Data Subject Access Request (DSAR)
How Rounce Funeral Services Limited Respond to a Data Subject Access Request (DSAR)
Rounce Funeral Services Limited Data Subject Access Request (DSAR) Policy
Effective Date: 17/04/2020
The General Data Protection Regulation (GDPR) grants data subjects the right to access any personal data an organisation holds on them. This is known as a data subject access request (DSAR).
DSARs are not a new concept, but the GDPR introduced several changes that make requesting information easier for individuals and responding to the requests more challenging for organisations.
Let’s take a look at everything you need to know about making a DSAR, including how we (Rounce Funeral Services) respond to them in line with the GDPR’s requirements.
We will look at the following:
What are data subject access requests?
What is included in a data subject access request?
Can information be redacted?
Do individuals have to give a reason for a DSAR?
Does a request have to be in writing?
Can individuals submit a DSAR on behalf of someone else?
How long do organisations have to respond to a DSAR?
Who is responsible for responding to a subject access request?
How much can be charged for a subject access request?
What’s the difference between a freedom of information request and a DSAR?
The process for handling a DSAR
How we ensure data subject access request success
What are data subject access requests?
DSARs are the result of the GDPR’s right of access – one of eight data subject rights enshrined in the Regulation.
When an individual submits a data subject access request (or SAR, as it was known under the Data Protection Act), Rounce Funeral Services must provide them with a copy of any relevant information about them.
What is included in a data subject access request?
A request might refer to specific personal details, or to the specific purposes for which Rounce Funeral Services processes that information, in which case we only need to provide the relevant information.
However, individuals may ask to see a full list of the personal data that Rounce Funeral Services stores on them.
This is not merely a case of pulling up everything we store on that person. If we did that, you’d end up with large volumes of information that aren’t considered personal data – such as internal memos about the data subject’s files – which don’t need to be shared.
Our first tasks, therefore, are to determine what information related to the individual is considered personal data under the definition of the GDPR, and whether it’s part of the data that they requested.
This information must be provided alongside other supplementary material, such as the relevant details provided in our organisation’s privacy notice.
Can information be redacted?
Although the GDPR promotes openness to the public, organisations can and, where relevant, should redact anything that’s not within the scope of the DSAR.
For example, we might have documents that include that individual’s personal data alongside the personal details of other people.
In these circumstances, we are required to redact all personal data that isn’t about the person making the request, because otherwise, we would be committing a data breach.
Likewise, we might have records where the individual’s personal data is stored alongside sensitive company data.
We are within our rights to redact that information.
Do individuals have to give a reason for a DSAR?
Individuals don’t need to state why they are submitting a DSAR. The only questions we may ask when a DSAR is submitted concern verifying the individual’s identity or helping them locate the requested information.
Does a request have to be in writing?
There is no formal process for submitting a DSAR. That means requests don’t need to be submitted in writing – or in any documented way. For example, an individual can make a request while speaking with a member of our staff.
It’s also worth noting that individuals aren’t required to use the technical term for a request (‘DSAR’ or ‘data subject access request’).
They can, for instance, simply say that they’d like to see a copy of the information that Rounce Funeral Services stores on them.
That said, requests are most likely to be submitted in writing, as it’s the most convenient method.
It gives individuals and Rounce Funeral Services a record of the request, the date that it was made and other relevant information, such as the specific personal information that they want a copy of and the format in which it should be delivered.
Can individuals submit a DSAR on behalf of someone else?
Yes, individuals can authorise someone else to make a request on their behalf. This is most likely to happen when:
- Someone with parental responsibility asks for information about a child;
- A court-appointed individual is managing someone else’s affairs;
- A solicitor is acting on their client’s instructions; and
- The data subject requests help from a relative or friend.
Rounce Funeral Services must, of course, be satisfied that the person making the request really is doing so on behalf of the data subject.
As such, we are entitled to request supporting evidence, such as written authorisation from the data subject or a more general power of attorney.
How long do organisations have to respond to a DSAR?
There is a subject access request time limit. DSARs must be fulfilled “without undue delay”, and at the latest within one month of receipt.
Where requests are complex or numerous, we are permitted to extend the deadline to three months. However, we must still respond to the request within a month and explain why the extension is necessary.
Who is responsible for responding to a subject access request?
