DPO Zone

Workspace

The following guidance and resources are directed at Data Protection Officers or staff performing a similar function within their organisation. 

To support controllers and DPOs in managing their Data Subject Access Requests (DSARs), the ODPA has developed the ‘DSAR Manager’ spreadsheet tool designed to ensure the necessary detail is recorded accurately. 

Properly maintained records regarding DSARs are an invaluable tool both internally (administrative, statistical, organisational memory, etc.) and externally (communicating with the data subject or the Authority).

We advise that detailed records are maintained noting the controller’s decisions made during the DSAR process and any other important information that may have impacted the request or otherwise be pertinent. 

The DSAR Manager is a great location to record this information and should be supported with a structured filing system using standardised naming conventions, where you can save any related correspondence and supporting documentation.

This is NOT a mandatory tool; however, it may be useful to you in processing a DSAR.

DSAR Manager Guidance

DSAR Manager tool

Useful Resources

Here are some other guidance articles and resources you will likely find useful in your capacity as Data Protection Officer.

Data Protection Officers (DPOs)

Properly supported DPOs can add a huge amount to any organisation’s compliance standards. For some organisations, there will be a legal requirement to have a DPO. Find out more about this important role here. 

Handling Data Breaches

You may be required to report a data breach to us. Find out about your responsibilities and how to put in place an effective breach response strategy for your organisation.

Data Subject Access Requests

Individuals (aka ‘data subjects’) are at the heart of data protection legislation. One of the rights most commonly exercised by individuals is the right of access (also sometimes referred to as a ‘subject access request’ (SAR) or ‘data subject access request’ (DSAR)).

Section 16 (other individuals' data)

Read a step-by-step guide to applying Section 16 of the Law to respond to an individual’s ‘data subject access request’ in the specific circumstances where the information the individual is requesting includes information about other people.

Exemptions

There are many exemptions and exceptions within the Law available to controllers/processors. Below is a technical update on these and how they might be applied.

Data Sharing

Read our simple guidance to find out how to share information about people in an appropriate and lawful way.

Data protection by design and default

Section 32 of the Law requires data controllers to establish and carry out proportionate technical and organisational measures to effectively comply with the seven data protection principles, to ensure that by default only personal data that is necessary for the purpose is processed, and to integrate necessary safeguards into their processing to ensure compliance with the Law and safeguard the rights of individuals.

Statutory referrals to the ODPA

There are a number of specific areas in the Law that provide for the Authority to be consulted, or to give approval or accreditation, in certain limited circumstances. Some of these areas will be developed further in the months and years ahead. If you have any questions, please do get in touch.