DATA PROTECTION - 08.04.2021

Data subject access requests - everything with their name?

When a person makes a data subject access request (DSAR), they can ask to see all their personal data which you hold. Does this mean that you must provide them with a copy of every document that includes their name?

Data subject access requests

Under the UK GDPR all individuals (or data subjects) have the right to obtain a copy of their personal data from you.

They can do this by making a data subjectaccess request (DSAR) which can be in a verbal or written format. Whilst you can’t insist that it’s completed, you may provide a pre-prepared form for this purpose (see The next step ).

Disclosing documents

Where a DSAR is received, you must generally respond within one month and most data subjects usually request “all” of their personal data.

Does this mean that you must you send the data subject a copy of every document which contains their name?

An example

Many data subjects assume that they are entitled to see any document which contains their name, but this isn’t the case. That’s because a name alone isn’t necessarily personal data.

For example, you send out a general email to “all staff” and the data subject’s name is in the list of recipients. Apart from this, the email doesn’t contain any other personal information about the data subject.

Disclose or not to disclose

In this scenario, you would not need to disclose that e-mail when responding to the DSAR as it doesn’t contain the data subject’s personal data.

However, if an email was sent from, say, one manager to another about a particular employee, e.g. regarding training requirements or recent non-attendance, this document should be disclosed to the data subject as it relates to them and is personal data.

A ton of documents

In some circumstances, you may have a stack of documentation about a data subject. Here, you can enquire if the data subject is looking for a particular document or documents over a period of time.

Trap. However, a data subject is under no obligation to narrow their search. If they want all of their personal data, you must disclose it.

Sending data

The Information Commissioner’s Office (ICO) states that a data controller may respond to a DSAR in the same way it was received, i.e. a DSAR sent by email can be responded to by email (see The next step ). Alternatively, you could ask the data subject who’s made the DSAR to state how they’d like the documentation sent to them.

Tip. Where hardcopy documents are requested, send them out by tracked delivery - that way you will know the data subject has received your response. Use strong and secure packaging if there are many documents.

Where a document only includes a data subject’s name, e.g. they are a recipient of an “all staff” email, it doesn’t have to be disclosed when responding to a DSAR. However, where a document includes a data subject’s name and/or other identifiable personal information it must be disclosed to them.

© Indicator - FL Memo Ltd

Tel.: (01233) 653500 • Fax: (01233) 647100

subscriptions@indicator-flm.co.ukwww.indicator-flm.co.uk

Calgarth House, 39-41 Bank Street, Ashford, Kent TN23 1DQ

VAT GB 726 598 394 • Registered in England • Company Registration No. 3599719