Publish date

12 June 2024

How to handle a DSAR effectively

In an education setting, a data subject access request (DSAR) is a request made by a data subject (in this case, a student), or the data subject’s parent(s). A DSAR is made to a data controller or processor (in this case, a school, college or further education facility), for the purposes of obtaining personal information. Responding to DSARs can, and often do, mean that a large amount of information needs to be meticulously reviewed and disclosed, all within a very short timeframe. There are regulations governing the handling of data and how organisations need to respond to a DSAR, with potentially severe consequences if they are breached, following a complaint to the Information Commissioner’s Office. No wonder  DSARs are stressful to handle. But help is at hand. We are here to help support and assist you making the process less worrisome.

Nature of request

The first stage of dealing with a DSAR is to understand the nature of the request, not only to understand what data is being requested but also because students and/or parents of students, can make a request for an educational record, which may be confused for a DSAR. It is particularly important to understand the difference because the response time limitations are different, depending on what is being requested. The time to respond to an educational record is 15 school days and for a DSAR the time limit is 1 month from receipt of the request. The information to be disclosed is also going to vary, for example, information held about a pupil (including health data) may not necessarily form part of the educational record, but it may need to be disclosed as part of a DSAR response and vice versa. We will help you understand what exactly is being requested and how and when to respond by.

Time limit and refusal

If a DSAR has been received, you have 1 month from the receipt of the request to respond. Often, this is an unachievable deadline and in certain circumstances (such as where a request is complicated) the time limit can be extended by a further two months, provided that the data subject is written to within the original one-month time limit to explain the extension. Sometimes, a request can be ignored altogether, such as where it overlaps with an earlier request, where much of the latest request overlaps with the earlier request and can be ignored as being manifestly excessive. Other grounds for refusal include where a request is manifestly unfounded. Examples of which include a request which appears malicious, where the data subject is using the request to harass an organisation or making the request with no real purpose other than to cause disruption. An example of this may be a data subject requesting copies of information they knowingly already have or making a request to access all data created by one individual, which appears to be malicious and targeted.

What to disclose?

Then it comes to the DSAR disclosure exercise. Knowing what to disclose can be challenging. Disclosing too little may amount to a failure to comply with a DSAR. Disclosing too much may mean that legally privileged information, or data belonging to another data subject may be intentionally or inadvertently disclosed, which may amount to an unlawful processing of personal data belonging to that other data subject. There is an awful lot to think about and, understandably, having a DSAR land in your inbox or on your desk can cause an urge to disclose everything to get the request off your desk.

As a team that specialises in helping our clients with DSARs, we know how to help you, from establishing whether a request is manifestly excessive and/or unfounded, to identifying exactly which data needs to be disclosed, including knowing the data which needs to be redacted, de-cluttered and de-duplicated from the disclosure.

How do we do this?

Our Employment department has a state of the art piece of new secure artificial intelligence software that enables us to analyse data efficiently and effectively, in a much shorter time than it would to do so manually. Our software solution saves significant time and costs by carrying out the following:

  • Converting all document types to PDF format (whether that be manually scanned in documentation, as is often seen in the education setting, or electronic documents including Microsoft Word, Excel and images) and uploading them into a secure location

In our experience, it can take hours alone to convert various document types to PDF, resulting in hundreds, if not thousands of pounds of costs. Our software can reduce this time to an average of 30 minutes in most cases, saving huge amounts of lawyer time and expense

  • Identifying the data, using a range of key terms (such as names, email addresses, initials, addresses and contact numbers) and electronically redacting all those identifiers which do not relate to the data subject, again saving hours of time and costs for you
  • Identifying data which falls within two specific dates and electronically removing additional data outside of this (this is particularly useful when a DSAR outlines a key timeframe, such as ‘all data on Student X whilst in Year 9’)
  • Creates a report of all duplications or unnecessary documentation (for example blank documents), and allows for easy de-duplication and culling
  • Creates working copies of all data and proposed redactions for checking and approval by us and you
  • Creates a PDF bundle of redacted and disclosable documents in chronological order, ready for disclosure
  • Creates a working copy bundle to act as an audit trail, in the event of a dispute involving the Information Commissioner’s Office investigating a breach of the DSAR obligations. We can show our processes, including the original data, the redacted data and that which has been disclosed to the data subject.

Our meticulous lawyers will review the data at all stages of the process, including once the disclosure bundle has been produced, to ensure that it is fit for disclosure and to eliminate any unnecessary risks.

What is the cost?

With the amount of data each education facility holds, no two DSARs are going to be the same. Complexity of and the number of files will dictate how long the software will take to complete each stage, along with lawyer oversight. In any event, it is safe to say that our new software can reduce lawyer time by hours and even days, which has a huge knock-on cost saving impact for our clients, potentially saving thousands of pounds.

If you have a DSAR that needs responding to, or any questions, please do not hesitate to call us and we will guide and support you, with a robust and accurate de-duplicating and redaction exercise with an audit trail.

Heathervale House reception

Keep up to date with our newsletters and events