regulation strengthened the right: it is now easier for individuals to obtain their personal information, and potentially more complex for organisations to process the requests.
I’m A Data Controller: What Are My Responsibilities?
As a data controller, you are legally obliged to respond to every DSAR and, where appropriate, provide the requested information to the applicant. It is sensible to keep a detailed record so that you can justify any decision to refuse or restrict a request. A DSAR log recording the applicant's name, their method of contact, how their identity was verified, the date the request was received and the outcome will help you demonstrate compliance with data protection law should a decision be contested.
The following questions are the ones we are most commonly asked about DSARs concerning archived paper documents:
1) Can I Charge A Fee For A DSAR?
Under data protection law, applicants cannot be asked to pay a fee simply for making a subject access request. A reasonable fee covering administrative costs (such as photocopying or postage) may be charged only where a request is manifestly unfounded or excessive, or where the applicant asks for further copies of data you have already provided.
2) Can Information Be Redacted?
When fulfilling a DSAR, you must protect the personal data of other individuals and any confidential company information, so that responding to one request does not cause a data breach. Documents that contain details of individuals other than the applicant should not be released unredacted. You are not required to disclose information that identifies another person unless that person has consented or it is reasonable to disclose it without their consent, and where neither applies you should redact it before release.
3) How Quickly Must I Respond To A DSAR?
Under GDPR, a DSAR must be answered 'without undue delay' and within one month of receipt at the latest. Where a request is complex, or the applicant has made several requests, the deadline can be extended by a further two months, giving three months in total, but you must tell the applicant within the original one month that you are extending the period and why.
4) How Can My Organisation Improve Response Times?
Responding to a DSAR quickly protects your organisation's reputation and keeps you compliant with GDPR. Failure to respond within the statutory period can lead to enforcement action by the Information Commissioner's Office (ICO), so an efficient, well-organised document storage system is vital for fulfilling DSARs promptly.
At CAS we offer a complete records management service for all your confidential documents, so that the relevant paperwork can be retrieved as soon as a DSAR is received. Our file organisation and cataloguing service stores your documents systematically so they can be located quickly, eliminating unnecessary and costly delays, freeing your staff for more productive work and helping you meet your legal obligations.
5) Can An Individual Ask For Their Data To Be Deleted?
Yes. This is the 'right to erasure' rather than a subject access request, but it is also covered by GDPR. If an individual asks for their personal data to be deleted, and you are not required by law to retain the information for a specified period, our file shredding service will ensure the complete destruction of all relevant documents within the one-month response period allowed under data protection law.
Contact CAS To Improve Your DSAR Responsiveness
At CAS Ltd, we provide secure document storage and management for public sector, corporate and private clients, with over two decades' experience of working in partnership with NHS Trusts and financial service providers. We comply with UK and international law, and our commitment to excellence is backed by our ISO certifications. To find out more about our document storage and shredding services, contact CAS today on 0845 50 50 003.