Right of access (RoA) / data subject access requests (DSAR) policy and procedure

Format of responses and exemptions

Where the applicant makes a DSAR by electronic means, and unless otherwise requested by the applicant, the evidence of identity needed could be provided in a commonly used electronic format, for example a scanned ID. Before providing the information, the Data Controller, or appointed member of staff, must verify the identity of the person making the request using “reasonable means”. If identity is not proven then an exemption may be made.

Under the UK-GDPR, organisations can withhold personal data if disclosing it would “adversely affect the rights and freedoms of others”.

Exemptions are currently available in the Act, set out in Sections 24 and 26, Schedule 2 Parts 1-2 and 4-5, and Schedule 3, some of which allow a Data Controller to refuse a DSAR. In addition, Article 23 of the UK-GDPR allows national governments to introduce exemptions to various provisions in the UK-GDPR.

The UK-GDPR does not introduce an exemption for requests that relate to large amounts of data, but a Data Controller may be able to consider whether the request is manifestly unfounded or excessive. Recital 63 permits asking the individual to specify the information the request relates to.