The Information Commissioner’s Office (ICO) has released a new service for individuals to send a data subject access request (DSAR) to an organisation from an online form on its website. Does receiving a DSAR from the ICO change the way the request should be dealt with?
Everyone has the right to ask an organisation whether or not they are using or storing personal information about them and for a copy of any data held. DSARs are often used by employees to see the data their employer holds about them as a preliminary step before issuing a claim in the Employment Tribunal. Individuals can make a DSAR to find out:
- what personal information an organisation holds about them;
- how they are using it;
- who they are sharing it with; and
- where they got the data from.
DSARs can take a variety of forms but most organisations will be used to receiving a letter or email from an individual requesting a copy of the information held about them. The ICO has now released a new online service which will serve as an alternative to an individual sending a letter or email to the organisation directly to request information. The service enables individuals to input information into an online form, which is then sent directly from the ICO to the organisation, making the DSAR on the individual’s behalf.
Receiving a DSAR direct from the ICO has the potential to cause concern and treat a request with more urgency and priority because it is on the ICO's “radar”. It is important to note that a request via the ICO website carries no more weight than a request made from an individual directly. All DSARs, regardless of how they are received, should be treated in the same way. Of particular note is that the ICO do not receive the response from the organisation, which should be directed to the individual making the request. The ICO privacy notice states in relation to the information collected from the individual, that the request is only kept for 14 days from the date it is submitted. Therefore the ICO will not have details of a request made through the service if after 14 days from the request being sent, an individual has cause to complain to them.
When dealing with a DSAR, whether submitted through the ICO service or by other means, organisations should act quickly to ascertain the data being requested and the time it will take to review this. Unless a DSAR is considered complex, an organisation only has one month to reply, therefore it is advisable to take this step as soon as a request is received to ensure there is sufficient time to respond.
For further information on DSARs in the context of the employment relationship please contact our Employment Team.