People are more aware than ever of the importance of protecting personal data, so HR departments can expect to receive plenty of DSARs (data subject access requests).
This is the technical term for when an individual asks to see what personal data an organisation holds on them.
The right has existed in the UK for years (with requests referred to as SARs (subject access requests)), but it has been invoked a lot more often since the GDPR (General Data Protection Regulation) took effect in May 2018.
HR departments collect personal data on current and past employees, as well as those who apply for job openings. Think about how many CVs and references you receive every time you post a job advert, and how much information each document contains.
How long do you keep that data for? Where do you store it? And what do you do with it when you no longer need it?
Those are all things you need to know when responding to a DSAR. If you’re unsure of your obligations, this blog is the perfect introduction.
What is a DSAR?
A DSAR is a request by an individual to view a copy of the personal information an organisation holds on them.
It’s the practical application of the ‘right of access’, one of eight rights enshrined in the GDPR, giving data subjects the opportunity to see whether an organisation is processing their personal data and if it is doing it lawfully.
How are DSARs submitted?
Although ‘DSAR’ sounds like a formal term, requests don’t have to adhere to an official process.
Organisations that expect to receive a lot of requests might set up a form for individuals to fill in – but remember, you cannot make the use of the form mandatory. Other organisations should simply be on the lookout for people making a request.
This leads us to a crucial aspect of DSARs under the GDPR: requests don’t have to be made in writing or through an official channel. Requesters don’t even need to say ‘DSAR’ or ‘data subject access request’.
All they have to do is say that they want to know what personal information your organisation holds on them and what you are doing with it.
As a result, everyone in your organisation who might receive a request must be able to recognise when one has been made and know how to respond.
If, say, an employee asks to see their personnel file while chatting with the HR administrator, the administrator must acknowledge the request and follow the organisation’s response procedure (which we discuss below).
Likewise, if a hiring manager gets an email from a past job applicant asking whether the organisation still has their CV on file, the manager should forward the email to whoever is responsible for DSARs.
To make sure this happens, organisations must establish a well-defined process and educate staff on how it works. The more likely it is that someone will receive a DSAR, the more you need to drill them on the response process.
Shouldn’t everyone be aware of these rules already?
Access requests aren’t new to the GDPR, so anyone who worked in HR before May 2018 will already be aware of their legal obligations for providing data subjects with copies of the personal data the organisation stores on them.
However, the Regulation introduced some key new rules that change the way you handle requests.
- You can’t charge a fee for submitting a DSAR
The GDPR scrapped organisations’ right to charge £10 to submit a DSAR, instead instructing organisations to fulfil requests free of charge.
However, organisations can reject a request or charge a “reasonable fee” if the request is unfounded, excessive or repetitive. But before you invoke this right, it’s worth noting that the GDPR doesn’t clearly define what those exceptions look like, and the burden is on you to prove your case.
- You have one month to respond
The deadline for responding to a DSAR has been reduced from 40 days to one month. That’s still ample time, but remember: collecting all the necessary information can be time-consuming, and the person responsible for handling requests might be busy or on holiday.
You should also be aware that the clock starts the day you receive the request, not when you acknowledge its receipt.
You should therefore act as quickly as possible; just because you have a month doesn’t mean you have to wait that long.
You are permitted to extend the deadline to three months if the request is complicated, but you must inform the data subject of this when acknowledging receipt of their request and be prepared to justify your rationale to the ICO (Information Commissioner’s Office).
- Requests can be made in any form
As we noted earlier, the GDPR permits data subjects to make access requests in any form, whether that’s in person, through email, a phone conversation, voicemail or online.
Organisations aren’t required to make all of these means available, but it’s in their best interest to be as clear as possible about how individuals can make a request.
You don’t want people complaining to the ICO that they’re unable to make an access request, or submitting a request through an email address that you don’t monitor.
This is something that educational establishments should be particularly mindful of. If someone makes a request while the school is shut for the summer, will anyone be able to respond?
How HR should handle DSARs from employees
They may be your colleagues, but when it comes to DSARs, you must treat everyone in your organisation the same way you would customers or clients.
You shouldn’t expect any leeway with the information you provide or the deadline just because you know the person making the request.
Almost everyone is aware of the risks associated with sharing personal data – and some staff might be keeping an even closer eye on what their employer is doing. After all, organisations store huge amounts of personal data, from names, contact information and details of next of kin, to health records and bank account details.
