Understanding Data Subject Access Request (DSAR) and GDPR Differences

Privacy regulators in the USA and UK have reshaped their privacy legislation and, in doing so, have given individuals rights over the personal data that organisations hold about them on their websites. Data Subject Access Request (DSAR) is the term used for exercising this right. Organisations, however, are worried that a flood of data subject access requests is going to cause headaches. The primary concern is the SAR (Subject Access Request), through which an individual can require an organisation to divulge all the information it holds on that particular individual.

What is DSAR?

A DSAR is a formal request made by a person (the “data subject”) to a company or other organisation for access to their personal information. The goal is to obtain the private information about them that the company holds in its databases. When filing a DSAR, data security and privacy laws such as the GDPR right of access are typically referenced.

They give people the chance to ask for access to their personal data and get answers to questions about how it is being used. Companies must react to DSARs and fulfil data subjects’ requests within the required time constraints.

Difference between the Privacy Act 1998 and the GDPR

| Privacy Act 1998 | General Data Protection Regulation |
|---|---|
| Gives people the ability only to review and update their own records. | GDPR rights include access, correction, erasure, transfer, and objection to data processing. |
| Only mandates that organisations acquire consent before collecting and processing personal data. | Imposes more stringent regulations on collecting and managing consent, such as the requirement for express permission. |
| The penalties of the Privacy Act 1998 are not as strict as those of the GDPR. | Has a higher non-compliance penalty of €20 million or 4% of the organisation’s global yearly income. |
| Does not require a Data Protection Officer (DPO). | Organisations must appoint a Data Protection Officer to supervise data protection. |
| Lacks international data transfer provisions. | Limits personal data transfer outside the EU without protections. |

Limitations of Data Subject Access Requests (DSAR)

Under the old act there was a charge for requesting data, but the GDPR stipulates that any SAR must be “provided free of charge” (Article 12.5). Of course, there has to be some limit on the power given to an individual. The request must be legal and for a specific purpose; frivolous or repeated applications will be rejected. In the words of the ICO, where a SAR is “manifestly unfounded or excessive”, it can be refused.

Besides, some information is exempt from disclosure to the individual, such as material covered by legal professional privilege, i.e. documents for use in ongoing or possible future litigation, including professional documents created by third parties with the aim of providing legal advice. A further exemption from the DSAR process is data concerning “national security and the prevention or detection of crime”, or the “apprehension or prosecution of offenders”.

Organisations Need To Take Extra Care

Organisations will also need to tread carefully where personal data requests contain sensitive health information.

In this case, the data controller must consult a licensed medical professional before making any disclosures. However, this does not apply if the data subjects have volunteered their health information themselves. Due to the new regulation, there may be a dramatic uptick in DSARs. It is anticipated that the primary recipients of such requests will be the National Health Service (NHS) and other public institutions such as schools and local government offices.

However, the fact that this service is now free may cause a problem for businesses with unhappy ex-employees. There is, for example, very little that can prevent this type of unwarranted bureaucratic nightmare!

Organisations will just have to be prepared to deal with these requests professionally. Bear in mind, though, that subsequent requests from the same data subject can occur and, if the first request was dealt with correctly, these can legitimately (and politely) be knocked back.

Ensure A Good Strategy Is In Place

Above all, it is a good idea to have a strategy in place from the outset, with policies and procedures for handling data subject requests in the first instance and clear refusal guidelines in place across the whole organisation. Hence, to prevent any issues with GDPR compliance, an organisation will need precise definitions of what constitutes grounds for refusal.

The GDPR states clearly that “the controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request” (Article 12.5). The article goes on to ensure that the data being requested is passed to the correct party: an organisation can ask the requesting individual to validate their identity where there is reasonable doubt about it.

For example, if a request arrives from a Gmail account or by telephone, how can an organisation be 100% sure the requester is who they say they are? Acceptable forms of identification include:

  • Driving licence,
  • Passport,
  • Other IDs.

Again, this is something to embed in the organisation’s policies and procedures, with bulletproof identification measures in place.