As Data Subject Access Requests (DSARs) become increasingly common, anyone handling personal data needs to understand what a DSAR is, when it can be used, how an organisation should respond to it and the timeframe for that response. Even organisations that have already handled one or more DSARs should check that their procedures match the required approach. A notable trend in decisions by the Channel Islands data protection authorities is a focus on failures by organisations to respond properly to DSARs, and those failures have resulted in public reprimands being issued.
A useful starting point is section 15 of the Data Protection (Bailiwick of Guernsey) Law, 2017 or article 28 of the Data Protection (Jersey) Law 2018, each of which gives individuals the right to be told whether or not an organisation is holding or using their personal data and, if it is, the right to be provided with a copy of that personal data (subject to certain exceptions and exemptions). The provisions of the Channel Islands’ data protection legislation will look familiar to anyone who has dealt with DSARs in the UK, the EU or any other jurisdiction whose data protection legislation has been deemed equivalent to the GDPR.
We set out below some key points which organisations may want to consider when receiving and responding to a DSAR.
What is a DSAR?
Broadly speaking, a DSAR is a request in which an individual asks an organisation “what do you know about me?”. Any information identified in answer to that question is likely to be the personal data of that individual, and the DSAR captures all of it: “personal data” is any information relating to an identified or identifiable individual. A DSAR can be made in any format and need not use the words “data subject access request”, so the organisation’s staff must be able to recognise a DSAR when it arrives, however it is worded and whichever channel it comes through.
First steps and identity
It is recognised good practice for an organisation to acknowledge receipt of a DSAR promptly, and that acknowledgment can be combined with a request for the information needed to verify that the DSAR is genuine. If the request is very wide, the acknowledgment is also a chance to invite the individual to narrow it, for example by asking whether there is particular information they are interested in. If the individual declines to narrow the scope, that refusal cannot be used as a reason not to respond to the DSAR.
The first question the organisation (as the “controller”) should ask itself on receiving a DSAR is “are we sure this individual is who they say they are?”. If the organisation has any reason to doubt the requester’s identity, it may ask for any additional information that is reasonably necessary to verify it, but no more than that. If the identity of the requester cannot be verified despite the organisation taking reasonable steps, the individual is not entitled to exercise any data subject right and the organisation is not required to provide the information. Where a third party makes a DSAR on behalf of a data subject, the organisation must satisfy itself that the request is genuinely made by, or with the authority of, the individual whose data is being sought.
Once a DSAR is received and the organisation is satisfied that the request genuinely comes from the individual, the clock for responding to the DSAR starts.
Organisations in Jersey have a maximum response time of four weeks and those in Guernsey have one month. In both jurisdictions this period can be extended in certain circumstances, by a further eight weeks in Jersey and a further two months in Guernsey.
What information should be provided?
As well as providing the individual with a copy of any personal data held by the organisation (subject to certain exemptions and exceptions, discussed below), the organisation must provide a statement setting out certain additional information about how the individual’s personal data is used.
The contents of this statement are very similar to the information that must be included in the organisation’s privacy notice.
When the organisation provides copies of information to the data subject, it must do so free of charge, except where the individual asks for further copies. If the organisation is not going to comply with all or part of a request, it must tell the individual the reasons for not complying and that the individual has the right to complain to the relevant data protection authority.
The Search
Often the key challenge for an organisation responding to a DSAR is working out where to search for the personal data and then sorting through what is retrieved to extract the individual’s information. Electronic storage systems and structured physical filing systems must be searched, including archived and back-up data. This can be a time-consuming exercise, although IT solutions are available to help with the process.
Exceptions and Exemptions
If any part of a DSAR is ‘manifestly unfounded’, the organisation may refuse to give the information or to take the action requested in that part of the request. Similarly, if any part of the request is frivolous, vexatious, unnecessarily repetitive or otherwise excessive (the Guernsey test) or manifestly vexatious or excessive (the Jersey test), the organisation may either refuse to provide the information or provide it and charge a reasonable fee for the administrative costs of doing so. Any organisation intending to rely on these exceptions must be certain that it is entitled to do so and must be ready to evidence this to the relevant data protection authority.
The organisation should also keep in mind that a DSAR is ‘purpose blind’: it is a free-standing right of the individual, and it applies even where that individual is in dispute with the organisation. Employers in particular have been criticised by the data protection authorities for failing to respond properly to a DSAR from a hostile former employee on the ground that the information was going to be used in legal proceedings; that is not a valid reason to refuse.
There are also a number of instances where data that falls within the scope of a DSAR can nonetheless be withheld because one of the exemptions in the data protection laws applies. The list of exemptions is relatively long and includes key exemptions that allow the organisation to withhold information where disclosure would:
- Prejudice the management forecasting or management planning of the organisation;
- Prejudice current negotiations;
- Result in disclosing legally privileged information;
- Prejudice judicial proceedings.
The data protection authorities have stated that exemptions should be applied narrowly, to specific personal data in specific circumstances, and that their use should be carefully considered and fully justified. Every decision to rely on an exemption should be documented, and the organisation should be prepared to share that documentation with the relevant authority if asked.
Mixed data
Often the individual’s personal data is mixed with that of one or more other people, which places the organisation in a more difficult position: the requesting individual is entitled to their own data but not to the personal data of others. Here the organisation needs to undertake a balancing exercise between the requester’s right of access and the interests of the other person. With appropriate redactions the information can often still be shared. Alternatively, it may be appropriate for the organisation to ask the other person whether they object to their information being disclosed.
Manner of Response
Where the organisation is required to provide information in response to a DSAR and none of the exceptions or exemptions applies, it must give the information to the individual in writing (or orally, if the individual so requests), in a form that is concise, transparent, easily accessible, intelligible and clearly legible. Where the DSAR was made electronically, the information must be provided by the same or a commonly used electronic means, unless the data subject requests otherwise. Organisations should note that the individual is entitled to a copy of their personal data, not to the document in which that data is held. The organisation may choose to provide a copy of the document containing the personal data (possibly in redacted form), but the individual has no right to the document itself.
The changing landscape for DSARs?
As the GDPR and the new data protection legislation in the UK and the Channel Islands bed down, the data protection authorities are refining their guidance on DSARs and issuing decisions where organisations have failed to meet their obligations. For more information about this direction of travel, please see this article.
Other Rights
Organisations should also be aware of the other rights given to individuals by the data protection legislation: the right to rectification, to erasure, to restriction of processing, to data portability, to object to processing for direct marketing purposes, and not to be subject to automated decision-making. In each case the organisation must take all reasonable steps to facilitate the exercise of these rights.