If someone seriously suspects that their employer isn’t adequately protecting their personal information or is violating their data subject rights, they might not hesitate to find another place of work.
Worse yet, they might go public with their complaint, exposing the organisation to a media backlash and regulatory repercussions.
You can keep your colleagues satisfied by outlining your organisation’s data processing practices in the employee handbook, along with information on how to submit a DSAR.
Line managers should also be reminded to keep an eye out for requests and told how to handle them – which may simply be a case of passing the request on to HR.
How HR should handle DSARs from job applicants
Any time someone sends you their CV, you’re processing their personal data. You’ll have the applicant’s name, address, contact information and job history, and even though they sent it to you voluntarily, they have the same data subject rights.
How you handle DSARs relating to job applications depends on your data retention policy. Many organisations keep CVs in case the applicant is suitable for another opening, but this must be specified in the terms and conditions that accompany your job postings.
If you don’t hold on to CVs – or you do but the request is made after the data retention period has expired – you can tell the requester you don’t have their information on file any more. This closes the matter, because there’s no data for them to access.
As for those people whose CVs you do still have, you should forward the request to whoever is responsible for responding to a request (which we explain below).
How HR should handle DSARs from former employees
The final set of people HR should be concerned about regarding DSARs are former employees. Organisations are legally required to retain ex-employees’ personal data for certain lengths of time, so there’s a chance you’ll receive DSARs from some familiar names.
DSARs from ex-employees should be handled in the same way as access requests from any member of the public. Your organisation is required to have a public-facing privacy notice, which should tell people how to submit a DSAR.
However, there’s a possibility that former employees will bypass this route and contact their old colleagues – particularly their line managers – directly.
You should be aware of this and instruct line managers on what to do when they receive these requests.
How to respond to a DSAR
Whether a DSAR is submitted by a current, former or prospective employee, you should always follow these steps:
- Verify the data subject’s identity
Requests can only come from the data subject or an authorised representative.
If you doubt that the requester is who they say they are, you have the right to ask for proof of ID.
- Confirm the type of request
You must make sure you understand what the individual is asking for when they submit a request.
If it isn’t already clear, you should confirm the request with the data subject.
- Send the request to the relevant person
You might have someone, or a team of people, responsible for handling DSARs. Alternatively, you might need to contact the owner of the asset (most likely a database) in which the information is stored.
- Gather the necessary information
Depending on the way you process personal data, you might keep it in a single file or spread out in several places.
Either way, you should keep a master record that identifies where you can find data subjects’ personal data.
It’s not only the data itself you need to provide. You should also include:
- the purposes of your processing;
- the categories of personal data concerned;
- the recipients or categories of recipient you disclose the personal data to;
- your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it;
- the existence of their right to request rectification, erasure or restriction or to object to such processing;
- the right to lodge a complaint with the ICO or another supervisory authority;
- information about the source of the data, where it was not obtained directly from the individual;
- the existence of automated decision-making (including profiling); and
- the safeguards you provide if you transfer personal data to a third country or international organisation.
- Package the data
Data subjects can specify how they’d like to receive the information, which might be in hard copy or digital form.
You might therefore be required to convert the data from one format to the other.
- Add extra information
Your response to the DSAR must explain to data subjects their other data subject rights and how to exercise them.
Likewise, you must also explain that the data subject has the right to lodge a complaint with the ICO.
- Send the package to the data subject
You should provide the information in the form specified by the data subject, ensuring that the method you use is subject to adequate security measures.
Remember that if the information is lost or stolen on the way to the data subject, it’s considered a data breach.
Want help with DSARs?
The stakes are high when it comes to fulfilling DSARs, with a failure to respond adequately – or at all – attracting enforcement action from the ICO, including stern fines. Meanwhile, the reputational damage that follows a violation can be just as costly.
It’s therefore understandable that you’d want advice, and that’s where GRCI Law comes in.
Our DSAR as a Service solution lets you focus on what your business does best while we take care of access requests.
Led by our management team of expert data protection officers, lawyers, barristers and cyber security experts, we perform the DSAR response process from start to finish.
This service is available on an annual subscription basis or as smaller prepaid blocks of hours, which could help organisations with a particularly difficult DSAR or to cover staff absence.