The introduction of the General Data Protection Regulation (GDPR) has significantly raised awareness of people’s right to make Data Subject Access Requests (DSARs for short). As a result, there has been a marked rise in DSARs made by data subjects since 25 May 2018, when the GDPR first came into effect.
A DSAR can be made by any individual to any other person, business or organisation that holds personal data about them. DSARs can therefore arise in any number of contexts, but a large proportion are made in an employment context, often by employees facing disciplinary action, redundancy or performance management who want to obtain information from their employer (or ex-employer) as a form of advance disclosure before raising a claim. With a number of redundancies likely once the Government’s furlough scheme comes to an end in October, it is expected that there will be a spike in the number of DSARs received by businesses as employees seek to understand why they have been selected for redundancy.
Dealing with DSARs can be both costly and time consuming for businesses. This is because organisations are expected to identify all the data they hold in respect of an individual, redact or exclude any information that relates to third parties, is privileged or is otherwise exempt, and provide a copy of the individual’s data to them without undue delay and in any event within one month of receipt (Article 12(3) GDPR). That period can be extended by a further two months where necessary, taking into account the complexity and number of the requests. Despite the obvious challenges businesses face during the current pandemic, such as accessing physical records located in the office, the basic one-month timeframe remains unchanged. The UK Information Commissioner’s Office (ICO) has said that, whilst it recognises that a reduction in resources could impact an organisation’s ability to respond to DSARs, it cannot extend statutory timescales, and it advises organisations to continue to comply with their data protection obligations as far as possible.
This is significant, particularly as businesses are likely to see a new surge in DSARs at a time when their resources and outlay are already fully stretched. However, data protection compliance must remain a priority. Failure to comply with a DSAR can result in significant fines from the relevant authorities, which could be as much as €20 million or 4% of the company’s total worldwide annual turnover, whichever is higher.
Here are our top tips for managing DSARs:
1. Act straight away – There is often a huge amount of work involved in dealing with a DSAR, and managing the process is likely to take longer during these difficult times. If you receive a DSAR, you should act straight away. If you hold a large amount of information about an individual, you can ask the individual to specify the information or the processing activities their request relates to in order to narrow the scope of any search. This is likely to be crucial in an employment context, not least because employees usually ask for an electronic search of their name. That search would bring up thousands of emails the employee has sent, received or been copied into during their employment, so narrowing the scope of the search is going to be the key to compliance. Often, employees are looking for information about a specific issue, and agreeing with them what that issue is will help to narrow the scope. It is important to note, however, that a request for clarification from the employee does not ‘stop the clock’ on the time limit for providing the response, although in an employment context, particularly with long-serving employees, complying with a request is likely to fall into the ‘complex’ category for the purposes of extending the time for reply.
2. Know when you can say no – There are a limited number of circumstances in which you can refuse to comply with a DSAR, and it is very likely that some of them will apply in an employment context. They include: information over which legal professional privilege can be maintained; confidential references; personal data processed for the purposes of management forecasting or management planning in relation to the business or other activity, where complying with the request would prejudice the conduct of that business or activity; some regulatory matters; records of negotiations with the data subject, where disclosure would prejudice those negotiations; and requests that are manifestly unfounded or excessive (a test the ICO interprets narrowly). In addition, issues are likely to arise over the disclosure of personal data of a third party (a work colleague), on which see 5 below. It is important to apply any exemption correctly to avoid an allegation, and a possible finding, of non-compliance. Importantly, it is not possible to refuse a request simply because it amounts to a request for advance disclosure in contemplation of proceedings.
3. Understand what “personal data” is – “Personal data” means any information relating to an identified or identifiable natural person. This means that you need to disclose any information you hold about a person where that person can be identified from it. It might include information about that person’s movements, their salary or expenses, information recorded about their performance, money they owe, transactions they have made, or complaints they have made or which have been made against them (subject to the application of one of the exemptions). Most commonly you will know that information is about a person because it carries their name, but the identifier could also be an ID number, location data, an online identifier such as an IP address, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity (biometric data, for example).
4. Ensure you have a DSAR process in place – Delays in responding to DSARs are often down to organisations not having a documented process for handling them. To respond to a DSAR quickly and accurately, it is imperative to have a DSAR process in place that lets you understand where your internal data resides and which internal stakeholders need to be consulted. It is also important to understand what exemptions exist and which of them are most likely to be relevant to your business.
5. Know what information you can/cannot disclose – A DSAR gives an individual the right to see their own personal data, rather than a right to see copies of documents that contain their personal data. Usually the easiest way to provide the relevant information is to supply copies of the original documents, but you are not obliged to do this. Often the information to be provided will also relate to or name a third party. If so, there is no obligation to comply with the DSAR insofar as doing so would disclose the identity of the third party, unless the third party consents or it is reasonable in all the circumstances to comply with the DSAR without their consent. In practice this means you need to decide whether it is appropriate to disclose information relating to a third party on a case-by-case basis, balancing the data subject’s right of access against the other individual’s rights.
6. Consider how technology can help – Digitising hard-copy records and using search and review tools can reduce the effort needed to respond to a DSAR. A number of AI-assisted solutions are now available that help businesses collect and collate structured and unstructured data, allowing DSARs to be managed more quickly and efficiently.
7. Adopt a robust Data Retention Policy – The less data you hold about an individual, the less information you will have to sift through, and potentially disclose, when responding to a DSAR. By adopting a robust data retention policy you can therefore better manage the burden of a DSAR. However, it is not acceptable to amend or delete data once a request has been received if you would not otherwise have done so. Under section 173 of the Data Protection Act 2018, it is an offence to alter, deface, block, erase, destroy or conceal information with the intention of preventing its disclosure to the person entitled to receive it.
8. It’s not all about access to data – While most of the time spent responding to a DSAR will usually be spent searching for and reviewing personal data, a person who makes a DSAR is entitled to more than just a copy of their data. Under Article 15 of the GDPR they must also be given other information about the personal data held on them, including the purposes of the processing, the categories of data concerned, the recipients to whom it has been or will be disclosed, the source of the data where it was not obtained from them, how long it will be kept (or the criteria used to decide that), and whether it is used for automated decision-making, including profiling.
Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.