Rounce Funeral Services’ data protection officer (DPO) is Mr Christopher Rounce, who is responsible for fulfilling a DSAR.
Mr Christopher Rounce may not do the physical work involved in completing the request, such as combing through documents and redacting information.
Still, he will oversee the process and ensure that it is being completed in line with the GDPR’s requirements.
How much can be charged for a subject access request?
Under the GDPR’s predecessor, the DPA (Data Protection Act) 1998, organisations could charge a fee for fulfilling a DSAR, but that’s no longer the case in most instances.
Indeed, as the UK’s data protection supervisory authority, the ICO (Information Commissioner’s Office), explains, there are now only two instances in which organisations may request payment for a DSAR.
These are when a request is manifestly unfounded (i.e. when the individual clearly has no intent to exercise their right of access, such as when the request is an excuse to make unsubstantiated accusations against the organisation) or excessive (i.e. when the request overlaps with a recently submitted DSAR).
Rounce Funeral Services will base any fee we charge on the administrative costs involved. That is to say, we shouldn’t be profiting from requests.
It’s worth adding that we are within our rights to reject manifestly unfounded or excessive requests outright instead of charging a fee for them. This might be the case when we simply don’t have the time or resources to fulfil the request.
What’s the difference between a freedom of information request and a DSAR?
DSARs might sound a lot like freedom of information (FOI) requests, but in practice they are quite different.
Whereas DSARs grant EU residents access to copies of their personal data, FOI requests are specific to the UK and relate to recorded information held in the public sector.
This generally refers to government departments, local councils and regulators, such as the Financial Conduct Authority.
Additionally, personal data is not covered by the FOI Act, so there are no restrictions on who can make a request.
The process for handling a DSAR
Like many aspects of the GDPR, access requests have a formal name that organisations must be aware of for compliance purposes, but that doesn’t mean individuals need to know the terminology.
As the ICO (Information Commissioner’s Office), the UK’s data protection supervisory authority, notes, there’s no specific process for making a request, so someone could simply say “I’d like to see what data you have on me”, and that would be considered a legitimate request.
As such, it’s essential that anyone in our organisation who may receive such a request knows what to look out for and who to pass the message on to.
In many organisations, including Rounce Funeral Services, the DPO is responsible for handling DSARs.
Since time is of the essence when responding to a DSAR, we have made sure that an established DSAR process is in place beforehand, so that we can deal with such requests quickly.
Verify the identity
One of the first steps for us is to verify the identity of the requester so that we can determine whether we have all the information we need to fulfil the request.
Clarify what the request is
Following that, we will find out a bit more about the request itself. Is it merely a request for access, or are they invoking other rights, such as rectification of the personal data being held?
Is the request valid?
We will establish whether the request is valid and if it can be completed within the one-month period. If not, we can take further steps to request an extension.
Inspect the data
Once we start collecting the data, we will check whether the data needs to be amended and if we need to protect the personal information of any other data subjects.
Choose the format
Once we’ve collected all the data, we will determine the most appropriate format in which to provide the information.
Add extra information
Lastly, before sending the information, we will ensure the data subjects know their rights, including the right to lodge a complaint.
How we ensure data subject access request success
There are many steps we can take to help our organisation manage DSARs. Our first task was to create a flowchart to make sure we respond promptly, thoroughly and in line with the GDPR’s requirements.
We have also taken steps to make our organisation more resilient to the challenges that come with responding to DSARs. For example, we have implemented measures addressing:
Staff training
Data subjects can theoretically submit a DSAR whenever they’re communicating with a member of our staff. We have, therefore, made sure that all relevant employees can recognise a request and know how to respond.
DSAR responsibilities
We have appointed Mr Christopher Rounce (our DPO) to take responsibility for responding to DSARs. If our DPO is not available due to holidays or other absences, another employee who is familiar with the GDPR’s compliance requirements will take over.
Expert advice
Had we not been able to appoint an experienced DPO such as Mr Christopher Rounce to oversee access requests, there would be a good chance that the person overseeing our response process was relatively new to the task.
In most cases that won’t be a problem, because once we are into the swing of things, it’s a relatively routine operation. However, there will be some challenging requests that require guidance, and Rounce Funeral Services have engaged the services of Croner Group to provide professional support in these circumstances.