On 26 September 2022, the UK Information Commissioner’s Office (“ICO”) issued a blog post addressing compliance with data subject access requests (“DSARs”).
A DSAR is a written request by an individual to an organisation asking for access to the personal information it holds on them. This is a legal right that everyone in the UK has, and it can be exercised at any time for free (in most circumstances).
In their latest blog post, the ICO addressed the most common issues they see across the more than 35,000 complaints they receive from individuals every year. The vast majority of those complaints concern the rules and obligations around accessing personal data. The ICO identified four common themes emerging:
- Delay – organisations taking too long to respond to information requests.
- Relationship breakdown – no responsible contacts at the organisation for dealing with DSARs or organisations providing incomplete and/or unsatisfactory responses.
- Trust – lack of trust from the individual in what they are being told.
- Understanding – organisations’ lack of understanding of individuals’ requests.
From the themes above, the ICO prepared a set of recommendations for organisations that receive DSARs:
- Talk to your customers – customers are less likely to complain to the ICO if you handle their data protection complaint well. If you are unable to meet the DSAR deadline, inform your customer.
- Maintain a dialogue – a lot of DSARs request all of the individual’s personal information, when actually the individual only wants information relating to a specific incident. You cannot ask the individual to narrow the scope of their request, but you can ask them to provide additional details to help you locate the requested information.
- Build trust – if you are dealing with a complex or large DSAR, explain to the individual that your organisation will send information in batches and provide a timeframe for this. If any exemptions apply, you need to provide an explanation of this.
- Use plain English – data protection is complex, and individuals want information that they can understand.
- Honesty – keep your privacy policy up to date where necessary and make it accessible and easy to understand.
The ICO, in particular, encourages organisations to look through their Right of Access Guidance and the Data Sharing code of practice for more information on DSARs.