8.1 Data Subject Access Request (DSAR)
Under data protection legislation individuals have the right to obtain confirmation, usually at no cost to themselves, that their data is being processed by the data controller and to receive copies of that personal data. In the case of security and surveillance systems this would typically be CCTV images or access control data.
It is the data controller who is legally responsible for complying with DSARs. Practical responsibility can be contracted out to a data processor. The terms of the Data Processing Agreement between data controller and data processor will usually require the data processor to pass on the DSAR to the data controller within a certain time period, and to provide reasonable assistance to the data controller so that the data controller can respond to the DSAR in sufficient detail and within the time limit.
Before sharing any personal data you must ensure you have verified the identity of the person making the request. A copy of the data subject’s photographic ID is usually sufficient, although for sensitive requests it may be proportionate to ask that the ID be certified by a solicitor. If the request is being made on behalf of another person, you should also request evidence of the requesting person’s authority and for proof of their identification. For insurers, law firms, etc. proof of authority can be a letter of instruction.
If the requested information includes CCTV footage, it is reasonable to request photographic images of the data subject to enable positive identification of them in the footage, unless they are already known to you.
Parents can make applications on behalf of young children and children who lack mental capacity. However, particular care should be taken when deciding whether to disclose a child’s personal data and we suggest taking professional advice quickly if you receive such a request.
Where data includes images or information about individuals other than the applicant, the data/images must be redacted unless it can be shown that it is reasonable to disclose those third parties’ information to the applicant, without the third parties’ consent.
Time Limit to Respond
The requested information must be provided without delay and at the latest within one month of receipt of the DSAR.
You will be able to extend the period of compliance by up to a further two months where requests are complex or numerous. If this is the case, you must inform the individual of the extension before the current time limit runs out. You should also explain why the extension is necessary.
Right to Charge
You can only charge the individual making a DSAR if, and to the extent that:
- their request is manifestly unfounded or excessive (and you haven’t already refused to comply with the request as explained below) or
- they are requesting further copies of the same information.
In either case you can charge a reasonable fee based on the administrative cost of providing the information.
Refusing to Comply
You can only refuse to comply with a DSAR in extremely limited circumstances.
If a request is manifestly unfounded or excessive, you can refuse to comply with the request provided that you notify the individual of this decision and can justify the decision to the ICO if it were investigated.
There are also limited exemptions available under the Data Protection Act 2018. We strongly suggest taking specialist advice on the availability of these exemptions before choosing to rely upon one of them. One of the exemptions applies if disclosure might prejudice an ongoing criminal investigation. We expect this to be the most common exemption used by security and surveillance providers.
If you refuse to comply with a DSAR, you must notify the individual of that fact in writing, giving the legal reasoning for your refusal. You must also inform them of their right to complain to the ICO and that they may be entitled to a judicial remedy. This notification must be given without undue delay and, at the latest, within one month from receipt of the DSAR.