Dealing with Subject Access Requests
Friday June, 2019
Parking enforcement companies are aware of the fact that they have and use people’s personal information, especially as this personal data may be used to enforce a parking charge against them. The Data Protection Act 2018 (DPA 2018) brought the provisions of the General Data Protection Regulation 2018 (GDPR) into force in the UK. And one area that has changed under the GDPR is the provision around an individual’s right to request the information an enforcement company holds about them. This right is called a data subject access request (DSAR).
What is a data subject access request?
A data subject access request is a request from any person to be told what information an organisation holds about them and why it is holding this information. This request can be verbal or written and does not have to be in any particular form as long as it’s clear that the person is requesting their own personal data.
Things to be aware of
Any person that the enforcement company has personal data about can make a request. Clearly, the main category of people who can make a data subject access request will be vehicle keepers. However, it also includes drivers who are not keepers and employees. As a result, each organisation will need to know how and why it holds information about each of these categories.
Parking enforcement companies can have large numbers of DSARs to deal with. The need to trawl the data you hold and provide a response in a timely way can put a lot of pressure on your staff and processes. Unfortunately, if a parking contravention were to go to independent appeal or court action, the fact that the DSAR has not been dealt with appropriately could put you on the back foot. Therefore, it is important to review your internal policies and procedures and ensure that they are fit for purpose.
Enforcement companies should be particularly aware of the potential for requests to be lost. For example, requests may come into email accounts which are not regularly monitored. This can result in less time to respond or, worse, missing the deadline entirely. This raises the possibility of investigation and fines by the data protection regulator, the Information Commissioner’s Office.
The Data Protection Act (DPA) 2018 states how organisations are required to respond to this type of request. There have been a number of changes under the Data Protection Act 2018. The key changes are as follows:
1. No fee. Organisations can (in most cases) no longer charge a fee for complying with the request. The abolition of the fee for a DSAR has meant we have seen an increase in the number made once a parking ticket has been issued. A fee can be charged, but only in exceptional circumstances, where the data requested could be deemed as excessive, unfounded or repetitive.
2. One-month deadline. The time to respond to a request has been reduced. It’s now one calendar month (instead of the previous timescale of 40 days).
3. Legal Basis. One of the aims of the DSAR is to enable the requester to understand whether the data is held lawfully. So, as well as providing the actual personal data held, the response will need to include the legal basis under the DPA 2018 relied on by the enforcement company for holding and using each different type of personal data.
Top Tips for dealing with DSARs
1. Strong GDPR compliance. Having very good GDPR compliance is the most important first step. This includes making sure that you have good privacy policies and that when data is used, it is used in a way that reflects your internal policies.
2. Create a clear process for Data Subject Access Requests. It’s essential that you have a robust process for how to manage incoming requests and decide who is responsible for collecting the data and who will ensure that the response is made within the deadline.
3. Staff Training. It’s possible that a data subject access request could be sent to any of your employees, so it is important to make sure that all your staff are trained to recognise these requests and what steps they need to take next.
How can ZatPark help?
Within the ZatPark system, we have created a specific dashboard that lets you create a PDF document containing the information stored in respect of each data subject. You can choose which data you need to include in the response.
So, in just a few clicks you can provide the data that the data subject has requested. This creates a PDF on the fly (so you don’t need to be concerned that more personal data is being created) which you can send out with your response letter to the requester.