Data Subject Access Request Guide

Being prepared and handling DSARs

Handling Data Subject Access Requests can be complex, costly and time-consuming.

How do you make sure you’re on the front foot, with adequate resources, understanding and the technical capability to respond within a tight legal timeframe?

This guide aims to take you through the key steps to consider, such as…

  • Being prepared
  • Retrieving the personal data
  • Balancing complex requests
  • Applying redactions & exemptions
  • How technology can help


Managing Erasure Requests or DSARs via Third-Party Portals

January 2022

Do organisations have to honour them? Well, it depends…

Over the past few years GDPR, the California Consumer Privacy Act (CCPA) and other privacy regulations have led to specialist companies offering to submit Erasure or Data Subject Access Requests (DSARs) on behalf of consumers.

These online portals say they want to help people exercise their privacy rights, while enabling them to make requests to multiple organisations simultaneously.

Companies on the receiving end of such requests often receive them in volume, and not necessarily from consumers they even know. Requests can quote swathes of legislation, some of which may be relevant and some of which won’t apply in your jurisdiction.

If you haven’t had any yet, you may soon. Companies like Mine, Privacy Bee, Delete Me, Revoke and Rightly all offer these services.

They don’t all operate in the same way, so be warned the devil is in the detail.

How third-party portals work

Okay, bear with me, as said there are different approaches. They may use one, or a combination of, the following elements:

  • Offer to simply submit requests on the individual’s behalf, then the consumer engages directly with each organisation
  • Offer people the opportunity to upload their details and proof of ID, so the portal can submit requests on their behalf without the consumer needing to validate their ID each time.
  • Provide a bespoke link which organisations are invited to use to verify ID/authority. (Hmmm, we’re told not to click on links to unknown third parties, right?)
  • Allow consumers to select specific named organisations to submit requests to
  • Make suggestions for which organisations the individual might wish to ‘target’
  • Offer to scan the individual’s email in-box to then make suggestions about which organisations are likely to hold their personal data. (Again, really? Would you knowingly let any third-party scan your in-box?).

Is this a good thing? Does it empower the consumer?

On the surface, this all seems fairly positive for consumers, making it simpler and quicker to exercise their privacy rights.

For organisations, these portals could be seen as providing an easier way of dealing with rights requests in one place, and perhaps a more secure way of sharing personal data, for example when responding to a DSAR.

I would, however, urge anyone using these portals to read the small print, and any organisation in receipt of these requests to do their homework.

Why it’s not all straight-forward

The following tale from one DPO may sound familiar…

We tend to find these requests slightly frustrating and time-consuming. First, we have to log all requests for our audit trails. We cannot simply ignore the requests otherwise this can cause regulatory issues, not to mention if they are genuine requests.

More often than not, they are sent in batches and do not contain the information we require to search and make the correct suppression. Where we do have enough information to conduct searches, we often find the personal details do not exist on our database.

Another concern is whether the requests are actually meant for us. We recently received a number of requests for a competitor, who was clearly named on the requests. When we tried to contact the portal to explain this issue, we did not get a response and were essentially ignored, which leaves us in a predicament – do we continue with the request, was it actually for our organisation or not?

So, there’s a problem. Requests might be submitted on behalf of consumers whom organisations have never engaged with. Requests can arrive with insufficient information. We can’t always verify people’s identity, or the portal’s authority to act on their behalf. In these circumstances, do people genuinely want us to fulfil their Erasure or Access request?

What does the ICO say about third-party portals?

The regulator does reference online portals in its Right of Access guidance. It tells us we should consider the following:

  • Can you verify the identity of the individual?
  • Are you satisfied the third-party has authority to act on their behalf?
  • Can you view the request without having to take proactive steps (e.g. paying a fee or signing up to a service)?

The ICO makes it clear it would not expect organisations to be obliged to take proactive steps to discover whether a DSAR has been made. Nor are you obliged to respond if you’re asked to pay a fee or sign up to a service.

The Regulator says it’s the portal’s responsibility to provide evidence of their authority to act on an individual’s behalf. If we have any concerns, we’re told to contact the individual directly.

If we can’t contact the individual, the guidance tells us we should contact the portal and advise them we will not respond to the request until we have the necessary information and authorisation.

This all takes time…

This is all very well, but for some organisations receiving multiple requests this is incredibly time-consuming.  Some organisations are receiving hundreds of these requests in a single hit, as Chris Field from Harte Hanks explains in – You’ve been SAR-bombed.

In addition, we need to do our research and understand how the portal operates, checking whether we believe it is bona fide or not.

Another DPO, whose company receives around thirty privacy requests from third-party portals a month says; “Often these tools don’t provide anything more than very scanty info, so they all require responses and requests for more info”. This company takes the following approach; “We deal with the individual if it’s a legitimate contact detail, or we don’t engage.”

It really is a question of how much effort is reasonable and proportionate.

We must respect fundamental privacy rights, understand third-party portals may be trying to support this, but balance this with our duty to safeguard against fraud or mistakes.

Are Data Subject Access Requests driving you crazy?

