View Current

Data Subject Access Request (DSAR) Management Procedure

This is the current version of this document. To view historic versions, click the link in the document's navigation bar.

Section 1 - Introduction

Purpose and Parent Policy

(1) This procedure outlines the steps involved in managing a Data Subject Access Request (DSAR) received by Hibernia College in order to fulfil the College’s obligation to provide individuals with access to data being held by the College pertaining to them. The parent Policy is the Personal Data and Records Policy.


Staff, Faculty and Adjunct Faculty Responsibilities 

(2) The Data Protection Officer (DPO) is responsible for the management and implementation of the Procedure.  

(3) The Data Protection Officer is responsible for ensuring that all DSARs are responded to within the required one-month period, or any necessary and notified extension period (as described below). 

(4) Where applicable, all Staff, Faculty, Adjunct Faculty and students are responsible for engaging with and adhering to this procedure as required and within the defined time frame.

(5) Where Staff other than the Data Protection Officer receive a DSAR, they must inform the Data Protection Officer immediately and furnish a copy of the DSAR received. 

Third-Party Processor

(6) All third-party processors are required to provide the necessary technical and operational assistance to enable the College to respond to a DSAR within the permitted time frame.

Top of Page

Section 2 - Procedure

Part A - Procedure for Managing a DSAR

Submitting an Application

(7) A data subject can make a request to obtain personal data held in relation to them by the College at any time.

(8) Applications may be made via email to the Data Protection Officer at and must include a completed application form, available under the resources section of the Hibernia College Quality Framework, and official photographic identification, e.g. passport or driver's licence. 

Receipt and Acknowledgment

(9) The Data Protection Officer will verify that the request has been made using the correct application form and is accompanied by photographic identification. 

(10) The Data Protection Officer will send the data subject an acknowledgment email, normally within two working days.  

(11) Where the College holds a large quantity of information concerning the data subject, the College may request that the data subject specify the information or processing activities to which the request relates before the information is delivered. If the data subject refuses to clarify the request, the College must still respond to the request except where it is considered manifestly unfounded or excessive by the College. 

(12) Where a DSAR is considered manifestly unfounded or excessive by the College, having undertaken a detailed assessment, the College may refuse to act on the request in line with Article 12(5) of the GDPR. If this is the case, the College will inform the data subject of its decision. 

Time Frame for Delivering Request

(13) The College must respond to all DSARs within one month.

(14) The date of receipt of the DSAR is the beginning of the one-month period.

(15) Where a request is complex, or multiple requests are received from the same individual, the College can extend this time up to a further two months. 

(16) When an extension is sought, the data subject will be notified within the one-month period of this and will be informed of the expected time frame to complete the request and an explanation why the extension is necessary.

Notification of Departments

(17) The Data Protection Officer will contact any departments required to assist in the preparation of a response to the DSAR, without delay. This may include contacting: 

  1. The Information Technology department to request a search of the College servers, and any relevant data archives for any data pertaining to the request using the data subject’s name and any other appropriate identifier.   
  2. Any member of Staff, Faculty, Adjunct Faculty or students identified as relevant to the completion of the request to request any required information. 
  3. Relevant Heads of Department:
    1. Advising them that a DSAR has been made pertaining to data held within their department 
    2. Advising them of any specific members of their department whose assistance may be required 
    3. Enquiring, to the best of the Head of Department’s knowledge, if there are any other relevant team members who can be of assistance with the request 

Data Gathering and Collation of Data

(18) The Data Protection Officer will set up a secured location for any relevant person to submit requested information. 

(19) All relevant persons are given a deadline of no more than two weeks to provide the requested data.

(20) The Data Protection Officer sends a reminder to all relevant persons one week before the deadline. 

(21) Each department, or individual, is required to notify the Data Protection Officer of any anticipated delays or complications in delivering the data.    

(22) When all relevant data has been collected, it is formally recorded and categorised by the Data Protection Officer. 

(23) Omissions and redactions may be applied by the Data Protection Officer to the information as necessary, e.g. to retain data privacy of other data subjects, to protect legally privileged information, intellectual property or commercially sensitive information. Where this occurs, the data subject will be notified of the reason for the omissions/redactions.   

Completion of Request

(24) When all data relevant to the request has been prepared, it is shared with the data subject using a secure electronic medium or another secure medium if explicitly requested.

(25) The Data Protection Officer will issue a response letter to the data subject accompanying the data  

Records and Evaluation

(26) The Data Protection Officer retains central records of all subject DSARs. 

(27) The Data Protection Officer conducts an annual review of all DSARs to:  

  1. Ensure the steps taken during each incident were appropriate and effective 
  2. Identify any areas for improvement

(28) The report is shared with the Executive Management Team.