The implementation of the General Data Protection Regulation (hereinafter referred to as “GDPR”) in the European Union in the year 2018 aimed to restore individuals’ authority over their personal data.
This objective is achieved by granting eight data subject rights, one of which is the right of access. Although the right to access is not a new concept, the GDPR expands upon it by introducing mandatory categories of information that organisations must provide.
This right enables individuals, referred to as data subjects, to obtain details about how an organisation manages their personal data, including the reasons for its collection, how it is used, and other relevant information, by submitting a Data Subject Access Request (hereinafter referred to as “DSAR”) to the company. Access requests are the most common of the various types of request that exist.
Therefore, to comply with the GDPR, organisations must have efficient procedures in place to promptly handle access requests, verify the identity of the requesters, and supply the requested information within the specified timeframe. By honouring the right of access, organisations demonstrate their dedication to transparency, accountability, and adherence to the GDPR’s principles, thus empowering individuals to take control of their personal data.
On May 24, 2023, the United Kingdom Information Commissioner’s Office announced that it had published new guidance for businesses and employers on responding to subject access requests. The new guidance is intended to assist employers in responding to subject access requests correctly and within statutory timelines, and to ensure that employees have access to their personal data when they want it.
This article will explore the applicable data protection laws and regulations, along with the procedure to file a DSAR.
CONCEPT OF DATA SUBJECT ACCESS REQUEST
The DSAR has been a feature of data protection law in the United Kingdom (UK) since the Data Protection Act of 1998 and continues to be so.
A DSAR refers to a request made by a data subject to access and obtain information about the personal data that an organisation holds about them. The purpose of a DSAR is to allow individuals to have more control over their personal data and to ensure transparency and accountability in data processing practices.
By submitting a DSAR, individuals can seek information about various aspects of their personal data, including the purposes for which it is being processed, the categories of data being processed, the recipients of the data, the sources of the data, and any other relevant details regarding the processing of their personal data.
Under data protection laws, organisations are generally required to respond to DSARs within a specified timeframe and provide the requested information to the data subject. This allows individuals to understand how their personal data is being used and to exercise their rights, such as rectification, erasure, or restriction of processing, if necessary.
Most importantly, the specific procedures and requirements for submitting a DSAR can vary depending on the jurisdiction and the applicable data protection regulations. To ensure compliance with the relevant requirements when making a DSAR, the laws and regulations of the jurisdiction in which the company is located should be consulted.
DATA SUBJECT ACCESS REQUEST – RELATION TO CCPA AND GDPR
DSAR and CCPA
The California Consumer Privacy Act (hereinafter referred to as “CCPA”), and its follow-up, the California Privacy Rights Act (hereinafter referred to as “CPRA”), uphold similar rights as to data access. To comply with Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125 of the CCPA, a business must ensure that certain information is easily understandable and accessible to consumers. Key highlights are:
1. Provide multiple designated methods for consumers to submit requests for the information to be disclosed pursuant to Sections 1798.110 and 1798.115 of the CCPA, including a toll-free phone number. An online business that has a direct relationship with a consumer from whom it collects personal information is only required to provide an email address for such requests pursuant to Sections 1798.110 and 1798.115 of the CCPA.
2. Disclose and deliver the requested information to consumers without charge within 45 days of receiving a verifiable consumer request. The business should promptly verify the request but must deliver the information within the initial 45-day period.
If necessary, the business can extend the time by an additional 45 days and must notify the consumer of the extension within the initial 45-day period. The information should cover the preceding 12-month period and be provided in writing through the consumer’s account (if available) or by mail or electronic means in a usable format that allows easy transmission between entities. The business may require reasonable authentication, but not the creation of an account, for a verifiable consumer request submitted by a consumer with an account.
DSAR and GDPR
The GDPR has afforded consumers DSAR rights the longest, officially describing the right of access in Recital 63 of the GDPR as follows:
“A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”
Article 15 of the GDPR grants individuals the right to receive confirmation from the data controller about the processing of their personal data. In simpler terms, individuals have the right to know whether their personal data is being processed by the organisation responsible for it.
According to the regulations, businesses have a timeframe of 30 days to respond to a DSAR, with the possibility of extending it by an additional 30 days in specific situations. The guidelines do not specify any format for DSARs. This means that if a consumer contacts the relevant helpline and simply requests access to their data, the organisation is obligated to grant that request.
SUBMISSION, RESPONSE, AND TIMELINE FOR RESPONSE FOR DSAR
Who can submit a DSAR?
Any individual who is the subject of personal data held by an organisation has the right to submit a DSAR. This right is provided by data protection and privacy laws.
DSARs can be submitted in various ways, either in writing or verbally. For instance, individuals can make a request over the phone, fill out a form on a website, or communicate through channels like social media.
They can address the request to any person within the organisation, such as the marketing department, and they are not required to explicitly label it as a DSAR or to refer to the GDPR or any specific right. The organisation has an obligation to acknowledge and respond to the request regardless of how it is presented.
