{"id":2606,"date":"2025-09-01T05:16:16","date_gmt":"2025-09-01T04:16:16","guid":{"rendered":"https:\/\/21percent.org\/?p=2606"},"modified":"2025-09-01T14:42:01","modified_gmt":"2025-09-01T13:42:01","slug":"the-deluge-of-dsars","status":"publish","type":"post","link":"https:\/\/21percent.org\/?p=2606","title":{"rendered":"The Deluge of DSARs"},"content":{"rendered":"\n
\"\"<\/figure>\n\n\n\n

The General Data Protection Regulation (GDPR)<\/strong>, introduced in 2018, was designed to give individuals greater control over their personal data. One of its key provisions is the Right of Access, which allows you to ask an organisation what information it holds about you, and to understand why and how it is being used. This process is carried out through a Data Subject Access Request (DSAR).<\/strong><\/p>\n\n\n\n

Every individual has the right to know and obtain information about how their personal data is being processed. You can exercise this right easily, at reasonable intervals, and use it to verify the lawfulness of data processing that has taken place or is ongoing.<\/p>\n\n\n\n

If you are in a dispute with your University, submitting a DSAR is highly advisable. If the University uses an external provider\u2014such as a Human Resources consultancy (e.g. B3Sixty<\/a>), a lawyer, or a barrister\u2014you may submit DSARs to them as well. Similarly, if you have appealed to external regulators such as the Information Commissioner’s Office<\/a> (ICO) or the Office for Students <\/a> (OfS), you are entitled to investigate how they handled your case.<\/p>\n\n\n\n

That said, few people hold the OfS or ICO in high regard \u2014 so submitting a DSAR to them is mainly for those who enjoy a touch of dark comedy.<\/p>\n\n\n\n

There is no legal requirement to use a form when making a DSAR, but it is recommended. A standard example \u2014 taken from the University of Cambridge \u2014 is reproduced below (also available on their website here<\/a>). The form must be accompanied by proof of identity, such as a scan of passport or driving licence.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The only tricky part of the form is the section asking for a \u201cDescription of your Request, including information to help us locate the personal data you seek.<\/em>\u201d Organisations are only required to carry out reasonable and proportionate searches, so a very broad or vague request is likely to fail.<\/p>\n\n\n\n

A useful model is:<\/p>\n\n\n\n

\n

\u201cI would like to exercise my right under the Data Protection Act to access personal data held or being processed by the University in the matter of [BRIEF DESCRIPTION]. Please provide me with copies of any correspondence, minutes, notes, Teams meetings, WhatsApp messages, or emails between 1 January 2023 and 31 December 2023 from or to [NAME OF INDIVIDUAL(S)] regarding events at [NAME OF DEPARTMENT or INSTITUTION], insofar as they include my personal data. This includes (but is not limited to) relevant correspondence with other members of the University or external advisers.<\/p>\n<\/blockquote>\n\n\n\n

It is important to name specific individuals who may hold your data (such as your Head of Department or HR staff) and to give a clear indication of the subject matter (e.g. events surrounding my promotion claim<\/em> or a grievance made against me<\/em>). A timeframe of around one year is considered reasonable.<\/p>\n\n\n\n

By law, organisations must respond to a DSAR within one calendar month of receipt. In complex cases, the deadline can be extended by up to two additional months, but the organisation must notify you within the initial month and explain the reasons for delay.<\/p>\n\n\n\n

If an employer or colleague deletes emails or messages to avoid disclosing them in response to a DSAR, this constitutes a serious GDPR violation.<\/strong> Unfortunately, not all institutions treat DSARs with the required seriousness \u2014 indeed, earlier this year, two Heads of School at Cambridge were implicated in a DSAR scandal for concealing records and keeping the secrets safe<\/a>.<\/p>\n\n\n\n

The graph at the top of the article shows the number of DSARs submitted annually to Cambridge University over the past five years (with the 2025 figure extrapolated from current data). The curve is steeply rising, which reflects a growing willingness among staff and students to challenge how their data is used. In many organisations, a sharp rise in DSARs would signal a breakdown of trust: people resort to formal legal rights when they believe ordinary processes for fairness, transparency, and accountability have failed.<\/p>\n\n\n\n

In Cambridge\u2019s case, the trend strongly suggests a deep-seated cultural problem \u2014 one where disputes are mishandled, information is withheld and staff feel compelled to use GDPR as a last line of defence.<\/p>\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

The General Data Protection Regulation (GDPR), introduced in 2018, was designed to give individuals greater control over their personal data. One of its key provisions is the Right of Access, which allows you to ask an organisation what information it holds about you, and to understand why and how it is […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2606","post","type-post","status-publish","format-standard","hentry","category-blog"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/21percent.org\/index.php?rest_route=\/wp\/v2\/posts\/2606","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/21percent.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/21percent.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/21percent.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/21percent.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2606"}],"version-history":[{"count":16,"href":"https:\/\/21percent.org\/index.php?rest_route=\/wp\/v2\/posts\/2606\/revisions"}],"predecessor-version":[{"id":2627,"href":"https:\/\/21percent.org\/index.php?rest_route=\/wp\/v2\/posts\/2606\/revisions\/2627"}],"wp:attachment":[{"href":"https:\/\/21percent.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2606"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/21percent.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2606"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/21percent.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2606"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}