DSAR Responses: What to include and how to share it

So you are finally putting together your response to the Data Subject Access Request (DSAR), but what does it need to cover?

Supplementary information

As previously mentioned, the right of access gives individuals a right to access, and receive a copy of, their personal data, but it also gives them the right to receive certain information about the processing.

Individuals have the right to receive the following information:

  • the purposes of processing
  • categories of personal data
  • information about the source of the personal data
  • recipients/categories of recipients
  • details of their rights in relation to personal data
  • the right to lodge a complaint with the regulator
  • information about automated decision making
  • information about how their personal data is protected when it is transferred outside of the UK/EU

Most of this information may be contained in your privacy notice, in which case, rather than stating this information in your response, you can provide a link to your privacy notice. Just make sure that all the information you need to provide is contained in the notice.

How should I send it?

If the request was electronic, the response should be provided in a commonly used electronic format of your choice (e.g. spreadsheet, PDF), unless the individual makes a reasonable request for another format. If the request was not electronic, you can still provide the response in a commonly used electronic format unless the individual reasonably requests otherwise. If instructions are needed on how to access the data, make sure you provide these in a clear, easy-to-understand manner.

You must ensure that you provide the personal data in a secure manner. We would recommend password protection if sending information by email or via a download, with the password being sent by a different mode of communication (e.g. text message). The important thing is that the level of security is appropriate to the processing, because sending personal data in response to a DSAR is itself processing personal data.

What about exemptions?

As mentioned in our post on exemptions, if these apply you will still need to inform the data subject of your decision. You should be as open as you can with the individual about refusing to provide information, but you do not have to go into detail that would prejudice the exemption you are relying on.

Anything else?

A response to a DSAR should be very easy to understand. It might help to ask a colleague to look over the response and let you know if there is anything which is hard to follow. If any of the data itself needs explanation to make it understandable, make sure you provide this too.

Check before you send!

Are you sending the right information to the right person in the right way?

  • Have you included all the information?
  • Is it the final version of the information?
  • Is the method secure?
  • Are you sending to the correct recipient?

Once you have sent the response, remember to record that you have completed the DSAR on your DSAR log and capture any learning points so that you can keep improving and refining your processes.