Given this, it is crucial for key personnel and departments within the organisation to be well-informed about data subject rights, to verify the requester’s identity either via email or photo identification, and to refrain from requesting formal identification documents. They should be able to recognise DSARs and understand the necessary steps to take when receiving such requests.
Who should respond to a DSAR and what is the timeline for response?
In some organisations, the appointment of a Data Protection Officer (hereinafter referred to as “DPO”) is mandatory, while in others, it may not be required. However, regardless of whether a DPO is appointed or not, it is essential for the organisation to designate an individual responsible for compliance. This person will have a holistic understanding of DSAR processes and will ensure that all requests are documented and resolved in a timely manner.
It is not necessary for the DPO to personally handle every request, but they should have oversight and control over the DSAR processes to ensure compliance. Implementing automation can greatly enhance the efficiency of managing DSARs and minimise the risk of requests being inadvertently overlooked or neglected.
The key personnel first authenticate the DSAR, verify the subject’s identity, collect the personal information, review it, and then deliver the information to the data subject together with an explanation of the subject’s rights. DSARs can also be rejected on the grounds that the request is manifestly unfounded or excessive.
DSARs must be addressed promptly and within 30 days of receiving the request, without any unnecessary delay. In cases where the requests are numerous or complex, there is flexibility to extend the response time by an additional 30 days (or 45 days under the CCPA/CPRA). Failure to meet these deadlines can result in substantial fines and regulatory penalties, which can significantly damage the organisation’s reputation.
CHALLENGES FACED IN RESPONDING TO A DSAR
Responding to a DSAR poses various challenges for organisations. Firstly, identifying relevant data scattered across multiple platforms and formats can be complex and time-consuming. Secondly, ensuring data security throughout the process adds a further layer of complexity and requires stringent measures to protect personal data from unauthorised access or disclosure. Thirdly, handling third-party data and coordinating with external parties to obtain the requested information within the specified timeframe can be logistically challenging.
Additionally, legal considerations also play a role in responding to DSARs. Understanding and complying with exemptions, restrictions, and data protection regulations applicable to specific jurisdictions can be complex. Resource allocation is another significant challenge, as dedicated personnel, time, and technology are required to handle DSARs efficiently. Organisations with limited resources or a high volume of requests may struggle to allocate sufficient resources to meet the response deadlines.
To overcome these challenges, organisations can implement robust data management practices, establish streamlined DSAR processes, leverage automation and technology tools for data retrieval and redaction, provide comprehensive training to personnel, and ensure ongoing compliance with data protection regulations.
By effectively addressing these challenges, organisations can fulfil their obligations, protect individuals’ data privacy rights, and mitigate the risk of fines and reputational damage associated with non-compliance.
ICO’S NEW DETAILED GUIDANCE ON DSAR
The Information Commissioner’s Office (hereinafter referred to as “ICO”) has released updated guidance on handling DSARs under the GDPR. The new guidance provides clarity on certain aspects of the law that were previously unclear. For employers dealing with employee DSARs, there are specific developments to consider:
1. Stopping the clock: The guidance explains that organisations can pause the response time limit if they require clarification on the scope of the DSAR. However, this clarification request must be genuine and made promptly, especially when dealing with a large amount of information about the individual. Organisations should not seek clarification indiscriminately to delay the response.
2. Definitions: The guidance also provides further clarification on the terms “manifestly unfounded” and “manifestly excessive.” An organisation can refuse to comply with a DSAR if it falls under these categories. “Manifestly unfounded” refers to instances where the individual has no genuine intention to exercise their right of access or if the DSAR is maliciously used to harass the organisation without a valid purpose. “Manifestly excessive” requires organisations to assess whether the request is proportionate considering the burden of costs involved and other circumstances surrounding the DSAR.
3. Reasonable Fee: The guidance acknowledges that a “reasonable fee” can be charged for administrative costs if the DSAR is manifestly unfounded or excessive, or if the individual requests additional copies of data. Determining a reasonable fee involves considering various factors, such as the activities involved in processing the information, locating and retrieving it, providing copies, and communicating the response to the individual. Organisations should be cautious not to double charge individuals and should include costs like photocopying, printing, postage, and staff time in the fee.
The updated guidance from the ICO on handling DSARs provides valuable insights for organisations navigating the requirements of GDPR. The guidance addresses specific challenges faced by employers when responding to employee DSARs.
With clarification on pausing the response time for DSARs requiring scope clarification, organisations can ensure efficient handling of requests while maintaining compliance. It also highlights the option of charging a reasonable fee for certain DSARs, based on administrative costs. However, organisations must carefully consider the factors involved in determining the fee and avoid double charging.
Overall, effective management of DSARs requires organisations to have knowledgeable personnel, streamlined processes, and a commitment to timely and compliant responses. By navigating DSARs appropriately, organisations can uphold data privacy rights, build trust with individuals, and safeguard their reputation in terms of data protection and privacy compliance.
– Team AMLEGALS assisted by Ms. Shivangi Banrjee (Intern)
For any query or feedback, please feel free to get in touch with firstname.lastname@example.org or email@example.com