DATA SUBJECT ACCESS REQUESTS: MANAGING COMPLIANCE


Data Subject Access Requests (DSARs) can become quite complex, particularly where multiple categories of personal data are processed (used and/or stored). Despite this, following a structured yet flexible approach to managing DSARs can be a panacea for your organisation if it is ever reported to the Information Commissioner's Office (ICO). Below is a snapshot of the key themes to remember when dealing with DSARs:

Streamline the basics

Article 15 of the General Data Protection Regulation (GDPR) and s.45 of the Data Protection Act 2018 (DPA 2018) make clear that a controller is obliged to provide a data subject with confirmation that his or her personal data is being processed. This enables individuals to find out what personal data you hold about them, why you hold it and who you disclose it to.

Implicit in this is how fundamental adequate controls and processes are to good information-handling practices.  

Therefore, companies must train their staff to recognise a DSAR; have a policy setting out the steps to be taken when responding to a DSAR (available both on the company intranet and in hard copy for quick reference); and have buy-in from senior stakeholders to complete the DSAR within one month.


Going Granular

It is not enough simply to confirm (as a data controller) that you process a data subject's data. A definite theme concerns transparency (Art. 5(1)(a) GDPR / s.35(1) DPA 2018) and accountability (Art. 5(2) GDPR / s.34(3) DPA 2018). In line with this, when a DSAR is carried out, a data subject is entitled to receive:
  • the purposes of and legal basis for the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipients to whom the personal data has been disclosed (including recipients or categories of recipients in third countries or international organisations);
  • the period for which it is envisaged that the personal data will be stored or, where that is not possible, the criteria used to determine that period;
  • the existence of the data subject's rights to request from the controller the rectification of personal data, and the erasure of personal data or the restriction of its processing;
  • the existence of the data subject's right to lodge a complaint with the Commissioner, and the contact details of the Commissioner;
  • communication of the personal data undergoing processing and of any available information as to its origin.

Understand the risks

The importance of assessing the risks involved when dealing with a DSAR cannot be overstated. The DPA 2018 contains certain exemptions (located within Schedule 2) that may be relevant to litigation.

The exemptions are from a list of GDPR requirements, including the requirement to notify the data subject. They may apply, for example, where disclosure of data is required by law or by an order of a court or tribunal. Another example is where the disclosure is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings).

While these exemptions do not remove the need for a legal basis for processing, they would be relevant, for instance, to whether a transfer may be lawful in the absence of an adequate privacy notice. They may also vary between EU Member States, notwithstanding the GDPR.

This can result in varying levels of complexity across different Member States, which it is essential to keep in mind when conducting the DSAR.

Manage the risk

The risk for many companies is that actual and potential litigants often use DSARs as a litigation tactic: a so-called "fishing expedition" to obtain either pre-action disclosure or disclosure whilst proceedings are ongoing.

This may allow potential litigants access to information they should not be privy to. The UK Court of Appeal made clear in Dawson-Damer & Ors v Taylor Wessing LLP [2017] EWCA Civ 74 (at 91) that the actual motivation for making a DSAR is irrelevant, and (at 93) that the court is well placed to deal with any abuse of process. That is not to say that an "absence of a legitimate reason" won't be given probative weight by a court exercising its discretion to order compliance with the DSAR, as shown by Lewison LJ (at 86-90) in Ittihadieh v 5-11 Cheyne Gardens & Ors and Deer v The University of Oxford, with the Information Commissioner intervening, [2017] EWCA Civ 121. Finally, there is now a considerable body of case law in England and Wales recognising that it is no objection to a DSAR that it is made in connection with actual or contemplated litigation.

As such, ensure that your systems, processes and people can recognise and act on any request. Be pragmatic and empathetic towards data subjects' needs, but don't fall into the trap of failing to "see the forest for the trees". Failing to deal adequately with a DSAR and/or replying late can bring ICO scrutiny to the fore, which adds strain to business resources and expenditure. So long as you can show regulators that you follow a structured yet flexible approach, both in managing personal data processing and in the subsequent record-keeping, you will be viewed favourably.
