Under the Data Protection Act 1998 (“DPA”), a person has a right to know what personal data an organisation is processing about them, the organisation’s reasons for processing the data, and details of how the organisation has disclosed or may disclose that data to others.
An individual can request details of their personal data by making a Data Subject Access Request (“DSAR”) to the organisation. When the DPA was introduced, the original purpose of a DSAR was to create a way in which individuals could check the accuracy of their personal data held by organisations.
To make a valid request, an individual will need to first do the following:
- Make a written request to the data controller of the organisation
- Pay the fee – £10.00 is usually the maximum for most requests
- If required by the organisation, provide information to enable the organisation to determine whether the person making the request is the person to whom the personal data relates.
Upon receipt of a DSAR, an organisation has 40 calendar days to respond.
If an organisation fails to comply with a request, then an individual can apply to the Court under Section 7(9) of the Data Protection Act 1998 for an order compelling that organisation to comply with the request.
DSARs can be a problem for organisations because they are increasingly being used by individuals to fuel litigation against organisations. This is especially the case in employment disputes, but they are common in commercial disputes as well.
Today, an individual may submit DSARs to an organisation they are in dispute with to obtain further information which may then support their case. An individual may also make the request knowing that the organisation’s task of searching, recovering and despatching personal data within 40 days is likely to be onerous, now that personal data is often collected on a daily basis by various mediums of modern technology.
To comply or not to comply with a Data Subject Access Request?
Organisations may not want to comply with a DSAR because the task is onerous, and because it enables an individual to gain a tactical advantage in a dispute. Organisations may therefore want to consider the following to challenge a DSAR:
- Whether the request is valid
- Whether any of the exemptions from compliance under the Data Protection Act 1998 are engaged
- Whether the scope of the request is too wide
- Whether the burden of complying with the request would be disproportionate
If it is too wide or the burden of compliance is disproportionate, then an organisation may be able to limit the scope of the request and search.
Kerem Alev of The Brooke Consultancy LLP is here to help. Please contact him by calling 0208 880 7131 or e-mail him directly.