At The DPO Centre, we are working hard to reduce the difficulties associated with even the most complex of Data SubjectAn individual who can be identified or is identifiable from data. Access Requests (DSARs), whether that be through our free DSAR training webinar series, helpful blogs, or our outsourced DSAR Response Service.
We understand that receiving a DSAR can place significant pressure on organisations and their resources, so we try to simplify the processA series of actions or steps taken in order to achieve a particular end. by providing clear, practical advice on how best to deal with these requests in a timely manner and in a way that satisfies the data subject. In this most recent blog post, we highlight the top 5 things that tend to make DSARs particularly challenging to deal with, and how you can overcome these issues.
Collating data as part of a DSAR can often be challenging due to the number of documents and data assets involved. Depending upon the type of requester, the amount of data your business holds is likely to vary considerably, and if we are talking about an employee that has been with the business for many years, the number of documents for review could run into the tens or even hundreds of thousands.
In order to prevent you from getting into a situation where you have masses of documents to wade through in response to a DSAR, preventative action can be taken in the form of implementing and adhering to a robust retention scheduleA catalogue of an organisation's information assets, aligned to an appropriate retention period for that asset type.. Implementing a retentionIn data protection terms, a defined period of time for which information assets are to be kept. schedule ensures that personal dataInformation which relates to an identified or identifiable natural person. that is no longer required to be retained is destroyed, therefore reducing the total amount of personal data being held on individuals. You cannot provide a requester with something that you do not have, so getting rid of personal data as soon as you no longer required to retain it can drastically reduce the volume of data brought back in a search.
Whilst the above will help you prior to receiving a request, it is important to remember that once a request is received you cannot destroy any personal data that falls under the request and doing so is a criminal offence. However, you can ask the Data Subject to be more specific about the information or processing activities that their request relates to. Whilst it is not permissible to require the requestor to narrow the scope of their request, you can ask them to provide some additional details to help you respond effectively and locate the personal data that they are seeking. Asking the right questions on receipt of a request may save you a significant amount of effort down the line, whilst also helping the Data Subject get exactly the information they are looking for.
Just as there may be large volumes of personal data to be provided, this data is likely to be spread across multiple locations and be held in varying formats within numerous systems, including paper. It should also be noted that non-text data such as audio recordings, or CCTV video images may also need to be retrieved and included within a DSAR response and this can be more challenging to process.
Similar to dealing with large volumes of data, it is often helpful to work with the Data Subject to determine which types of data they want access to, thus limiting the scope of the search required – e.g. if they just want CCTV recordings, this will save you searching through your whole email database. In addition, once you have identified which systems the data is in, appropriate searches must be conducted. As personal data consists of more than just an individual’s name, multiple search terms or criteria must be used to filter through the various databases to ensure that all relevant personal data is found (e.g., the individual’s name; customer ID number; email address etc).
Further, it is critical to know what data each system holds and how the data is stored, as well as how to extract the information in the event of a DSAR. Therefore, it is often helpful to carry out a data mapping exercise on the data flows within your organisation.
In many cases, documents that relate to the Data Subject’s request will also include the personal data of other individuals, such as staff members who have dealt with the Data Subject, the Data Subject’s family members, or individuals who have made allegations against the Data Subject. The presence of a third party’s personal data within the information to be disclosed complicates responding to DSARs in two ways. First, searches must be conducted to identify if any third party personal data is present. This is made especially difficult if personal data is likely to reference multiple third-parties, or people who are referred to by things other than their name (a nickname, reference number, or description e.g. “the man in glasses”). Secondly, once personal data of other people is identified, decisions must be made over whether to disclose or redact the information in question.
Searching for any personal data belonging to third parties within the documents to be disclosed in a DSAR requires knowledge of what the law considers to be personal data. Pieces of information that may initially seem insignificant may make an individual identifiable. Therefore, you must ensure that you are searching correctly through the documents. In many cases, it may be clear which third parties’ personal data will be included within the information. For example, if the Data Subject has a shared bank account with their partner, their partner’s name is likely to appear in the collated documents. However, things become more complicated when the identity of possible third parties mentioned within the documents is unknown.
Whilst there are eDiscovery tools on the market, manual review is still the most effective way of ensuring that no third parties’ personal data is unlawfully disclosed to another person. Whilst this may sound tedious, you can save yourself a lot of time by appropriately clarifying the scope of a request at the outset, limiting the number of documents you have to review.
All too often, there will be cases where the provision of personal data may conflict with other data protection or privacy rights, or potentially prejudice other legal provisions or interests (e.g., where the personal data of a third party is contained within the documents, or the information is confidential or privileged). Therefore, once the documents that fall within the parameters of the DSAR have been retrieved, they need to be reviewed to ensure that they are able to be disclosed. There may be several considerations to be taken into account and it may be difficult to determine which should take precedence. Where there is a conflict between fulfilling a DSAR and other rights, interests, or legal provisions, a balance must be struck between the competing factors.
When considering whether to disclose information that may identify a third party, for example, you must weigh up the requestor’s right of access, with the data protection, privacy, and any other rights of the third party. This requires a test of reasonableness to be undertaken where factors such as whether the third party is cited in their personal or professional capacity, the nature of the information, and the potential harms that may arise from disclosure should be considered. These types of decisions should be documented somewhere, so that the reasoning can be referred back to in the future if it were to ever be challenged by a supervisory authorityAn authority established by its member state to supervise the compliance of data protection regulation..
As with the personal data of third parties, there may be confidential or privileged information included within the files retrieved as part of a DSAR. On one hand, disclosing confidential or privileged information to an individual who does not have authorisation to access it has legal implications. On the other, failing to disclose information to a Data Subject based upon the mistaken idea that it is confidential may give rise to grounds for a complaint or legal challenge. Therefore, it is important that accurate judgements are made about the disclosure of information. This presents challenges for companies because it may be difficult to identify which documents are confidential – just because something is marked ‘confidential’ does not mean that it is. Furthermore, judgements must then be made as to whether there is any overriding interest that means it should be disclosed.
Determining the confidentiality of information involves detailed consideration of a range of factors of which context is paramount. As such, confidentiality must be determined on a case-by-case basis and thus requires thorough examination. To be deemed confidential, the information must have a quality of confidence about it and the relationship between the parties giving and receiving the information must impart a duty of confidence. Although in some cases this may be fairly obvious, for example, information covered by a non-disclosure agreement is confidential, there are many other cases which are less so.
Once information has been deemed confidential, it cannot be disclosed unless there is an overriding public interest in its disclosure. This again demands a case-by-case assessment which will require a reasonable amount of expertise in this area. Whatever decision you make with regard to both the confidentiality of information and its disclosure, once again it is very important to document your decisions and the rationale behind them.
Conclusion
It is clear that DSARs present multiple and varying challenges for organisations and dealing with them can be onerous. Having robust procedures and practices in place within your organisation, both for dealing with DSARs but also for processing personal data more generally, will greatly aid in responding to any requests received and reduce the significant burden that they can impose.
For more information on how we can help your organisation with its DSARs, please complete the contact form below.
Fill in your details below and we’ll get back to you as soon as possible