With the use of Data Subject Access Requests (DSARs) becoming increasingly common, it is important that anyone dealing with personal data understands what a DSAR is, when it can be used, how an organization should respond to the request and the timeframe for its response. Even entities which have already handled one or more DSARs should reflect on whether their procedures are in line with the required approach. A key trend in decisions by data protection authorities in the Channel Islands relates to failures by organizations to properly respond to DSARs, and this has resulted in public reprimands being issued.
A useful starting point is either section 15 of the Data Protection (Bailiwick of Guernsey) Law, 2017 or article 28 of the Data Protection (Jersey) Law 2018 which affords individuals the right to be provided with confirmation as to whether or not an organization is holding or using their personal data and, if it is, the right to be provided with a copy of that personal data (subject to certain exceptions or exemptions). The provisions of the Channel Islands’ data protection legislation will look familiar to anyone who has dealt with DSARs in the UK, EU or any other country that has been deemed to have data protection legislation equivalent to the GDPR.
We set out below some key points which organizations may want to consider when receiving and responding to a DSAR.
What is a DSAR?
Broadly speaking, a DSAR is a request by an individual in which they ask “what do you know about me?”. Any information identified in response is likely to be the personal data of that individual. The DSAR captures all of the individual’s personal data, and “personal data” is any information relating to an identified or identifiable individual. The DSAR can be made in any format and need not mention “data subject access request”, so the organization’s staff must be able to spot a DSAR when it arrives.
First steps and identity
It is recognized good practice for an organization to send the requesting individual an acknowledgment of the DSAR, and this can be combined with a request for information to verify that the DSAR is genuine. If the individual’s request for information is very wide, this is also a chance to invite the individual to narrow their request to see if there is something they are particularly interested in. If the individual does not wish to narrow the scope, this cannot be used to avoid responding to the DSAR.
The first question the organization (being the “controller”) should ask itself when a DSAR is received is “are we sure this individual is who they say they are?”. In the event that the organization has any reason to doubt the requestor’s identity, it may request any additional information that is reasonably necessary to provide the verification. When the identity of the requesting individual cannot be verified despite the organization taking reasonable steps, the individual will not be entitled to exercise any data subject right and the organization will not be required to give the information. Where a third party is making a DSAR on behalf of a data subject then the organization must satisfy itself that the request being made is genuinely by the individual whose data is being sought.
Once a DSAR is received and the organization is satisfied that the request is genuinely from the individual, the clock for responding to the DSAR starts.
Organizations in Jersey have a maximum response time of four weeks and those in Guernsey have one month, although in both Jersey and Guernsey this can be extended for a period of a further eight weeks / two months (respectively) in certain circumstances.
What information should be provided?
As well as providing the individual with a copy of any personal information held by the organization (subject to certain exemptions and exceptions – see below), the organization must provide a statement setting out certain additional information relating to the use of the individual’s personal data.
The contents of this statement are very similar to the information that must be included in the organization’s privacy notice.
When the organization provides copies of information to the data subject, this information must be provided free of any charge, except in the case where the individual is asking for further copies. If the organization is not going to comply with all or any part of a request, it must notify the individual of the reasons for the organization not so complying and that the individual has the right to complain to the relevant data protection authority.
Often the key challenge for an organization responding to a DSAR is ascertaining where to search for the personal data and then subsequently sorting through the data retrieved to extract the information. Electronic storage systems and structured physical filing systems must be searched, including archived and back-up data. This can be a time consuming exercise although IT solutions are available to help with this process.
Exceptions and Exemptions
If any part of a DSAR is ‘manifestly unfounded’, the organization may refuse to give the information or take the action requested in that part of the request. Similarly, if any part of the request is frivolous, vexatious, unnecessarily repetitive or otherwise excessive under the Guernsey legislation, or manifestly vexatious or excessive under the Jersey legislation, the organization may either refuse to provide the information or may provide the information but charge a reasonable fee for the administrative costs of doing so. Any organization intending to rely on these exceptions must be certain that it is entitled to do so and must be ready to evidence this to the relevant data protection authority.
The organization should keep in mind that a DSAR is ‘purpose blind’, meaning that it is a free standing right of individuals, even where that individual is in conflict with the organization. Employers in particular have faced criticism from the data protection authorities where the employer has failed to properly respond to a DSAR from a hostile former employee on the grounds that the information was going to be used in legal proceedings.
There are also a number of instances where data, although strictly within the ambit of a response to a DSAR, can be withheld by the organization because one of the exemptions in the data protection laws applies. The list of exemptions is relatively long and includes certain key exemptions which allow the organization to withhold information where the disclosure would:
- Prejudice the management forecasting or management planning of the organization;
- Prejudice current negotiations;
- Result in disclosing legally privileged information;
- Prejudice judicial proceedings.
The data protection authorities have stated that exemptions should be applied narrowly, to specific personal data in specific circumstances and should be carefully considered and their use fully justified. All decisions to rely on an exemption should be documented and the organization should be prepared to share that documentation with the relevant authority if it is asked.
Often the individual’s personal data is mixed with that of one or more other people and this places the organization in a more difficult position. The requesting individual is entitled to their own data but not to the personal data of other people. Here the organization needs to undertake a balancing exercise. With appropriate redactions the information might still be shared. Alternatively it could be appropriate for the organization to see if the other person would object to their information being disclosed.
Manner of Response
Where the organization is required to provide information in response to the DSAR, and none of the exceptions or exemptions apply, the organization must give the information to the individual in writing (unless requested to be given orally), which must be concise, transparent, easily accessible, intelligible and clearly legible. Where the DSAR was made electronically, this information must be provided by similar or commonly used electronic means, unless otherwise requested by the data subject. Organizations should note that the individual is entitled to a copy of their personal data and not to the document in which the data is held. The organization may decide that it will provide a copy of the document containing the personal data (possibly in redacted form) but the individual does not have a right to that document.
The changing landscape for DSARs?
As the GDPR and the new data protection legislation in the UK and Channel Islands bed down, the data protection authorities are refining their guidance on DSARs and issuing decisions where organizations have failed to meet their obligations. For more information about this direction of travel please see this article.
Organizations should also be aware of the other rights given to individuals contained within the data protection legislation. These rights include the right to rectification, to erasure, to restriction of processing, to data portability, to object to processing for direct marketing purposes or not to be subject to automated decision-making. In each case the organization must take all reasonable steps to facilitate the exercise of these data subject rights.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.