Data Subject Access Requests and Proof of ID

March 2024

Why a blanket approach doesn't always work

Anecdotally, I hear stories of people’s frustration at being asked for certain documents as proof of ID. For example, insisting on a copy of a passport or driving licence. When reviewing internal data protection procedures, I come across DSAR request forms which veer towards asking for excessive documentation as proof of identity.

When responding to a Right of Access request (commonly known as a Data Subject Access Request), we might need to ask a person to prove their identity. But what constitutes a reasonable request for further information for verifying someone’s identity? And do you need to ask for additional documentation in all circumstances?

Organisations should take a balanced approach to this, considering factors such as:

  • the context of your relationship with the person making the request
  • the nature of the personal data you will be providing – is it, for example, highly sensitive health information?
  • the risks to the organisation and to individuals of personal data being given to the wrong person
  • making sure identity verification is not too onerous for the individual
  • securely protecting any additional ID documents requested, and not retaining them longer than necessary

Many organisations will already be taking a measured approach to this; others may be unsure, and some may be getting push-back – “I shouldn’t have to provide you with a copy of my passport!”

We’ve gathered some examples of how this is being approached.

But first…

What does GDPR say about identity verification?

Recital 64 of GDPR states:

“The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.”

What does the ICO say about identity verification?

The ICO’s detailed Right of Access Guidance states:

“You can ask for enough information to judge whether the requester (or the person the request is made on behalf of) is the person that the data is about. The key point is that you must be reasonable and proportionate about what you ask for. You should not request more information if the requester’s identity is obvious to you. This is particularly the case when you have an ongoing relationship with the individual.”

It continues to say:

“You should also not request formal identification documents unless necessary. First you should think about other reasonable and proportionate ways you can verify an individual’s identity. You may already have verification measures in place which you can use, for example a username and password.

However, you should not assume that on every occasion the requester is who they say they are. In some cases, it is reasonable to ask the requester to verify their identity before sending them information.

How you receive the SAR might affect your decision about whether you need to confirm the requester’s identity.”

Neither GDPR, nor the ICO provide specific details on what would be considered reasonable and proportionate. This is left for organisations to decide.

What are the risks?

Clearly there would be a data breach if personal data is given to the wrong person. The more sensitive the data, the bigger the impact and fall-out. There’s also some evidence that DSARs are being used as phishing attempts: bogus requests aimed at harvesting data.

However, if you make it mandatory to provide specific proof of ID you run the risk of angering people – being accused of putting barriers in the way of them exercising their right.

What approach to take?

Some organisations take a case-by-case approach or adopt a fairly standardised method dependent on the context (e.g. an employee, a customer or request made by a third party).

1. Employee or ex-employee requests

If you receive a request via your business email system from a member of staff, you already know who they are and proof of ID is not needed. However, you may feel it’s sometimes necessary to ask for some proof of ID with requests from ex-employees, for example their staff ID number and National Insurance number.

2. No additional information requested

Based on the context of the relationship with the requester and the nature of personal data to be provided, some organisations don’t feel it is necessary or proportionate to request specific documents as proof of ID. Here are some examples we’ve gathered:

  • Where someone has an online account and submits a DSAR from an email address which is linked to their account, asking for it to be posted to an address currently held for them.
  • A request is received from a business email address, which matches the record held and the response will be given to the same email address.
  • Where the organisation is able to conduct sufficient internal checks to validate the request, based on information they already know about the individual.

3. Asking additional questions, rather than demanding documents

Some organisations take the approach of asking the individual to answer a question (or two) to verify their identity. Essentially rather than ask for additional documents they use the information they already know about the individual to do this. For example, can they confirm the nickname/username they used when setting up an account?

4. Additional information

Where there are doubts about the identity of the individual, some organisations will request photo identification (e.g. a passport or driving licence) along with proof of address (such as a utility bill). You just need to be prepared for those who may object.

Also, you don’t want to retain these documents any longer than necessary. Best to log receipt, and then immediately and securely destroy copies of passports and driving licences.
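The two points above (verify with what you already know rather than with documents, and log receipt of any document you do take before destroying it) can be made concrete. The following is an added example, not code from the original post: knowledge-based answers are stored as salted hashes and compared in constant time, with a lockout after repeated failures, and an ID document is reduced to a hash plus timestamp and then deleted. All subject names, answers and file paths are constructed for the example.

```python
"""Added example: knowledge-based identity checks for a DSAR, plus
receipt evidence for ID documents that are then destroyed.
Names, answers and paths are illustrative assumptions."""
import hashlib
import hmac
import os
import secrets
import tempfile
import unicodedata
from datetime import datetime, timezone

MAX_ATTEMPTS = 3          # assumption: lock after three failed verifications


def normalise(answer: str) -> str:
    # Case-, whitespace- and accent-insensitive so "Jonny_B " matches "jonny_b"
    text = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return " ".join(text.lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Salted, slow hash: the verification store must not become yet another
    # plaintext copy of the personal data it is meant to protect.
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, 100_000)


class KnowledgeVerifier:
    def __init__(self):
        self._records = {}    # subject_id -> {question: (salt, hash)}
        self._attempts = {}   # subject_id -> failed attempts

    def enrol(self, subject_id: str, facts: dict):
        self._records[subject_id] = {
            q: (salt, hash_answer(a, salt))
            for q, a in facts.items()
            for salt in (secrets.token_bytes(16),)
        }

    def verify(self, subject_id: str, answers: dict) -> bool:
        """True only if every answer matches; refuses once MAX_ATTEMPTS failed."""
        if self._attempts.get(subject_id, 0) >= MAX_ATTEMPTS:
            return False
        record = self._records.get(subject_id)
        if record is None or set(answers) != set(record):
            self._attempts[subject_id] = self._attempts.get(subject_id, 0) + 1
            return False
        ok = True
        for question, (salt, expected) in record.items():
            # Constant-time compare, and always check every answer so the
            # response time does not reveal which one was wrong.
            if not hmac.compare_digest(hash_answer(answers[question], salt), expected):
                ok = False
        if not ok:
            self._attempts[subject_id] = self._attempts.get(subject_id, 0) + 1
        return ok


def record_and_destroy(document_path: str, request_ref: str) -> dict:
    """Keep evidence that an ID document was received (hash + time), then delete it."""
    with open(document_path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    entry = {"request": request_ref, "sha256": digest,
             "received_at": datetime.now(timezone.utc).isoformat(), "retained": False}
    os.remove(document_path)   # the log entry, not the scan, is what you keep
    return entry


SAMPLE_SCAN = b"constructed stand-in for a passport scan"


def demo_receipt(request_ref: str = "DSAR-0001") -> dict:
    """Write a constructed scan to a temp file, log receipt, confirm it is gone."""
    fd, path = tempfile.mkstemp(prefix="id-doc-")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_SCAN)
    entry = record_and_destroy(path, request_ref)
    return {"entry": entry,
            "digest_matches": entry["sha256"] == hashlib.sha256(SAMPLE_SCAN).hexdigest(),
            "file_still_exists": os.path.exists(path)}
```

Two caveats: `os.remove` only unlinks the file, so on SSDs and in backups or mail servers the scan may persist; “securely destroy” means dealing with those copies too. And a hash of the document is evidence of receipt, not a substitute for the decision record the text asks you to keep.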

As an aside, I once received a notification about a data breach from a company saying my data had been affected. I couldn’t for the life of me remember when I had last had any dealings with them, so thought I should try and find out what personal data they actually had, and what had been lost. But when I went to put in a request they insisted on a copy of my passport. Considering they had just had a breach, the last thing I felt like doing was handing it over!

5. Requests made by third parties

When someone makes a request on behalf of someone else, be this a law firm or a relative, clearly a robust approach needs to be taken. You absolutely want to check this is okay, for example asking for evidence of Power of Attorney or a letter of authority. This approach is supported by the ICO’s guidance which states:

“An individual may prefer a third party (e.g. a relative, friend or solicitor) to make a SAR on their behalf. The GDPR does not prevent this, however you need to be satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of this. This might be a written authority to make the request or a more general power of attorney.”

The ICO’s guidance also makes specific reference to requests made via a third party portal, and says you need to consider whether you are able to verify identity and are satisfied the third party portal is acting with the authority of, and on behalf of, the individual. It specifically states:

“You are not obliged to take proactive steps to discover that a SAR has been made. Therefore, if you cannot view a SAR without paying a fee or signing up to a service, you have not ‘received’ the SAR and are not obliged to respond. You should note that it is the portal’s responsibility to provide evidence that it has appropriate authority to act on the individual’s behalf. Mere reference to the terms and conditions of its service are unlikely to be sufficient for this purpose (see ‘Can a request be made on behalf of someone?’ above). The portal should provide this evidence when it makes the request (ie in the same way as other third parties). When responding to a SAR, you are also not obliged to pay a fee or sign up to any third party service. If you are in this position you should instead provide the information directly to the individual.”

In summary, it may not always be necessary to ask for additional documentation as proof of identity, where you’ve no doubt the individual is who they say they are, or can verify this in another way.

As we know, many individuals submitting SARs often do so because they’re already unhappy with your organisation. Don’t fuel the flames by putting unreasonable hurdles in their way, but do request proof of ID where you believe it’s necessary to protect people.

If you’re in any doubt, and the individual can’t or won’t prove who they are, you may take the decision not to fulfil a request. Just make sure you have documented your decision and can defend it.

It’s a question of balance and proportionality – making sure you have a robust process in place for handling SARs and retaining evidence to support your decisions is vital.

Managing the right to erasure

November 2023

Ten tips to tackle erasure requests

What data should you erase? When can you refuse? And, on a technical level, how do you make sure everything is actually deleted, especially if held on multiple systems?

Fulfilling people’s privacy rights isn’t easy, and GDPR’s Right to Erasure can raise complex challenges. Add to this the tight timeframe to action requests, or bulk requests from third parties, and it can turn into a bit of a minefield.

We’ve got some tips to help navigate around the quicksand. But first, a little refresher on what the Right to Erasure means.

What is the Right to Erasure?

As the name suggests, a person has the right to request that their personal data is erased from your systems if you no longer have a compelling reason to keep it.

You may hear it referred to as the ‘Right to be Forgotten’. This stems from a decision in 2014 by the Court of Justice of the EU which recognised the right of EU citizens to request the removal of links to personal information on search engines.

GDPR took this ruling a step further and enshrined a broader right into EU law, taking it beyond the context of publicly available personal information. Under the post-Brexit spin-off, UK GDPR the right remains the same.

People have the right to submit an erasure request to any organisation operating within the UK/EU, or to organisations in other territories which handle the data of people in the UK/EU. It’s not an absolute right, and there are circumstances in which it can be denied.

When does the right to erasure apply?

You need to fulfil a person’s request for erasure in the following circumstances:

  • It’s no longer necessary for the organisation to hold onto the personal data of an individual for the purposes it was collected
  • They gave you their consent and now wish to withdraw this consent
  • You’re relying on legitimate interests as your lawful basis to handle their data, they object to this, and you have no compelling and overriding legitimate interest to continue
  • They gave you their details for direct marketing purposes and no longer want to receive communications. (You are permitted to keep a minimised record on a suppression file).
  • You’re fulfilling a legal ruling or legal obligation to erase the data
  • You’re processing a child’s data to provide information services (i.e. online services)
  • You’re handling their data unlawfully

The last point, a general ‘catch-all’, is a tricky one to balance, as there may be many reasons why personal data could be processed unlawfully.

For example, the handling of personal data might be considered unlawful if it’s inaccurate, or if necessary information about your processing has not been provided in a privacy notice.

When can you refuse an erasure request?

The right to erasure doesn’t apply when you’re holding personal data for the following reasons:

  • to exercise the right of freedom of expression and information
  • to comply with a legal obligation
  • for the establishment or defence of legal claims
  • to perform a task carried out in the public interest or when exercising an organisation’s official authority
  • for public interest in the area of public health
  • for archiving purposes in the public interest, scientific or historical research or statistical purposes (where erasure would make this impossible or seriously impair your objectives)

Under UK GDPR there are two specific circumstances where the right to erasure doesn’t apply to special category data. Further information about these exemptions can be found in the ICO erasure guidance.

It’s also important to consider whether you have a contract in place with the individual, which requires the processing of their data, and the impact on this of the erasure request.

There may also be grounds for refusing a request where you can justify that it’s manifestly unfounded or excessive. See the ICO’s guidance on exemptions.

If you refuse to comply with a request, you must explain why and tell the individual they have the right to raise a complaint with the ICO (or other relevant supervisory authority).

There are many variables at play; each request needs to be assessed on a case-by-case basis. This is where the devil really is in the detail.

10 tips for handling erasure requests

1. Awareness

Someone can request their data is erased, either in writing or verbally. They might make this request to anyone in your organisation. So, everyone needs to know how to recognise this type of request, what to do if they receive one, who to direct it to and so on.
Awareness campaigns, training and easy-to-understand policies all play their part in getting key messages across to all staff.

2. Identity verification

You clearly don’t want to delete someone’s details unless you are absolutely sure they are who they say they are. Sometimes this will be obvious, but in other circumstances you’ll need to ask for verification of identity. However, if the deletion would have no negative impact on the individual, for example they are only on your marketing lists, you may feel asking for proof of identification is unnecessary.

When asking for proof of ID, only ask for the minimum amount of information necessary to confirm identity. Don’t accumulate more information such as copies of passports or driving licences unless it’s justified, and remember to delete these too!

If a request is received via another organisation, make sure this third party definitely has the authority to act on behalf of the individual in question. The responsibility lies with the third party to provide any necessary evidence to prove this. Bear this in mind if you’re the third party!

3. Technical measures

Your customers might think deleting their data is as simple as clicking a button. If only it were that easy!

It can be difficult to locate, identify, assess and properly delete data – especially if it’s held on many different systems. You might hold records on emails, backed-up systems, on the cloud… all must be deleted.

Make sure your systems, applications and databases allow the easy identification and deletion of individuals. You may also need to assess the implications of deletion; it can impact on how different software works.

This is where the concept of Data Protection by Design really supports businesses. If from the outset of any new project or initiative you make sure you factor in managing individual data rights, it will make life much easier in the long run.

It’s worth reiterating – the right to erasure extends to deleting data from backups. However, the ICO recognises the inherent difficulties here and says, “the key issue is to put the backup data ‘beyond use’, even if it cannot be immediately overwritten.”
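One engineering pattern that addresses both points above (systems that can delete an individual, and backups that must be put beyond use) is crypto-shredding: each data subject’s records are encrypted under a per-subject key held in a key store that is never included in backups, and erasure destroys that key. The following is an added example, not code from the original post or the ICO; the keystream cipher in it is a standard-library stand-in so the example runs offline, and production code should use AES-GCM from a vetted library with keys in a KMS or HSM. Subject names and record contents are constructed.

```python
"""Added example: crypto-shredding so that erasure also puts backups
'beyond use'. The HMAC-based keystream is a stdlib-only stand-in for a
real AEAD cipher; the point is the key lifecycle, not the cipher."""
import hashlib
import hmac
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream from HMAC-SHA256(key, nonce || counter).
    # XOR is its own inverse, so one function both encrypts and decrypts.
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class SubjectKeyStore:
    """One data-encryption key per subject, held outside every record store."""

    def __init__(self):
        self._keys = {}

    def key_for(self, subject_id: str) -> bytes:
        return self._keys.setdefault(subject_id, secrets.token_bytes(32))

    def has(self, subject_id: str) -> bool:
        return subject_id in self._keys

    def destroy(self, subject_id: str) -> bool:
        # The erasure step: discard the key. Every ciphertext under it, in
        # the live store and in every backup ever taken, is now unreadable.
        return self._keys.pop(subject_id, None) is not None


class RecordStore:
    def __init__(self, keystore: SubjectKeyStore):
        self.keystore = keystore
        self.rows = {}   # record_id -> (subject_id, nonce, ciphertext)

    def put(self, record_id: str, subject_id: str, plaintext: bytes):
        nonce = secrets.token_bytes(16)
        ct = keystream_xor(self.keystore.key_for(subject_id), nonce, plaintext)
        self.rows[record_id] = (subject_id, nonce, ct)

    def get(self, record_id: str) -> bytes:
        subject_id, nonce, ct = self.rows[record_id]
        if not self.keystore.has(subject_id):   # never re-create a destroyed key here
            raise KeyError(f"{record_id}: subject key destroyed; data is beyond use")
        return keystream_xor(self.keystore.key_for(subject_id), nonce, ct)

    def backup(self) -> "RecordStore":
        # A backup copies ciphertext only; subject keys are never part of it.
        snapshot = RecordStore(self.keystore)
        snapshot.rows = dict(self.rows)
        return snapshot


def readable(store: RecordStore, record_id: str) -> bool:
    try:
        store.get(record_id)
        return True
    except KeyError:
        return False


def erasure_demo() -> dict:
    """Constructed walk-through: two subjects, a backup taken, then one erased."""
    keys = SubjectKeyStore()
    live = RecordStore(keys)
    live.put("r1", "subj-alice", b"alice@example.com, 12 Example Road")
    live.put("r2", "subj-bob", b"bob@example.com, 3 Sample Street")
    snapshot = live.backup()           # backup taken before the request arrives
    alice_before = live.get("r1")
    keys.destroy("subj-alice")         # the erasure request is actioned
    return {
        "alice_before": alice_before,
        "alice_live_after": readable(live, "r1"),
        "alice_backup_after": readable(snapshot, "r1"),
        "bob_live_after": readable(live, "r2"),
        "bob_backup_after": readable(snapshot, "r2"),
    }
```

Note that `put` will mint a fresh key if the same subject later re-registers; the old ciphertext stays unreadable because it was encrypted under the destroyed key. The weak point of this design is the key store itself, which is why it must be separately protected, audited and excluded from ordinary backups.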

4. Timeline

You don’t have long to comply with requests, so keeping track of time is crucial. The request must be actioned without ‘undue delay,’ and in any case within one calendar month of receiving it.

You may be able to extend this by up to two months if it’s particularly complex. If you need to extend, make sure you tell the individual before the first month is up, giving them clear reasons for the delay – reasons you must be ready to explain to the regulator if necessary.
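Working the deadline out by hand goes wrong at month ends (a request received on 31 January has no “31 February”). Below is an added example, not from the original post, that applies the ICO’s calculation rule for both erasure requests and DSARs: the corresponding date in the following month, or the last day of that month if there is no corresponding date, and if that falls on a weekend or public holiday, the next working day. The public-holiday set is supplied by the caller; the dates used in the assertions are constructed.

```python
"""Added example: statutory response deadline for an erasure request or
DSAR under the ICO's 'corresponding calendar date' rule."""
import calendar
from datetime import date, timedelta


def add_calendar_months(d: date, months: int) -> date:
    """Same day-of-month N months on; clamp to month end (31 Jan -> 28/29 Feb)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def next_working_day(d: date, holidays=frozenset()) -> date:
    # weekday() 5 and 6 are Saturday and Sunday; holidays is caller-supplied
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def response_deadline(received: date, extension_months: int = 0, holidays=frozenset()) -> date:
    """One calendar month from the day of receipt, plus up to two further months if extended."""
    if not 0 <= extension_months <= 2:
        raise ValueError("an extension may add at most two further months")
    return next_working_day(add_calendar_months(received, 1 + extension_months), holidays)


def extension_notice_by(received: date, holidays=frozenset()) -> date:
    """The individual must be told of any extension before the first month is up."""
    return response_deadline(received, 0, holidays)
```

The day of receipt counts whether or not it is a working day; only the end date rolls forward. Keep the holiday calendar for the right nation (England and Wales, Scotland and Northern Ireland differ).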

5. Who else holds their data?

The right to erasure doesn’t just apply to the records your organisation holds. You’re also expected to tell other organisations to whom you’ve disclosed the personal data.

Having a clear understanding of all your suppliers, any other organisations you share personal data with, means you can efficiently contact them and inform them of erasure requests.

You don’t have to do this if it would prove impossible or involves disproportionate effort. (But again, you must be able to justify this is the case).

6. Public domain data

The Right to Erasure also applies to personal data which has been made public in an online environment (‘The Right to be Forgotten’).
You need to be ready to take reasonable steps to inform other organisations who are handling the personal data; asking them to erase links to, copies of, or replication of the data.

What’s ‘reasonable’ will depend on available technology and the cost of implementation. This expectation scales with size; the bigger your organisation and the more resources you have, the more you’ll be expected to do.

7. Children’s specific rights

Children have special protection under data protection law, and the right to erasure is particularly relevant where consent was given by a child (or by their parent/guardian) and, at a later stage (even once they’re an adult), they want their personal information removed, especially if it’s available on the internet. Baking in the ability to delete children’s information from the start is crucial.

8. Exemptions

It’s helpful to have a clear checklist of the exemptions that might apply. They don’t all apply in the same way, so be sure to examine each exemption on a case-by-case basis. The ICO exemptions guide is a good starting point.

9. Maintain a log

How do we delete someone, but also prove we have done it? Feels ambiguous doesn’t it?

You’re allowed to keep a log of erasure requests, actions taken and justifications for these. You need to do this to demonstrate compliance.
However, make sure this log is kept securely and holds only the minimum amount of information necessary. I know some organisations who’ve taken the step of making sure this log is pseudonymised for extra protection.
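How a pseudonymised erasure log can still prove compliance: replace the identifier with a keyed hash (HMAC) of it. With the log key you can answer “did we erase alice@example.com, and from which systems?”; without the key the entries link to nobody. This is an added example, not from the original post; the key must be held separately from the log (a secrets store or KMS), and the identifiers and system names below are constructed.

```python
"""Added example: erasure log that records what was erased, where and
why, without itself retaining the personal data it is evidence of."""
import hashlib
import hmac
import json
from datetime import datetime, timezone


class ErasureLog:
    def __init__(self, log_key: bytes):
        self._key = log_key          # assumption: stored apart from the log itself
        self.entries = []

    def pseudonym(self, identifier: str) -> str:
        # Normalise first so "Alice@Example.com" and "alice@example.com" collide.
        canon = identifier.strip().lower().encode()
        return hmac.new(self._key, canon, hashlib.sha256).hexdigest()

    def record(self, identifier: str, systems, justification: str,
               refused: bool = False, when: datetime = None) -> dict:
        """Log the decision and the systems acted on; the raw identifier is never stored.
        Keep the justification free of names, emails and other identifiers."""
        entry = {
            "subject": self.pseudonym(identifier),
            "received": (when or datetime.now(timezone.utc)).isoformat(),
            "systems": sorted(systems),
            "refused": refused,
            "justification": justification,
        }
        self.entries.append(entry)
        return entry

    def was_erased(self, identifier: str) -> bool:
        p = self.pseudonym(identifier)
        return any(e["subject"] == p and not e["refused"] for e in self.entries)

    def export(self) -> str:
        return json.dumps(self.entries, indent=1)
```

Rotating or losing the log key makes the whole log unlinkable, which is a deliberate property: it bounds how long the log can be used to single anyone out.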

10. Minimisation and retention

The right to erasure (and indeed other privacy rights, such as DSARs) can be less complex if we try to stick to two of the core data protection principles; data minimisation and data retention (storage limitation).

By collecting less data in the first place, using it in limited ways and only keeping it for as long as we need it, means there’s less data to trawl through when we get a request to delete it.

Sounds simple, less easy in practice, but worth the effort.

DSARs – what are people entitled to receive

October 2023

The Right of Access is a fundamental right under data protection law in the UK and European Union. Other jurisdictions have similar rights for their citizens. Requests are commonly referred to as a Data Subject Access Request – DSAR or SAR.

I often get asked questions about what’s in scope; what are organisations expected to provide in their response to a request? And what can they exclude?

The law tells us people have the right to request a copy of their personal data and other supplementary information from any organisation acting as a Controller.

What is meant by personal data?

Personal data is any information which could directly or indirectly identify the individual. This could include contact details, images, voice and video recordings, demographic information, profiles, order history, marketing preferences, HR records, opinions expressed about the individual, other personal identifiers such as employee number… the list goes on.

What if the individual already has the information?

I am also frequently asked; ‘do we need to provide information they already have or is obvious to them?’ The short answer is, yes. Based on UK case law, organisations can’t refuse to disclose information on the grounds that the personal data is already known to the requester. (Case: Ittihadieh v 5-11 Cheyne Gardens, 2017). However, it wouldn’t need to be included if the person has made it clear they don’t want this information.

What is out of scope with DSARs?

  • A DSAR isn’t a right to documentation. Just because someone’s name appears in an email, report or letter doesn’t mean they’re entitled to the whole document, if much of it doesn’t relate to them. It may be easier and relevant to provide full documents, but you would be justified in not doing so. You can extract the necessary information, or redact the irrelevant information.
  • If personal identifiers have been removed from a dataset, and it’s truly anonymised (i.e. the individual cannot be reidentified), it no longer falls under the scope of data protection law.
  • Personal data which is not part (or intended to be part) of a structured filing system is not in scope. For example handwritten notes in a personal notepad where there’s no intention to formally file these notes would not need to be included. However, if for example, employees write notes in ‘day books’ which are intended to be kept as a record of conversations, these would be in scope.

When can we refuse to comply with a request?

Sometimes it may seem obvious to you the individual has an ulterior motive for submitting a DSAR. In general, an individual’s motives shouldn’t affect their right to obtain a copy of their personal data, or the organisation’s duty to respond. Organisations can however refuse to comply with a request, either partially or fully, where they judge it to be manifestly unfounded or manifestly excessive.

A request might be considered manifestly unfounded if, for example, the individual…

  • has no real intention of exercising their right
  • offers to withdraw their request in return for some kind of benefit
  • explicitly states they want to cause disruption
  • makes unsubstantiated accusations or allegations
  • is targeting a specific employee due to a grudge
  • sends regular and targeted requests as part of a concerted campaign

A request might be considered manifestly excessive if it’s clearly or obviously unreasonable or would involve disproportionate effort.

If you rely on either of these grounds be sure to document your decision and the rationale behind it.

How much effort is required?

Organisations are expected to make all reasonable efforts to search, identify and retrieve all the personal data being requested. Regulators would expect systems to be well-designed and maintained so information can be efficiently located (including carrying out searches) and extracted.

The right of access is not new. It was around long before GDPR came into force in 2018, so organisations would be expected to be well prepared to handle requests.

What can be excluded or redacted?

Once all the information relating to the individual has been retrieved, the data collated may include information which doesn’t need to be disclosed. There may be justifiable grounds for excluding information or redacting documents, emails, video recordings and so on.

  • Information relating to others: the person making the request has a right to receive a copy of their personal data; they’re not entitled to personal data about other people. The UK Data Protection Act 2018 confirms you do not need to include certain information if it means disclosing information which identifies someone else, unless the other person has given their consent or it’s reasonable to disclose without the other person’s consent. Remember, in many situations you may have a duty to protect the identity of others.
  • Confidential information: A duty of confidence may arise when another individual has genuinely shared ‘confidential’ information with the expectation that it remains confidential. Confidentiality cannot be automatically assumed and needs to be assessed on a case-by-case basis. Other information which may also be considered confidential includes, but is not limited to: trade secrets, information made confidential under another law, internal costs or commercial rates, intellectual property and information covered by a non-disclosure agreement.
  • Other exemptions: The UK’s Data Protection Act 2018 provides a number of further exemptions which may apply depending on the nature of your business and the context of the specific request. These don’t always apply in the same way. Sometimes you might be obliged to rely on an exemption (i.e. it would break another law), other times it will be a choice. Commonly used exemptions include; legal professional privilege, crime and taxation, management information, research and statistics, confidential references and journalism.

The ICO says exemptions should not be routinely relied upon or applied in a blanket fashion. And remember, you may be required to demonstrate how an exemption applies and your rationale for relying on it. The full list of exemptions can be found in Schedule 2, Data Protection Act 2018. Examples of how they apply can be found in the ICO’s guidance.

What other information should be included in a response?

Along with a copy of their personal data, people are entitled to receive other supplementary information. Where this information is clearly available in a Privacy Notice, the ICO says it’s sufficient to provide a link to this in your DSAR response. This supplementary information is as follows:

  • Purpose: your purpose(s) for processing the person’s data.
  • Categories: the categories of personal data you’re processing.
  • Recipients: the recipients or categories of recipient to whom you have disclosed or will disclose the personal data (including recipients or categories of recipients in third countries or international organisations).
  • International data transfer safeguards: the safeguards you have provided where personal data has or will be transferred to a third country or international organisation.
  • Retention: your retention period for storing the personal data or, where this is not possible, the criteria for determining how long you will store it.
  • Other privacy rights: the individual’s right to request rectification, erasure or restriction or to object to processing.
  • Right to complain: the individual’s right to lodge a complaint with a Supervisory Authority, for example in the UK the Information Commissioner’s Office (ICO).
  • Data source: information about the source of the data, if you didn’t collect it directly from the individual.
  • Automated decisions: whether or not you use automated decision-making (including profiling) and information about the logic involved, as well as the significance and envisaged consequences of the processing for the individual.

DSARs can feel a bit of a minefield to the uninitiated and a little daunting if you don’t receive many or suddenly receive your first one. Our DSAR Guide provides more information about how to prepare and fulfil requests. The ICO also has detailed Right of Access Guidance.

Efficiently handling Data Subject Access Requests (DSARs)

March 2023

The right of access; the right everyone has to ask an organisation for a copy of their personal data. But fulfilling it can prove challenging, time-consuming and costly for organisations.

Complaints about DSARs account for a fifth of all complaints raised with the UK’s Information Commissioner’s Office (ICO Annual Report 2021-22).

People are clearly not satisfied with how many organisations are responding to requests. This could in part be organisations failing to comply, and in part people misunderstanding what they are entitled to receive.

Late last year the ICO took the step of issuing a number of reprimands to public sector bodies and a commercial media company, in relation to DSARs. A key issue is failure to respond in time, and significant backlogs developing. The law says we must respond within one calendar month, this can be extended by up to a further two months where requests are unduly complex.

DSARs are nothing new; people had the right to request a copy of their personal data long before GDPR. Organisations are expected to have robust procedures in place and the technical capabilities to fulfil requests. What GDPR did, back in 2018, was raise awareness of this right and it’s clear more people are submitting requests.

So, how do we make sure we’re on the front foot and are able to efficiently respond to the requests we receive?

5-point checklist for handling DSARs

1. Staff awareness

A request can be submitted in writing, verbally or even via social media. It doesn’t matter who in the business receives a request. Employees all need to be able to recognise them, and know what to do if they receive or spot one. Everyone needs to know time is of the essence, so training is vital. The last thing you need is a delay at the very start because a request wasn’t quickly acted upon.

2. Knowing where our data is

We can’t begin to fulfil requests unless we know where personal data is located across the organisation. What systems need to be searched, which may differ depending on who is submitting the request, do paper filing systems need to be in scope, do we need to approach suppliers to assist… and so on.

This is where having an up to date Record of Processing Activities (RoPA) and/or Information Asset Register (IAR) which states where and how we store data can really help to speed up the process.

3. DSARs and unstructured data challenges

It can prove particularly time-consuming searching for personal data within email systems and other internal messaging systems. This can throw up an eye-watering number of records, which can take painstaking hours to sift through to identify relevant personal data.

A clear method for searching unstructured data is essential. Automated tools can make this more efficient and thorough.
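What a “clear method” for unstructured data looks like in practice: decide up front which identifiers count as a near-certain hit (email address, staff number, full name) and which are only a lead (a bare surname, which will match other people), then scan every field of every message and triage the results into “collate for disclosure” and “needs human review”. The following is an added example, not from the original post or any vendor tool; the mailbox, subject and identifiers are constructed.

```python
"""Added example: scanning unstructured text (a constructed mailbox) for
one data subject's identifiers, with strong hits separated from leads."""
import re
from dataclasses import dataclass, field


@dataclass
class Subject:
    first_name: str
    last_name: str
    emails: list
    staff_ids: list = field(default_factory=list)


def build_patterns(subject: Subject):
    """[(label, compiled_regex, 'strong' | 'weak')]; strong patterns come first."""
    pats = []
    for e in subject.emails:
        pats.append(("email", re.compile(re.escape(e), re.I), "strong"))
    for s in subject.staff_ids:
        pats.append(("staff_id", re.compile(r"\b" + re.escape(s) + r"\b", re.I), "strong"))
    fn, ln = re.escape(subject.first_name), re.escape(subject.last_name)
    # "Jane Smith", "Jane A. Smith" or "Smith, Jane"
    pats.append(("full_name",
                 re.compile(rf"\b{fn}(?:\s+\w\.?)?\s+{ln}\b|\b{ln},\s*{fn}\b", re.I), "strong"))
    # A surname alone is only a lead: it will catch other Smiths too.
    pats.append(("surname", re.compile(rf"\b{ln}\b", re.I), "weak"))
    return pats


FIELDS = ("from", "to", "subject", "body")


def search_messages(messages, subject: Subject) -> dict:
    """message id -> {'strong': [(field, label, text)], 'weak': [...]} for messages with hits."""
    pats = build_patterns(subject)
    results = {}
    for msg in messages:
        strong, weak = [], []
        for fld in FIELDS:
            text = msg.get(fld, "")
            covered = []   # spans already claimed by a strong match in this field
            for label, rx, strength in pats:
                for m in rx.finditer(text):
                    if strength == "strong":
                        covered.append(m.span())
                        strong.append((fld, label, m.group(0)))
                    elif not any(a <= m.start() < b for a, b in covered):
                        weak.append((fld, label, m.group(0)))   # surname inside a full name is not a second hit
        if strong or weak:
            results[msg["id"]] = {"strong": strong, "weak": weak}
    return results


def triage(results: dict):
    """Messages to collate for the response, and messages a reviewer must look at."""
    collate = sorted(mid for mid, r in results.items() if r["strong"])
    review = sorted(mid for mid, r in results.items() if not r["strong"] and r["weak"])
    return collate, review


# Constructed sample data; not real people or messages.
SAMPLE_MAILBOX = [
    {"id": "m1", "from": "jane.smith@example.com", "to": "hr@example.com",
     "subject": "My contract", "body": "Could you send me a copy of my contract, thanks."},
    {"id": "m2", "from": "manager@example.com", "to": "hr@example.com",
     "subject": "Grievance", "body": "Spoke with Jane Smith about the grievance (E12345)."},
    {"id": "m3", "from": "finance@example.com", "to": "hr@example.com",
     "subject": "Invoice", "body": "Bob Smith sent the invoice over this morning."},
    {"id": "m4", "from": "finance@example.com", "to": "all@example.com",
     "subject": "Figures", "body": "Quarterly figures attached."},
]
JANE = Subject("Jane", "Smith", ["jane.smith@example.com"], ["E12345"])
```

Running `triage(search_messages(SAMPLE_MAILBOX, JANE))` puts m1 and m2 in the collate pile and m3 in the review pile; m4 is never surfaced. The same structure extends to chat exports, ticketing notes and shared drives: the pattern list is the policy, and everything else is plumbing. Anything that reaches the reviewer still needs the redaction and exemption checks described elsewhere on this page.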

4. Resourcing

Many organisations which receive a significant volume of requests will have a dedicated person or team to handle them. But where organisations have fluctuating numbers of requests it can be difficult to predict how many people within the organisation need the expertise to handle them.

We need to factor in holidays and the potential for sick leave. Have we got other adequately trained staff, or alternative resources on standby to provide cover, especially if we get higher than routine volumes?

In a recent case in Belgium, the data protection authority ruled the fact the person who normally handled DSARs was on long-term absence was not an excuse for a late response. I think other data protection authorities would take a similar view.

It can also pay to clearly allocate responsibilities. Often other people will have to free up their time to help deliver the DSAR process, for example retrieving the data, collating or reviewing it.

5. Robust procedure

Having a clear procedure which walks staff through the key steps and considerations is invaluable, especially for times when key members of staff aren’t available and someone else needs to pick up the reins. Procedures should clearly set out how to retrieve the data, the collation and assessment stage, what to redact (or extract), when exemptions might apply and so on.

To avoid failing to respond to DSARs in time, to try and avoid complaints escalating and potential unwelcome regulatory scrutiny, it pays to be prepared. We need to be able to log requests, keep records, effectively retrieve data, manage workflows, review documents, apply redactions and respond on time. This can be done using routine business tools, but where DSARs are becoming unduly time-consuming and costly, technical solutions developed in-house or via an external provider can help to automate and streamline the process.

Is bias and discrimination in AI a problem?

September 2022

Artificial Intelligence - good governance will need to catch up with the technology

The AI landscape

We hear about the deployment and use of AI in many settings. The types and frequency of use are only going to increase. Major uses include:

  • Cybersecurity analysis to identify anomalies in IT structures
  • Automating repetitive maintenance tasks and guiding technical support teams
  • Ad tech to profile and segment audiences for advertising targeting and optimise advertising buying and placement
  • Reviewing job applications to identify the best-qualified candidates in HR
  • Research scientists looking for patterns in health to identify new cures for cancer
  • Predicting equipment failure in manufacturing
  • Detecting fraud in banking by analysing irregular patterns in transactions
  • TV and movie recommendations for Netflix users
  • Inventory optimisation and demand forecasting in retail & transportation
  • Programming cars to self-drive

Overall, the different forms of AI will serve to improve our lives, but from a privacy point of view there is a danger that the governance around AI projects is lagging behind the evolving technology.

In that context, tucked away in its three-year plan, published in July, the ICO highlighted that AI-driven discrimination might become more of a concern. In particular, the ICO is planning to investigate concerns about the use of algorithms to sift recruitment applications.

Why recruitment applications?

AI is used widely in the recruitment industry. A Gartner report suggested that all recruitment agencies used it for some of their candidate sifting. The CEO of the ZipRecruiter website in the US is quoted as saying that three-quarters of submitted CVs are read by algorithms. There is plenty of scope for data misuse, hence the ICO’s interest.

The Amazon recruitment tool – an example of bias/discrimination

The ICO are justified in their concerns around recruitment AI. Famously, Amazon developed their own tool to sift through applications for developer roles. Their model was based on 10 years of recruitment data for an employee pool that was largely male. As a result, the model discriminated against women and reinforced the gender imbalance by filtering out all female applications.

What is AI?

AI can be defined as: 

“using a non-human system to learn from experience and imitate human intelligent behaviour”

The reality is that most “AI” applications are machine learning. That is, models are trained to predict outcomes from data collected in the past. Pure AI is technology designed to simulate human behaviour. For simplicity, let’s call machine learning AI.

Decisions made using AI are either fully automated or with a “human in the loop”. The latter can safeguard individuals against biased outcomes by providing a sense check of outcomes. 

In the context of data protection, it is becoming increasingly important that those impacted by AI decisions should be able to hold someone to account.

You might hear that all the information is in a “black box” and that how the algorithm works cannot be explained. This excuse isn’t good enough – it should be possible to explain how a model has been trained and risk assess that activity. 

How is AI used? 

AI can be used to make decisions:

  1. A prediction – e.g. you will be good at a job
  2. A recommendation – e.g. you will like this news article
  3. A classification – e.g. this email is spam

The benefits of AI

AI is generally a force for good:

  1. It can automate a process and save time
  2. It can optimise the efficiency of a process or function (often seen in factories or processing plants)
  3. It can enhance the ability of individuals – often by speeding up processes

Where do data protection and AI intersect?

An explanation of AI-assisted decisions is required:

  1. If there is a process without any human involvement
  2. If it produces legal or similarly significant effects on an individual – e.g. not getting a job

Individuals should expect an explanation from those accountable for an AI system. Anyone developing AI models using personal data should ensure that appropriate technical and organisational measures are in place to integrate safeguards into processing. 

What data is in scope?

  • Personal data used to train a model
  • Personal data used to test a model
  • On deployment, personal data used or created to make decisions about individuals

If no personal data is included in a model, AI is not in scope for data protection. 

How to approach an AI project?

Any new AI processing with personal data would normally require a Data Protection Impact Assessment (DPIA). The DPIA is useful because it provides a vehicle for documenting the processing, identifying the privacy risks as well as identifying the measures or controls required to protect individuals. It is also an excellent means of socialising the understanding of AI processing across an organisation.

Introducing a clear governance framework around any AI projects will increase project visibility and reduce the risks of bias and discrimination. 

Where does bias/discrimination creep in?

The Equality Act 2010 prohibits behaviour that discriminates against, harasses or victimises another person on the basis of any of these “protected characteristics”:

  • Age
  • Disability
  • Gender reassignment
  • Marriage and civil partnership
  • Pregnancy and maternity
  • Race
  • Religion and belief
  • Sex
  • Sexual orientation

When using an AI system, your decision-making process needs to ensure, and you need to be able to show, that it does not result in discrimination.

Our Top 10 Tips

  1. Ask how the algorithm has been trained – the “black box” excuse isn’t good enough
  2. Review the training inputs to identify possible bias with the use of historic data
  3. Test the outcomes of the model – this seems obvious, but it is not done regularly enough
  4. Consider the extent to which the past will predict the future when training a model – recruitment models will have an inherent bias if only based on past successes
  5. Consider how to compensate for bias built into the training – a possible form of positive discrimination
  6. Have a person review the outcomes of the model if it is challenged and give that person authority to challenge
  7. Incorporate your AI projects into your data protection governance structure
  8. Ensure that you’ve done a full DPIA identifying risks and mitigations
  9. Ensure that you’ve documented the processes and decisions to incorporate into your overall accountability framework
  10. Consider how you will address individual rights – can you easily identify where personal data has been used or has it been fully anonymised? 
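As an added illustration of tips 2 and 3 (this is example code, not from the original article or any real recruitment system), the check below measures how a historic training pool is split by a protected characteristic and whether the model’s sift outcomes differ between groups. The applicant data and the 0.8 disparity threshold are constructed assumptions for the example.

```python
from collections import Counter

# Constructed sample data (illustration only, not from any real system).
# Historic applicant pool used to train a recruitment sift, by sex.
TRAINING_POOL = ["male"] * 9 + ["female"] * 1

# Model sift outcomes on a new batch: (group, passed_sift).
SIFT_OUTCOMES = [
    ("female", True), ("female", False), ("female", False),
    ("female", False), ("female", False),
    ("male", True), ("male", True), ("male", True),
    ("male", True), ("male", True), ("male", False), ("male", False),
]


def representation(pool):
    """Tip 2: share of each group in the training data. A heavily
    skewed historic pool is a warning sign before any model is built."""
    counts = Counter(pool)
    total = sum(counts.values())
    return {group: n / total for group, n in counts.items()}


def selection_rates(outcomes):
    """Tip 3: fraction of each group that the model passed through."""
    seen, passed = Counter(), Counter()
    for group, selected in outcomes:
        seen[group] += 1
        if selected:
            passed[group] += 1
    return {group: passed[group] / seen[group] for group in seen}


def disparity_ratios(rates):
    """Each group's selection rate relative to the best-treated group
    (the best-treated group therefore scores 1.0)."""
    best = max(rates.values())
    return {group: rate / best for group, rate in rates.items()}


def flag_disparity(outcomes, threshold=0.8):
    """Groups whose relative selection rate falls below `threshold`.
    The 0.8 default is an assumed illustrative cut-off, not a value
    from the article; choose and justify your own in the DPIA."""
    ratios = disparity_ratios(selection_rates(outcomes))
    return sorted(group for group, ratio in ratios.items() if ratio < threshold)


if __name__ == "__main__":
    print("training representation:", representation(TRAINING_POOL))
    print("selection rates:", selection_rates(SIFT_OUTCOMES))
    print("groups below threshold:", flag_disparity(SIFT_OUTCOMES))
```

On the constructed data the pool is 90% male and women pass the sift at 0.28 of the male rate, so the check flags “female”; a real review would run the same comparison for each protected characteristic the model could have learned.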

In summary

AI is complex and fast-changing. Arguably the governance around the use of personal data is having to catch up with the technology. Even where people believe that these models are mysterious and difficult to understand, a lack of explanation for how they work is not acceptable.

In future, clearer governance processes will have to develop to understand the risks and consider ways of mitigating them, so that data subjects are not disadvantaged.

Data Subject Access Requests – 10 Quick Tips

September 2022

Handling DSARs efficiently and effectively

DSARs can be challenging to handle and complete on time, especially when you get one from a disgruntled ex-employee with a grievance.

While it’s clearly important for people to be able to request and receive a copy of their personal data, I fully appreciate how tricky they can be to fulfil. Prior to joining the DPN more than seven years ago, I used to handle them myself and now I spend a fair bit of time helping clients with the requests they receive. Without further ado, here are my quick tips.

Ten Quick DSAR Tips

1. Staff Awareness

A request can come into any part of the business. Requests can be made in writing, verbally or even via social media. We’re told that however they come in, they’re valid. Customer-facing staff and others need to know how to recognise them and what action to take. And not all requests for information will be a DSAR.

2. It’s not a right to documentation!

People have the right to request a copy of their personal data, but they don’t have the right to receive reams of documents which might contain just their name or email address, or in part relate to them. You can extract relevant personal data from documents and emails, as long as the context is made clear.

3. Always acknowledge DSARs

Quickly acknowledge any request. It can also be helpful to explain a little more about what they can expect to receive. This can save issues further down the line if the individual doesn’t get what they expected to. Always be personable and polite, even if they aren’t!

4. Diarise response date

Be sure to record the date by which the DSAR must be fulfilled. This is one calendar month from the date you received it. You can start the clock after you’ve received any necessary confirmation of their identity. You can pause the clock if you need to seek further clarification.

5. Talk to the requester

Don’t always sit behind the comfort of an email. A telephone call may be a novel suggestion, but in my experience actually speaking to the person (if they are happy to take your call) can make a huge difference.

6. Be wary of requests from third-party portals

Increasingly organisations are receiving DSARs and other privacy rights requests via third-party portals which offer to submit the requests on behalf of individuals. Sometimes multiple requests can be received at once. You have a responsibility to check these requests are genuine, be sure the individual is who they say they are and the third-party has the authority to act on their behalf.

I’ve written more about this here: Managing Erasure Requests or DSARs via Third-Party Portals

7. Collaboration

One person, or indeed the data protection team, can’t fulfil these requests on their own. Make sure others who’ll need to support in gathering relevant information understand their responsibilities, and in particular the need to prioritise any actions. The clock keeps ticking and a calendar month can race away.

8. Share the knowledge

What happens if the person who routinely handles requests is off sick? Or the person from the IT team who knows how to gather the data is on holiday? Make sure other people are familiar with the process, and have a clear written procedure others can pick up if necessary.

9. Don’t forget the exemptions

There’s information you can legitimately withhold. The exemptions are there for a reason – to cover information you’ve good reasons for not disclosing. This might be information relating to other individuals, details subject to legal privilege or commercially sensitive information. Sometimes you’ll be obliged to rely on an exemption, other times you may choose to rely on one or not. Be sure to tell people if you’ve used one (or more) and why.

The ICO’s Right of Access Guidance covers the exemptions and links through to relevant sections in the Data Protection Act 2019.

10. Respond securely

The last thing you want is to cause a potential data breach when responding to a DSAR! It can be helpful to liaise with the individual about how you send the data to make sure this will work for them. While secure sending is crucial, you shouldn’t make it difficult for them to access.

Hmm, should I have done more than 10 tips? Be proportionate when asking for proof of ID, consider the privacy of others… and I could go on. Check out our DSAR Guide for more information.

Often DSARs are straightforward, but sometimes they’re a minefield. Having a clear procedure can go a long way to making sure things run as smoothly as possible.

Data Subject Access Request Guide

Being prepared and handing DSARs

Handling Data Subject Access Requests can be complex, costly and time-consuming. How do you make sure you’re on the front foot, with adequate resources, understanding and the technical capability to respond within a tight legal timeframe?

Data subject access request from the data protection consultancy DPN - Data Protection Network

This guide aims to take you through the key steps to consider, such as…

  • Being prepared
  • Retrieving the personal data
  • Balancing complex requests
  • Applying redactions & exemptions
  • How technology can help

Managing Erasure Requests or DSARs via Third-Party Portals

January 2022

Do organisations have to honour them? Well, it depends…

Over the past few years GDPR, the California Consumer Privacy Act (CCPA) and other privacy regulations have led to specialist companies offering to submit Erasure or Data Subject Access Requests (DSARs) on behalf of consumers.

These online portals say they want to help people exercise their privacy rights, while enabling them to make requests to multiple organisations simultaneously.

Companies on the receiving end of such requests often receive them in volume, and not necessarily from consumers they even know. Requests can quote swathes of legislation, some of which may be relevant, some of which won’t apply in your jurisdiction.

If you haven’t had any yet, you may soon. Companies like Mine, Privacy Bee, Delete Me, Revoke and Rightly all offer these services.

They don’t all operate in the same way, so be warned the devil is in the detail.

How third-party portals work

Okay, bear with me; as I said, there are different approaches. They may use one, or a combination of, the following elements:

  • Offer to simply submit requests on the individual’s behalf, after which the consumer engages directly with each organisation
  • Offer people the opportunity to upload their details and proof of ID, so the portal can submit requests on their behalf without the consumer needing to validate their ID each time
  • Provide a bespoke link which organisations are invited to use to verify ID/authority (hmmm, we’re told not to click on links to unknown third parties, right?)
  • Allow consumers to select specific named organisations to submit requests to
  • Make suggestions for which organisations the individual might wish to ‘target’
  • Offer to scan the individual’s email in-box and then make suggestions about which organisations are likely to hold their personal data (again, really? Would you knowingly let any third party scan your in-box?)

Is this a good thing? Does it empower the consumer?

On the surface, this all seems fairly positive for consumers, making it simpler and quicker to exercise their privacy rights.

For organisations, these portals could be seen as providing an easier way of dealing with rights requests in one place. They might also offer a more secure way of sharing personal data, for example when responding to a DSAR.

I would, however, urge anyone using these portals to read the small print, and any organisation in receipt of these requests to do their homework.

Why it’s not all straightforward

The following tale from one DPO may sound familiar…

We tend to find these requests slightly frustrating and time-consuming. First, we have to log all requests for our audit trails. We cannot simply ignore the requests otherwise this can cause regulatory issues, not to mention if they are genuine requests.

More often than not, they are sent in batches and do not contain the information we require to search and make the correct suppression. Where we do have enough information to conduct searches, we often find the personal details do not exist on our database.

Another concern is whether the requests are actually meant for us. We recently received a number of requests for a competitor, who was clearly named on the requests. When we tried to contact the portal to explain this issue, we did not get a response and were essentially ignored, which leaves us in a predicament – do we continue with the request, was it actually for our organisation or not?

So, there’s a problem. Requests might be submitted on behalf of consumers whom organisations have never engaged with. Requests can arrive with insufficient information. We can’t always verify people’s identity, or the portal’s authority to act on their behalf. In these circumstances, do people genuinely want us to fulfil their Erasure or Access request?

What does the ICO say about third-party portals?

The regulator does reference online portals in its Right of Access guidance. It tells us we should consider the following:

  • Can you verify the identity of the individual?
  • Are you satisfied the third-party has authority to act on their behalf?
  • Can you view the request without having to take proactive steps (e.g. paying a fee or signing up to a service)?

The ICO makes it clear it would not expect organisations to be obliged to take proactive steps to discover whether a DSAR has been made. Nor are you obliged to respond if you’re asked to pay a fee or sign up to a service.

The Regulator says it’s the portal’s responsibility to provide evidence of their authority to act on an individual’s behalf. If we have any concerns, we’re told to contact the individual directly.

If we can’t contact the individual, the guidance tells us we should contact the portal and advise them we will not respond to the request until we have the necessary information and authorisation.

This all takes time…

This is all very well, but for some organisations receiving multiple requests this is incredibly time-consuming. Some organisations are receiving hundreds of these requests in a single hit, as Chris Field from Harte Hanks explains in – You’ve been SAR-bombed.

In addition, we need to do our research and understand how the portal operates, checking whether we believe they’re bona fide or not.

Another DPO, whose company receives around thirty privacy requests from third-party portals a month, says: “Often these tools don’t provide anything more than very scanty info, so they all require responses and requests for more info”. This company takes the following approach: “We deal with the individual if it’s a legitimate contact detail, or we don’t engage.”

It really is a question of how much effort is reasonable and proportionate.

We must respect fundamental privacy rights, understand third-party portals may be trying to support this, but balance this with our duty to safeguard against fraud or mistakes.