Response to media query: fair and impartial approach to DSARs

The ODPA has been approached by local media to comment on DSARs ('data subject access requests')* and how they might be being viewed by employers. 

We recently ran a webinar about this subject (a recording of it is available here: How to respond to 'subject access requests') This is a complex area and the webinar specifically addresses employment issues, and whether you can refuse to respond to a DSAR if you think it's 'vexatious'. 

Our Commissioner, Emma Martins, provided the following comment to the journalist who requested it:  

“A person’s right of access which helps them understand how information about them is used is central to data protection laws both locally and globally. It is not a weapon, and should not be viewed as such. It is a legal right that every one of us has, regardless of the relationship we may have with the organisation we are submitting a ‘data subject access request’ (DSAR) to.

Organisations may refuse to respond to a DSAR if they can demonstrate that the request is genuinely ‘vexatious’ (which is very different than seeking to refuse it because it’s from a person the organisation is in a dispute with). Where an organisation has refused to respond to a request, the person could complain to the ODPA who can then look into whether the refusal was appropriate.

Regardless of the relationship between the parties, organisations who receive a DSAR should focus on the human being who is making the request, and appreciate that that person has a legal right to know what is being done with information about them. Processes in place to respond to individuals seeking to exercise their legal rights should be fair and impartial. Positive engagement, and seeking to repair any tricky relationships with the person concerned is a win-win situation.”

* A data subject access request (DSAR) is when a person asks:
- what do you know about me?
- what do you think about me?
- what do you think you know about me?
- what are you doing with it all?
 

Related resources:

• Webinar: How to respond to 'subject access requests' (recording of a Zoom webinar held on 8 November 2021)
• ODPA guidance on exemptions (which can be used in certain circumstances, sparingly, when responding to DSARs)
• People’s rights under data protection law
• Podcast: What has Data Protection ever done for us? (Summary of people’s rights)