Data subject access requests - everything with their name?
Data subject access requests
Under the UK GDPR all individuals (or data subjects) have the right to obtain a copy of their personal data from you.
They can do this by making a data subjectaccess request (DSAR) which can be in a verbal or written format. Whilst you can’t insist that it’s completed, you may provide a pre-prepared form for this purpose (see The next step ).
Where a DSAR is received, you must generally respond within one month and most data subjects usually request “all” of their personal data.
Does this mean that you must you send the data subject a copy of every document which contains their name?
Many data subjects assume that they are entitled to see any document which contains their name, but this isn’t the case. That’s because a name alone isn’t necessarily personal data.
For example, you send out a general email to “all staff” and the data subject’s name is in the list of recipients. Apart from this, the email doesn’t contain any other personal information about the data subject.
Disclose or not to disclose
In this scenario, you would not need to disclose that e-mail when responding to the DSAR as it doesn’t contain the data subject’s personal data.
However, if an email was sent from, say, one manager to another about a particular employee, e.g. regarding training requirements or recent non-attendance, this document should be disclosed to the data subject as it relates to them and is personal data.
A ton of documents
In some circumstances, you may have a stack of documentation about a data subject. Here, you can enquire if the data subject is looking for a particular document or documents over a period of time.
Trap. However, a data subject is under no obligation to narrow their search. If they want all of their personal data, you must disclose it.
The Information Commissioner’s Office (ICO) states that a data controller may respond to a DSAR in the same way it was received, i.e. a DSAR sent by email can be responded to by email (see The next step ). Alternatively, you could ask the data subject who’s made the DSAR to state how they’d like the documentation sent to them.
Tip. Where hardcopy documents are requested, send them out by tracked delivery - that way you will know the data subject has received your response. Use strong and secure packaging if there are many documents.