The DPO Centre Answers – DSAR FAQs

Over the last six months, we have hosted a series of webinars centred around providing helpful advice on dealing with some of the most complex types of Data SubjectAn individual who can be identified or is identifiable from data. Access Requests: those in the office and medical settings.

During these webinars we received a number of interesting questions from attendees about scenarios that are common to many organisations, so we thought we would do the nice thing and share them with the group – introducing, our DSAR FAQs.

While we attempt to address specific topics, it is not possible to include in depth advice specific to your organisation. Likewise, over time supervisory authorities may issue new guidance or new laws may be implemented. Please ensure you seek appropriate advice for your specific enquiry.

Q: DSARs no longer need to be submitted in writing, but for audit purposes can we really not push back and require it in writing?

A: No – Supervisory Authorities have been crystal clear that data subjects can submit a request via any method they choose, and that includes verbally either over the phone or face to face. Whilst organisations can provide a specific email address to use, a form to fill in, or a number to call, data subjects are under no obligation to use that specific method and you cannot retrospectively force a data subject to follow up their phone call with an email, for example.

So, if you receive a request verbally, what can you do? Well first of all, it is important that the individual who receives the request transcribes the details as soon as possible so that you have an accurate record of what the requester would like, how to provide the information etc. In addition, whilst the request has come in verbally, it is a good idea to acknowledge the request in writing, which gives you the opportunity to confirm with the requester that you have understood their request correctly, ask for clarification and ID if needed, and to provide that all important audit trail.

Q: Do we need to include WhatsApp and text messages in a disclosure?

A: Maybe – unfortunately in this respect there is not a singular yes/no answer. If an organisation recognises or advocates for these communication methods as tools for business communication, they are used on work devices with work numbers, or are a commonly used method for communicating about work matters e.g.  there is a department WhatsApp group, then the information contained within those messages would be classed as information held by the organisation and therefore subject to disclosure.

If the communication is occurring on personal devices, the situation is less clear cut and should be considered on a case by case basis. However, if the organisation accepts that people use their personal phones for business purposes (having a Bring Your Own Device Policy is a good indicator), then this information may be disclosable.

Ultimately, organisations should be accountable for their decision making, so if important decisions are being made via text or WhatsApp, it seems right that it should be shared. And, if you choose not to include such communications in a disclosure, you need to be able to justify this if it were to be questioned.

Q: With data subjects becoming less keen to hand over official documents, what is the best way of verifying the identity of the data subject?

A: It depends – what you request for the purposes of validating a requester’s identity will depend upon a number of factors including the information you have in your system to verify against and the sensitivity of the information that could be disclosed in a DSAR. As a rule, the more sensitive the information that could form part of a DSAR response, the higher the bar should be set in terms of identity validation. For example, if all you hold is an email address to which you send newsletters, merely receiving the request from that email address should be sufficient to validate the individual as the email address holder. In contrast, if an individual is requesting copies of their medical records, requiring copies of official documents such as a passport or driver’s licence is perfectly appropriate. Another way of validating ID is asking the requester security questions or to verify some information that you have on file, however, it is vital that you choose questions that only the individual would know e.g., their payroll number, rather than information that is in the public domain or could easily be guessed.

If individuals are hesitant to hand over copies of documents to validate their identity, a promise to delete them once ID has been validated may serve to allay their concerns. However, ultimately it is essential that you are satisfied that the requester is who they say they are, as providing information to the wrong person is a data breach that could have potentially extremely serious consequences for the data subject. Therefore, if a requester is unhappy with providing you with a reasonable amount of information in the context with which to verify their identity, you can and should refuse to action the request.

Q: What are some examples of manifestly unfounded or excessive requests?

A: There are two main scenarios which meet the threshold for a manifestly unfounded or excessive request. First, is when a requester offers to withdraw or amend their request in return for something. This often occurs when an individual is going through an Employment Tribunal case or redundancy negotiations, whereby they will withdraw their request in return for a favourable settlement offer or severance package. It could also occur where individuals are trying to get money off a service, or a debt written off, or any other instance where you as an organisation have something you could offer in return for the withdrawal. In these scenarios, the individual is not really interested in the request itself, as such it is unfounded.

A request will meet the excessive threshold if it is one of multiple DSARs submitted by the same person, asking for the same information, over a short period of time. When considering how often is too often to submit a DSAR, you should think about how often there is likely to be changes to the information you store on individuals. For example, the UK Data Protection Index collects survey responses from its panel of privacy professionals every three months, in between times no additional data is collected. Therefore, requests submitted more often than every three months could in this context be considered excessive. In contrast, in a scenario where data is being generated far more often (where the response to the same request would be materially different after only a short period of time), a three month gap may be perfectly reasonable. It is worth noting, however, that in this context you would not be obliged to provide the information that you have already provided in a prior request – only anything additional.

Q: What do we need to do if someone complains to the ICOThe United Kingdom’s independent ‘supervisory authority’ for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc. about a DSAR response we have provided?

A: Run – joking, don’t do that. If a requester is unhappy with your response to their DSAR and ends up complaining to the Information Commissioner’s OfficeThe United Kingdom’s independent ‘supervisory authority’ for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc. (or any other Supervisory AuthorityAn authority established by its member state to supervise the compliance of data protection regulation.), the regulator will normally get in touch with you and let you know if they require you to do anything additional in order to fulfil the request appropriately. This could be providing another type of document that you may have omitted e.g. call recordings, or it could be simply providing the data subject with a further explanation as to why you have redacted or not provided certain things.

Normally you are given 7-14 days in which to action this, and we always recommend copying the regulator into your further correspondence with the data subject so they have evidence you have complied. Ultimately, however, most regulators are mainly concerned with penalising organisations that do not respond to DSARs at all; so, provided that you do respond to the best of your ability and, crucially, you provide to the data subject a comprehensive cover letter explaining your rationale for redactions and exclusions, it is fairly unlikely that a regulator will follow up on a complaint from an aggrieved data subject.

Conclusion

If these FAQs demonstrate anything it is that there is no one size fits all approach to handling DSARs; each request must be judged on its own merit and dealt with accordingly. It is therefore important that organisations ensure they have a robust DSAR response processA series of actions or steps taken in order to achieve a particular end. in place to enable those handling them to have the time to deal with them adequately. That is why we encourage our clients to regularly review their process for handling DSARs and take stock in order to identify areas of difficulty or inefficiency.

The DPO Centre’s DSAR Audit is designed to help organisations assess their end-to-end DSAR process, identify any gaps or inefficiencies, and provide tailored, workable solutions to ensure robust DSAR handling. In addition, if you are thinking about outsourcing all or part of your DSAR process, our dedicated DSAR Response Service can take away the stress of DSARs by enabling you to respond appropriately and in a timely manner. Fill in the form below to find out more.

The final webinar in our series on dealing with DSARs in the healthcare industry is happening on Wednesday 10^th August at 1pm (BST) – click here to sign up now. You can find the rest of the series, along with our 3-part series on employment DSARs, on demand on our Vimeo page.