Data Protection Network

The scourge of AI-generated DSARs

Just because they ask for it, doesn’t mean they’re entitled to it

A fresh menace stalks the Data Subject Access Request landscape.

Artificial Intelligence. AI-generated DSARs are landing in DPOs' mailboxes across the UK and beyond. Lengthy, demanding, often employee-related and routinely linked to some form of disgruntlement. In reality this use of AI is helping no one, neither the individual nor the organisation; it adds complexity and feeds misunderstanding.

As an experiment, I asked ChatGPT to create a DSAR request letter. The result was four pages long. Yikes. It included the seemingly obligatory:

Please conduct searches using all identifiers associated with me, including but not limited to: Philippa Donn, Philippa (maiden name), P Donn, Philippa, Phil, Pip, PD, P.D, P D, P-D and P/D. Please also search for any common misspellings, abbreviations, and variations of my name and identifiers across all electronic and paper filing systems, archived records, backup systems where reasonably accessible, email systems, instant messaging platforms, and shared drives.

If this wasn’t enough, simply pasting this into MS Word prompted another AI, Copilot, to offer a rewrite!

Handling AI requests

I’d like to add my two penn’orth, to quell the anxiety this pest is causing. So don’t panic. Take a BIG deep breath. Pause. Remind yourself what the law actually says, what people are actually entitled to and how we’re expected to approach requests. Remember, as the controller, WE decide what’s legally within scope and WE decide what ‘reasonable and proportionate searches’ to conduct.

Recently a DSAR crossed my desk which insisted on confirmation of the following:

All and any historic, yet stored versions of documents are included in the search and will be disclosed…

Hmm. The AI is mistaken. It’s a right to obtain a copy of your personal data, not carte blanche to receive full documents.

I’ve seen requests which include demands for ‘metadata’, insisting searches must include:

file properties, creation dates and timestamps, author and editor identities, comments and annotations, embedded notes, audit logs and access logs… (it can go on and on)

The AI seems determined to prove the old saw that a little knowledge is a dangerous thing. Sorry, ChatGPT, this is a right to receive a copy of your personal data, not anyone else’s (unless reasonable to disclose personal information relating to others). Again, WE decide what constitutes ‘reasonable and proportionate’ searches. In doing so, we can absolutely balance the importance of fulfilling the right of access, with the volume of information which needs to be searched and the difficulties of retrieving it.

What can I do?

Here are some actions I’d take concerning a lengthy, clearly AI-generated request.

  1. Send a well-crafted (human) acknowledgement which clearly (and politely) explains what the right entitles the individual to, the approach taken to searching for their personal information (i.e. reasonable and proportionate), tells them exemptions may apply, and so on.
  2. Seek clarification, within the above acknowledgement, especially if their request is long and complex. While we can’t force someone to narrow the scope of their request, we can phrase our acknowledgement to encourage them to help us understand the personal information they really want, so we can give them the most meaningful response.
  3. Go through what they’ve requested and ‘tick off’ anything covered by the supplementary information requirements. Matters such as: any recipients or categories of recipients to whom the data has been disclosed and the retention period for the data. If supplementary information is satisfactorily covered by a privacy notice we can simply provide a copy or link to it.
  4. Make sure our response reiterates points made in our acknowledgement i.e. what they’re entitled to and our ‘reasonable and proportionate’ searches. Avoid trying to give a point-by-point answer to every single matter they’ve raised.
  5. If they bounce right back picking nuanced holes in our response, which we feel are somewhat vexatious or trivial, tell them how they can raise a formal complaint. (i.e. go through our data protection complaints process).
  6. If they go on to complain, craft a robust outcome to their complaint. If they still pick seemingly trivial holes, direct them swiftly to the ICO. If we’ve made our best efforts to satisfy someone, we shouldn’t be afraid of the ICO. The regulator will be getting AI-generated DSARs too, and I’m sure will have some sympathy with everyone else’s woes.

More help on the horizon

The ICO has recently published guidance on Freedom of Information and Artificial Intelligence. This recognises that public bodies are seeing an increase in AI-generated FOI requests. Encouragingly, I’m hearing similar guidance on AI DSARs is expected over the summer. In the meantime, as these requests keep arriving thick and fast, I’ve picked up on a few points from the FOI guidance which I believe apply equally to AI DSARs:

  • Just because it’s AI-generated and contains inaccuracies doesn’t mean it’s not a valid request (…there will be some wheat among the chaff).
  • You can tell people if AI has got something wrong (…which it occasionally will!)
  • You may need to clarify requests if the use of AI has made the wording of the request more complex.
  • Using AI to draft a request may result in asking for more information than the requester is looking for (…and than they’re entitled to)

The ICO also provides suggested wording for a relevant website FOI page. I’ve adapted some of these statements for a DSAR context. These may be helpful to use either on a DSAR request form, within a privacy notice or indeed in an acknowledgement.

  • AI tools can be helpful in composing your request, but they can also introduce errors or create overly complex requests.
  • We’re seeing an increase in requests and secondary correspondence that appear to have been drafted by generative AI. These can require additional clarification because of inaccuracies or unnecessary complexity. This creates delays for both requesters and our teams.
  • AI can misrepresent legislation or misstate what you’re actually entitled to. Please review the text of your request carefully and don’t assume AI is right. If it has referred to something you don’t understand, check what it is.
  • AI tools sometimes generate broad or excessive wording that goes beyond the information you’re entitled to under the Right of Access.
  • Short, straightforward requests are easier for us to process and usually lead to quicker, more meaningful responses.

I appreciate this article may feel one-sided in favour of those receiving DSARs. Of course, there are organisations who don’t take this right seriously enough. And yes, I’ve seen the dreadful responses involving reams of fully redacted pages, or where no context has been provided, or limited explanation.

I completely respect people’s right of access to their personal data – it’s important and valuable. Organisations should be making considerable efforts to fulfil this right, and should be accountable for how they handle people’s information.

My problem? There are many good data protection people trying to ‘do the right thing’ yet becoming slaves to ‘normal’ DSARs – and now the over-wordy AI menace. Tearing their hair out, spending days trying to fulfil requests. Churning out responses, much of which they suspect will be barely read.

To my mind, this privacy right has strayed too far from what I believe legislators originally intended. DSARs have become distorted and unduly onerous to fulfil. As ever, we must balance professionalism and common sense with our legal obligations. The use of AI to create obstacles, unintentionally or otherwise, shouldn’t distract us from those objectives. Until, of course, we ask our AI DPO and AI legal team to argue the point with the requester’s AI… 😉

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.