Showing results for 
Show  only  | Search instead for 
Did you mean: 
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Newcomer I

Electronic Data Subject Access Requests

Hello All
I recently watched the recording of the excellent GDPR session from the Secure Summit held recently in London and it got me thinking again about subject access requests (DSAR).
I would be interested to learn what companies are doing about DSAR, especially in regard to those submitted electronically. If submitted by email, for example, how would the response be sent securely?
I'd also interested to learn how are people interpreting the ‘where possible’ element of the following two sections of the regulation please?

Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

Article 12.3 (part)


Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.

Recital 63 (part)


Does anyone have plans to provide a secure portal to allow data subjects to query their own information? 


Your thoughts welcomed!


Thanks for your help


Andy H

5 Replies
Community Champion

Few thoughts, Caveat Emptor IANAL


UK ICO has a decent at a glance:


My opinion you first should contact the submitter to identify them(Government ID please would be best option, enshrined in policy and regularly reviews by the DPO). I'd probably be inclined to do that via a person - Otherwise, well your portal could be used for deep data slurps on subjects without their consent - queue lot's of complications. If the natural person is unwilling/unable to identify themselves and allow you to confirm that then I think it's reasonable to not continue with the SAR.


Another reason to use People there might be a certain amount of recursion with a portal:


Automated Privacy Notice: "Please consent to my processing your Personal Data for me to fulfill your SAR, including name, DOB, Age, Adress, Phone number, and a jpeg of your passport "

Agitated person: "Grrr, I don't consent to your processing any of my data, because I've heard you are bad people, that's why I'm submitting the SAR!"


If your system already allows you to identify subjects, then I think you're on firmer ground with automation.


A strong magnet for submission is good thing I think. Let's say you send me a questionnaire and I fill it in, and I include a SAR in one of the free text boxes and you don't respond to it, the timeline might well elapse and it may well be deemed a breach unless you can prove that the SAR/DPO/Privacy notice was unmissable with every communication. A secure web portal or even App to do this might is a good idea, fulfill the electronic bits but I don't think it can be your only option and you have to have a good fall back plan to use people.


We certainly have plans, but I've not seen that we've implemented anything as yet.



Newcomer I

Thanks for your response Early_Adopter.


Think data subject access requests (DSAR) could give rise to some interesting situations come May next year. Especially if some of the speculation I have heard of them being the 'next thing' to follow on from no win no fee PPI claims, with companies offering to carry out DSARs for people, comes true.


Happy New Year to all.


Andy H


in terms of providing a secure portal to manage SARs I think this is unworkable as being able to provide sufficient confidence on their identification is not always straight forward. In addition to this where the information may not be provided ( a in the case of certain medical information which might cause or lead to further harm) cannot be automated.


in supplying the information securely there are a number of secure mail / file share systems such as Egress would meet the requirements additionally the use of MS Onedrive can also provide a similar solution 

Newcomer I

Thanks Tonydan


I would agree with your suggestion that it is not necessarily easy to identify and verify (ID&V) a portal user but wonder if that is sufficient in terms of the regulation for it not to be possible? Certainly the whole ID&V piece is a developing area in private companies and Government with examples such as the GOV.UK Verify. It will be interesting to see how high the ‘where possible’ threshold is set!


Thanks for the pointer about Egress, I’ll look into it a bit more. However, do you think that email requests could still present the same ID&V challenges as those raised by the use of a portal?


Kind regards



Newcomer I

We've implemented a Customer Portal that covers many of the things people ask us for (hundreds - welcome to local government!), and the SAR is one of them.


If we've verified their identity - it's called an "Enhanced Account" we can process a SAR electronically, although I am still debating with the devs the level of security on the site as it's still password authentication only 😞