Data Subject Access Requests: The Do’s and Don’ts for Charitable Organisations

28 July 2021

This blog should be used for information purposes only. The information provided in this blog is based on current legislation and recent developments and should not be relied on as an exhaustive explanation of the law or the issues involved without seeking legal advice.

A Data Subject Access Request, or DSAR, is any request made by an individual for their own personal data. While they are quick and easy for an individual to make, many long hours and significant resources from your organisation will be needed in order to properly respond.

Personal data is broadly defined as any information relating to an individual who can be identified from that information, either on its own or in combination with other information that your organisation possesses. This means that the information does not have to refer to an individual by name, so long as they can be identified by other means, for example, their initials or ID number. Personal data includes information that may be known to the individual or that is within the public domain. Importantly, personal data also includes any recorded opinion of that individual.

Since the GDPR[1] came into force, there has been a growing understanding and awareness of our individual rights when it comes to our personal data. With that, the Information Commissioner’s Office (ICO) has seen a steady increase in data-related concerns and complaints since May 2018. DSARs continue to be the most frequently received category of complaint, making up approximately 46% of UK GDPR casework received by the ICO. Of the data protection complaints received by the ICO, 462 related to the charitable and voluntary sector (https://ico.org.uk/media/about-the-ico/documents/2620166/hc-354-information-commissioners-ara-2020-21.pdf).

As DSAR complaints continue to increase in number and the deadline to respond remains fixed despite practical delays brought on by COVID-19, DSAR awareness and know-how will be crucial to your organisation now and in the future.

This DSAR guide is intended to provide a list of common pitfalls when dealing with DSARs and how to improve your organisation’s response before it becomes an issue.

DON’T

  • … Hold data in multiple locations and / or systems across the organisation. This may lead to issues with accessibility and delay when responding to a DSAR. Providing a detailed response to a DSAR can result in a loss of time and money if gathering all of an individual’s personal data is a complex process and requires sifting through irrelevant information that has been retained too long.

DO

  • … Have good UK GDPR compliance. Put in place a system and procedures that keep track of who your organisation is holding personal data on and how. This includes knowing how their personal data is being processed (Article 15 UK GDPR), the purpose of processing the data, the source of the data, who the data has been or will be shared with, and how long your organisation is retaining this data for. Remember that any individual whose personal information your organisation holds and processes can be entitled to send a DSAR. For a charity, this may include trustees, employees, volunteers, service users and donors.

DON’T

  • … Leave mail (digital or physical) unchecked for too long. Requests sent to your organisation that have been left unaddressed could leave very little time to respond by the deadline or, if left too long, could be missed altogether. This could result in fines enforced by the ICO.

DO

  • … Instruct your staff to regularly monitor and review less-used email inboxes and received post. Train them to recognise a DSAR. Remember that although it must be in writing, a request can be sent to anyone in your organisation, by any means and in any form. It does not need to mention the UK GDPR or Data Protection Act 2018, and it does not matter if the request incorrectly refers to the Freedom of Information Act 2000.

DON’T

  • … Delay in responding to a DSAR. The ICO has a quick and easy complaints procedure available to any individual dissatisfied with the speed or content of an organisation’s response. Failing to respond to a DSAR altogether can result in significant fines.

DO

  • … Act quickly and open lines of communication with the individual who has sent the DSAR as soon as possible. Your organisation will have 30 days to respond starting from the receipt of the DSAR. It is possible to extend this period by a further two months in complex cases, although the individual should be contacted as soon as this becomes apparent.

DON’T

  • … Disclose an individual’s personal data if this would adversely affect the rights of other individuals. This issue frequently arises with respect to mixed data such as email communications and meeting notes which are the personal data of the individual, as well as the others in the email chain or at the meeting.

DO

  • … Identify personal data exemptions. A series of good reasons why personal data should not be disclosed can be found in Article 15 UK GDPR and Schedules 2 – 4 of the Data Protection Act 2018, for example, where disclosure would prejudice defined public functions or where communications are subject to legal professional privilege. There are no easy rules of thumb to follow. Rather, careful consideration needs to be given to the specific content and context of this material.

Please see our related blog How to respond to a subject access request: a step by step guide for organisations.

Should you have any queries relating to your organisation’s compliance with a subject access request, please contact a member of our data protection team.

([1] GDPR came into force in May 2018. Following Brexit it has been replaced by UK GDPR, but there have been no material changes to the law in relation to DSARs as a result.)
