Learn what data subject access requests are, how to handle them and some best practices for managing them effectively.
Introduction
Within England and Wales there is a suite of legislation, including the UK General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“the DPA 2018”) (collectively the “Data Legislation”), introduced to protect individuals’ personal data. In this context individuals are known as “Data Subjects”, and how their data is processed by those holding the data (the “Data Controllers”) is highly regulated.
One of the rights granted by the Data Legislation is the right of Data Subjects to access their personal data. Individuals can send what is known as a Data Subject Access Request (“DSAR”) to an organisation or other Data Controller in order to establish what information is held about them, how it is held and how it is used/processed. Over the years, businesses have seen an increase in the number of DSARs received, with an EY Law survey in 2023 stating that 60% of respondents in disputes reported an increase in DSARs between 2022 and 2023.
Litigation lawyers have found that DSARs are a popular and tactical way for individuals to gather information from an organisation (whether it be their employer or otherwise) in anticipation of bringing a claim against a Data Controller. This may be more of a fishing exercise than a request made to understand what data is held. It can provide a claimant with an opportunity to see if any suspicions or grievances they have are supported by evidence — allowing them to see the lie of the land before a formal litigation process is initiated.
The Data Legislation imposes a number of obligations on those receiving a DSAR. Not handling a DSAR properly can lead to complaints, reputational damage and enforcement action, including fines which can amount, in the most serious cases, to £17.5 million or 4% of the organisation’s total annual worldwide turnover, whichever is higher.
What is a DSAR?
There is no prescribed form of DSAR under the Data Legislation. As such, these requests may be made in writing or orally. Furthermore, they may be made in hard copy or electronic form (such as via email or even through social media platforms). It therefore may not be clear, at the outset, that a DSAR has actually been made, so it is important to clarify this, as well as the requester’s identity, as soon as possible when any form of request is received.
Any individual whose personal data is being processed can make a DSAR to a Data Controller — so the pool of people who are in a position to launch a DSAR is wide. Requests may come from customers, clients, current and former employees and even job applicants. Third parties may make a request on behalf of another party. However, the ICO advises that evidence of entitlement to act on behalf of the data subject (such as written authority) should be sought.
It should be noted that if a DSAR is received, you must respond to it without undue delay and in any event within one month of receipt of the request. The time to respond can be extended by two further months, depending on the complexity and number of the requests. Any extension must, however, be communicated to the requester within one month of receipt of the DSAR, together with the reasons for the delay.
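The one-month and two-further-month periods above are calendar months, which makes month-end requests an easy place to miscalculate. The following is an added example (not from the original article or from Weightmans) of a small deadline calculator. It assumes the ICO's published method of counting: the deadline is the corresponding calendar date in the following month, or the last day of that month where no corresponding date exists (for example, a request received on 31 January falls due on 28 or 29 February), and an extended deadline is three months from receipt on the same basis. The dates used are constructed for illustration.

```python
import calendar
from datetime import date


def add_months(start: date, months: int) -> date:
    """Return the corresponding calendar date `months` ahead of `start`.

    Assumption (ICO counting method): if the target month is shorter and has
    no corresponding day, clamp to the last day of that month.
    """
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def dsar_deadlines(received: date, extended: bool = False) -> dict:
    """Key dates for a DSAR received on `received`.

    - initial_deadline: one month from receipt (respond in any event by then)
    - notify_extension_by: any extension, with reasons, must reach the
      requester by the initial deadline
    - final_deadline: the initial deadline, or three months from receipt
      (one month plus two further months) if the extension is relied on
    """
    initial = add_months(received, 1)
    final = add_months(received, 3) if extended else initial
    return {
        "received": received,
        "initial_deadline": initial,
        "notify_extension_by": initial,
        "final_deadline": final,
    }


def dsar_status(received: date, today: date, extended: bool = False) -> str:
    """Classify a request as 'open', 'due_today' or 'overdue' as of `today`."""
    final = dsar_deadlines(received, extended)["final_deadline"]
    if today < final:
        return "open"
    if today == final:
        return "due_today"
    return "overdue"


if __name__ == "__main__":
    # Constructed sample: a request received on a month-end date in a leap year.
    for received in (date(2024, 1, 31), date(2023, 3, 31), date(2024, 11, 30)):
        print(received, dsar_deadlines(received, extended=True))
```

A practical use is to feed every logged request through `dsar_deadlines` when it is recorded, so that the extension notice date is fixed on day one rather than rediscovered late in the month.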
You’ve received a DSAR — what should you do?
Stage 1
The first stage is identifying that the communication received is definitely a DSAR. Once this has been confirmed, action should be taken immediately to ensure compliance with the one month time limit. You also need to be clear on what data the request relates to, for example whether it covers all the information held about an individual, data between certain dates, or something narrower. Where necessary, clarification should be sought as soon as possible.
Stage 2
The business will then need to take steps to find and gather data which falls within the scope of the request. This will involve searching all relevant IT and paper filing systems, including email inboxes, HR software, storage and archiving facilities, for any relevant data. Organisations are expected to make reasonable efforts to find and retrieve the requested information. What is considered “reasonable” is dependent on the circumstances of the request and any difficulties involved in locating the data. Once the data is obtained, this will need to be examined to ensure:
- any irrelevant data is removed;
- any third party’s personal data is redacted (unless that third party has consented, or it is otherwise reasonable to disclose it without their consent); and
- any legally privileged or confidential information is excluded where an exemption applies.
Stage 3
Prepare and send out your response. The data should be provided to the requesting party in a secure manner, in a clear and structured format, and the response should explain what data, if any, has been withheld and the reasons why.
Pre-litigation fishing exercise?
It is not uncommon for individuals to issue DSARs prior to the commencement of litigation against an organisation. This can sometimes be done as a tactical way to obtain information from the company, ahead of the formal requirement to do so within the disclosure stage of the litigation process. Complying with a DSAR can be onerous and put pressure on a party to settle early, in order to avoid the need to continue to deal with the request.
Some DSARs are clearly intended as a means of applying pressure on a potential respondent to a claim. They can also be used aggressively to harass and cause disruption to an organisation, particularly where significant costs will need to be incurred in order to obtain the information requested. In these cases the request may be refused; however, the burden of proof is on the Data Controller to show that the request is manifestly excessive or unfounded. Alternatively, where the request is excessive but is not refused, a reasonable fee can be charged for the administrative costs of complying with it.
Best practices for managing DSARs efficiently
Whilst DSARs are free for a Data Subject to make, they can end up being costly in both time and resources for businesses. What can you do to maximise efficiency and remain compliant in what may be a difficult situation?
- Implement a clear DSAR Policy — have a formal process in place which sets out how requests will be dealt with and by whom, how long records will be retained, the steps for locating and retrieving personal data, and how that data will be reviewed.
- Utilise automated DSAR Management tools — there is software available which can help organisations track and respond to DSARs efficiently in-house. These can provide you with pre-built response templates, as well as secure file-sharing capabilities which can help ensure compliance with all relevant requirements under the legislation.
- Implement staff training — ensure employees and all relevant staff understand the importance of DSARs, how to identify them and their role in compliance. It is useful for staff to be aware that all data which identifies a data subject (including Teams chats, WhatsApp messages, etc.) can fall within the scope of a request and may be disclosable and therefore, care should be taken when communicating on such platforms.
- Maintain an updated data inventory — Have an up-to-date record of where personal data is stored and how to retrieve it quickly.
Here at Weightmans, we are happy to assist you with any queries you may have in respect of the complex world of DSARs.
Please do not hesitate to get in touch with a member of our team of commercial litigation lawyers for further information as to how we can assist.