An Overview
It is fundamental for individuals to have the right of access to their own data and the right to request such data is commonly known as a Data Subject Access Request (DSAR).
Personal data means any information about a living person, that either identifies, or could identify, that person. This covers various types of information such as name, address, date of birth, email address, phone number, physical characteristics, location data.
Access requests can be an onerous task for organisations acting as controllers of personal data either because of the volume of requests or the size or complexity of individual requests. This often leads to non-compliance under GDPR.
The most common issues with access requests are:
· Delay – controllers take too long to respond or fail to meet their statutory deadlines.
· Lack of communication - data subjects feel there is no one to contact.
· Lack of detailed explanations – individuals feel their questions are not answered, incomplete and unsatisfactory information is provided, or responses are generally unclear and unhelpful.
In Ireland, the DPC has been vocal that their focus will be on enforcement going forward.
Rights & Responsibilities
The GDPR entitles data subjects to request and receive certain confirmations and information from a data controller about their personal data held by that controller, as well as a copy of all personal data held.
The GDPR entitles data subjects to request from a controller:
1. Confirmation on whether the controller does hold their personal data
2. A copy of all personal data held by the controller in respect of that individual
3. Supplementary information in respect of the personal data, for example, information about the source of the data and the retention period for storing personal data
4. It is important to note that an individual does not have the right to access information relating to other individuals
The obligation to respond to a DSAR falls on the data controller, not on a data processor. Controllers should have documented processes in place with their processors to ensure that they can obtain the necessary assistance if required to respond to a request. In the case of joint controllers, there should be transparent and documented procedures in place setting out responsibilities for responding to DSARs.
DSARs can come from any individual whose data is held or processed (directly or indirectly) by that controller, for example, an employee, a customer, a litigant, a supplier, a consultant or any other individual in respect of whom the organisation controls personal data.
Timelines
Controllers must respond to a valid request without undue delay and at the latest within one month of receiving the request. The one-month clock starts ticking from the day of receipt, no matter what day it falls on.
An extension can be sought of up to a further two months if the request is complex or if that controller has received a number of requests from the same individual. The controller must inform the individual of any extension within one month of receiving the request and explain to them why the extension is necessary.
Controllers should ensure they have a dedicated way for data subjects to make a request, typically done through online forms or dedicated email addresses.
However, it must be noted that data subjects are not obliged to follow the prescribed route to make the request. It is therefore crucial for a controller to have procedures in place to ensure that requests are recognised when made and dealt with in a timely manner.
Confirming the Data Subject’s Identity
There is a need to confirm the requester’s identity. When requesting identity verification, the controller must ensure that the request is reasonable, proportionate and does not unduly create obstacles for the data subject.
Where special category data is concerned, or the information is particularly sensitive, more stringent identity checks are likely to be justifiable.
What Must Be Provided?
Controllers are required to search for and locate the personal data relating to the data subject. There is no exemption for archived or back up data. The controller should respond in the format the request was made, unless otherwise specified.
A controller might have a legitimate reason for not complying with a request and there are a number of exemptions from the right of access under the Data Protection Act 2018. However, controllers should apply a high threshold in determining whether any of the exemptions apply.
Next Steps
When a request is received:
1. Respond to the requester confirming receipt
2. Verify the requester’s identity
3. Using whatever systems are available, set reminders in respect of the relevant statutory deadlines
4. Notify all relevant internal stakeholders who will be required to retrieve the data, a well as any external service providers who the controller may seek assistance from in complying with the request. e.g. IT service providers, legal service providers
5. Engage with any data processors who may be processing the personal data on behalf of the controller
Personal data that is not on the controller’s systems but is held by data processors who process the data on behalf of the controller and any data held on personal devices, like laptops or mobile phones are also in scope.
Early engagement with processors is critical to ensure there are no delays in retrieving the information from processors. Following completion of all searches, the controller will have a data set containing all files with personal data relating to the requester.
The controller will need to undertake a review of the data set to assess what information is contained in the files and whether any of it should be redacted or withheld. The review and redaction process can be extremely time consuming for controllers, especially for DSARs that are complex or sensitive. Controllers should ensure that they have internal and/or external resources available to conduct the review and redaction process.
Almost every data controller will be relying on data processors for some processing activities and will need to engage with these processors to locate all personal data.
Preparing for DSARs
Every organisation will be faced with a DSAR at some point so it is critical to put in place a process for responding to requests. The procedure should clearly identify the individuals within the organisation and any external service providers who will be required to contribute to responding to the request. In advance of receiving a request, an organisation should have an exhaustive list of all locations where personal data may be located. This should include:
- All IT systems (whether proprietary or third party)
- Physical storage locations (whether on premises or remote)
- Devices (including phones, tablets, laptops and desktop computers, whether located on premises or remotely) and
- Data processors
Specific, well drafted and enforced data retention and deletion policies can also be very helpful for an organisation when it comes to fulfilling a request.
See a summarised version here:
Technology can play an important role in automating or speeding up parts of the process. There are different tools available for different parts of the process. There are platforms that enable logging and recording of requests with approval workflows for completion, tools to automate some or all of the scanning of company IT systems for data and platforms for digital review and redaction.
The volume of DSARs is expected to continue increasing over the next few years. Many DSARs involve employees in contentious situations such as a dispute or the employee has been dismissed. Employee DSARs can be particularly sensitive and more likely to lead to further complaints and enforcement action.