According to data from EY, organisations are reporting a rise in subject access requests. Recently, Nigel Farage used one as evidence that a high profile bank account closure was related to his beliefs. Rachel Easton advises on why DSARs can be difficult to manage.
When Nigel Farage alleged that his account at prestigious banking group Coutts had been closed because of his political values, he had a useful piece of evidence at his disposal.
The former head of political party Ukip, famous for his role in the Leave campaign during Brexit, had obtained a data subject access request (DSAR) from the bank showing that his views “do not align with our values”, and also claiming that there was a perception he was “racist and xenophobic”.
Under the Data Protection Act 1998, an individual can ask an organisation for copies of any personal information that it holds about them. And according to the 2023 EY Law Survey, Farage is not alone in doing this; 60% of respondents had reported an increase in DSARs in the last year.
One factor in this upwards trend, the survey argues, could be a campaign by the Information Commissioner’s Office (ICO) to raise awareness of access rights.
Risks of not responding
The ICO reported more than 15,000 subject access complaints last year. If organisations fail to respond to a DSAR within the time limit, they will likely be in breach of their obligations under Article 15 of the General Data Protection Regulation.
This may lead to more than a fine or a reprimand from the ICO. The individual making the request is likely to be quite unhappy, and depending on the circumstances such individual may bring a subsequent claim against the organisation and/or the ICO may wish to delve deeper into the organisation’s data protection practices.
While DSARs are not a new right, they continue to be a challenge for organisations, quickly draining resources needed to deal with them. This begs the question of why they are such a burden to deal with.
The initial request
Many DSARs are presented as broad requests for “all personal data” held about an individual. This is often a huge undertaking for employers, who may find themselves processing a significant amount of personal data and storing that data in a variety of internal places. For employees, this data often goes back many years.
Without further clarification on the scope of the request (or where clarification of the request does not prove helpful), a wide search involving a number of people may be necessary.
Locating personal information
“Personal information” broadly means information relating to an individual (commonly referred to as the data subject).
Given that definition, organisations will find such information in a variety of places, such as HR and payroll systems, social media platforms used for business purposes, personal data in emails and minutes, to name just a few.
This puts a vast amount of data (located in a number of places) potentially within scope of the access request.
How an organisation finds the relevant personal data depends on the nature of the data itself, how/where it is stored as well as the organisation’s approach to information management. While information stored electronically may be found and sorted easily, the potential volume of such data (and the usually unstructured nature of it) can also make it one of the most difficult tasks to tackle.
Electronic information may also be held in harder to reach places, such as archived files or backups, which can add to the time and costs of accessing the information.
Testing policies and procedures
Access requests test an organisation’s ability to locate personal data and can create internal conflict in situations where there is a risk of exposing limitations in the process or policies or procedures that are not working.
The ICO guidance states that organisations “should make reasonable efforts to find and retrieve the requested information”.
This might mean, for example, using targeted searches across each identified database. Your organisation may well have a policy or protocol in place for locating information.
After locating the information, the next step would be to review and possibly redact (or look to rely on some other exemption).
Such a step may require a variety of people within the organisation (and possibly external to it) and places demands on the business and those involved that go above and beyond “normal” day-to-day work.
While technology can be used to assist, without a tested system in place to review and redact information, the ability to locate, review and analyse information within the timeframe remains a concern.
Timeframe
The organisation must respond to a DSAR without undue delay and in any event within one month of receipt of the request. Breaking down the one-month timeframe means that on average, the organisation will only have between 20-22 working days to complete the request and respond to the data subject.
When broken down to that timeframe, the efficiency needed to complete an access request on time is evident. Even a fine-tuned system, once overrun with bulk requests, high volumes of unstructured data within one (or even three) months of the request will be difficult to deal with.
Electronic information may also be held in harder to reach places, such as archived files or backups, which can add to the time and costs of accessing the information.”
An organisation will also need to take into account any period of leave for employees integral to the process or whether to consult with professionals concerning any required technical or legal assistance in order to complete the request.
It’s worth noting that there is the possibility of extending the time limit for responding by up to two months if, for example, the DSAR is “complex”. However, not every DSAR will be complex. The ICO expressly states, for example, that “a request is not complex solely because the individual requests a large amount of information”.
The time can also be paused, but organisations should only use this where it is genuinely required and the organisation processes a large amount of information on that individual. Neither method for extending the time should be used as a default reaction on receipt of a DSAR.
DSARs and tribunal proceedings
It has long been the position of the ICO that it will not look at the motivation behind a DSAR when considering complaints by data subjects. Therefore, the time-consuming job of managing and dealing with tribunal proceedings alongside processing a DSAR can be resource heavy.
Whether or not your organisation receives DSARs on a regular basis, the ICO states that it will be important to prepare and take a proactive approach to compliance.
Consider your internal processes and whether they can be improved in light of the challenges noted here or the ones your organisation may have already come across. With the right tools and expertise to hand, organisations can manage DSARs effectively and efficiently.