Call us on
0161 941 2426

Data Subject Access Requests (DSAR) and Data Security

Posted On: 01/10/2019

In all aspects of our lives there are things that fill us with dread. For a manager or member of your HR team this could be a DSAR. Our advice would be to put in place some best practices on how to handle a subject access request. The worst thing to do is just hope that you’ll never receive one!

What is a DSAR

This is a request from someone asking to receive a copy of the personal data your organisation may hold on them, they may also ask for an explanation of how this data is being used, who will this data be disclosed to and how long the data will be retained for.

It can be requested in writing, verbally and even via social media. Unfortunately, the GDPR does not specify who an individual should address their request to, so it pays to be vigilant!

This access to personal data is not new, but changes to how they are to be treated came into force under Article 15 of the GDPR in May 2018. These changes are:

Be cautious

A person can only ask for their own personal data, so it is crucial that they prove that they are who they say they are. The only exception is when an authorised agent, parent or guardian makes a request on behalf of someone and have authority to request the data.


Your initial response

Before fulfilling the request ensure the data subject has provided all the information you require such as:

A quick and efficient process

Gathering information for a DSAR can be very time consuming, so it makes sense to have in place a process.

Be mindful that any paperwork and emails concerning the individual must be investigated too.

Reviewing data

Once you have gathered the information it must be checked before submitting to the individual, agency, parent or guardian as it may contain data on another subject. It the data relates to another individual you will have to seek their permission to disclose the information.

If it is not possible to gain the consent of the third-party, then it may still be possible to provide some information, having edited or ‘redacted’ information that would identify the third-party. Redaction can also be used to remove information which is out of scope of the subject access request because it is not the applicant’s personal data.

The formal response

The data provided to an individual must not contain jargon, codes or terms that someone outside of your organisation would not understand. Be sure to use a traceable delivery system when sending the data.

Always keep a copy of your response.

Can you say no to a subject access request?

Yes, you can. You do not have to fulfil the request if:

If, for good reason, your organisation refuses all or part of the request, you must send the requester a written refusal notice.

The Freedom of Information Act

This Act details exemptions allowing your organisation to withhold information from a requester. In some instances, your organisation will be allowed to refuse to confirm or deny if you hold the information requested. You can withhold information:

Protecting your organisation from receiving DSARs

If you do receive a DSAR it could be an indication that there is mistrust between your organisation and an employee. Many organisations will only receive DSARs when dealing with employee grievances or disciplinaries. Creating a strong and positive workplace culture where people are treated with respect and dignity and where the workforce feels trusted, valued and empowered will go a long way to prevent mistrust.

Our top tips

We’re here to help

Give our team of HR professionals a call on 0161 941 2426 if you require help with a DSAR.  We can also tell you more about our MyHR System and provide you with a no obligation quote, but if you’d like to see for yourself what the system is capable of please check out our MyHR System Demo.

Get In Touch

What Our Clients Say

“"Just a quick note to say how pleased we are with the support that Katie has provided recently. She has been a massive help with the redrafting of our contract of employment and the provision of advice relating to our HR policies and procedures. "”

Chris Ellison, 4way Consulting Ltd

Read Our Latest Blogs

Christmas Parties

Posted On: 20/11/2019

It’s that time again – the season of the Christmas party! A time for staff to let their hair down, dress up and enjoy a night of fun and frivolity.  These events are;

Read More > >

HR News Round-Up October 2019

Posted On: 05/11/2019

October was the month of ‘will we?’ or ‘won’t we?’ The uncertainty surrounding Brexit still hangs in the air, not making it easy for organisations to prepare for the future. In our;

Read More > >

Subscribe to our HR News updates

Get the latest updates from P3 and great advice on how your HR can be improved.

To Top