January 2022

Complicated. Costly. Time-consuming...

… And driving me crazy. We’ve all heard the dreaded words, right? I’d like a copy of my personal data.

Which led me to think; is the fundamental privacy right of accessing our personal data becoming part of our increasingly litigious culture? The DSAR is now a staple opening shot for law firms handling grievance claims or employment tribunals, looking for potentially incriminating morsels of information.

Of course, this right must be upheld, but is the process fit for purpose? Employee-related requests, in particular, can entail a massive amount of work and the potential for litigation makes them a risky and complex area.

For some organisations, this is water off a duck’s back; they’ve always had access requests, anticipated volume would increase after GDPR, have teams to handle them, invested in tech solutions, have access to lawyers and so on.

Great stuff, but please spare a thought for others.

Plenty of businesses have lower volumes of DSARs. They’re unable to justify, or afford, extra resources. These guys are struggling under a system that assumes one size fits all.

Then there are businesses who’ve never even had a DSAR. For them, just one request can be an administrative hand grenade.

Of course some businesses are guilty of treating employees badly, but I wish things could be different. It’s about getting the balance right, that most elusive of things when creating regulatory regimes. Are the principles behind the DSAR important? Of course. Can the processes be improved? Definitely!

So be warned – here begins a micro-rant on behalf of the smaller guys. I’m feeling their pain.

What’s that sound? It’s wailing and the gnashing of teeth

It’s clear in our Privacy Pulse Report DSARs are a significant challenge facing data protection professionals. One DPO told us;

“Vexatious requests can be very onerous. Controllers need broader scope for rejection and to refine down the scope, plus criteria for when they can charge… In my view, the ICO should focus on helping controllers to manage complex and vexatious DSARs.”

Some access requests are straightforward, especially routine requests where ‘normal’ procedures apply. However, some requests are made by angry customers or disgruntled ex-employees on a mission… and there’s no pleasing them. A troublesome minority appear to be submitting DSARs because they’re angry and want to cause inconvenience, but don’t go so far as to fall under the ‘manifestly unfounded’ exemption.

Anyhow, for all those of you out there dealing with this stuff, know that I feel your pain. Without any further ado…

My THREE biggest DSAR bugbears (there are others)

Everything!

We’re entitled to a copy of ALL our personal data (to be clear, this doesn’t mean we’re entitled to full documents just because our name happens to appear on them somewhere).

It’s true organisations are allowed to ask for clarification, and the ICO’s Right of Access Guidance, provides some pointers on how to go about this.

Yet that tiny glimmer of hope is soon dashed – we’re told we shouldn’t seek clarification on a blanket basis. We should only seek it if it’s genuinely required AND we process a large amount of information about the individual.

Furthermore; “you cannot force an individual to narrow the scope of their request, as they are still entitled to ask for ‘all the information you hold’ about them.”

Why?

Let’s take the hypothetical (but realistic) case of an ex-employee who believes they’ve been unfairly dismissed. They worked for the company for 10 years, they submit a DSAR but choose not to play along with clarifying their request. They want everything over a decade of employment.

Do they really need this information? Or are they refusing to clarify on purpose? Is this a fair, proportionate ‘discovery process’? As I’ve said before, large organisations may be better placed to absorb this; it’s the not-so-big ones who can really feel the pain. And in my experience, much of the personal data retrieved after hours of painstaking work isn’t relevant or significant at all.

Emails!

I get conflicted with the requirement to search for personal data within email communications and other messaging systems.

On the one hand we have the ICO’s guidance, which to summarise tells us:

  • personal data contained within emails is in scope (albeit I believe GDPR has been interpreted differently by other countries on this point);
  • you don’t have to provide every single email, just because someone’s name and email address appears on it;
  • context is important and we need to provide emails where the content relates to the individual (redacted as necessary).

If you don’t have a handy tech solution, this means trying to develop reasonable processes for retrieving emails, then eliminating those which won’t (or are highly unlikely to) have personal data within the content. This takes a lot of time.

Why am I conflicted? In running a search of your email systems for a person’s name and email address, you’ll inevitably retrieve a lot of personal data relating to others.

They might have written emails about sensitive or confidential matters, now caught within the retrieval process. Such content may then be reviewed by the people tasked with handling the request.

I suspect this process can negatively impact wider employee privacy. Yes, we’re able to redact third-party details, but by searching the emails in the first place we’re delving into swathes of other people’s personal data.

It seems everyone else’s right to privacy is thrown out in the interests of fulfilling one person’s DSAR.

It also makes me wonder; if I write a comment that might be considered disparaging about someone in an email, do I have any right to this remaining private between me and the person I sent it to? (Even if it wasn’t marked confidential or done via official procedure).

I know many DPOs warn their staff not to write anything down, as it could form part of a DSAR. I know others who believe they’re justified in not disclosing personal data about the requester, if found in other people’s communications. Which approach is right?

Time!

Who decided it was a good idea to say DSARs had to be fulfilled within ‘one calendar month’?

It wasn’t! This phrase led to the ICO having to offer this ‘clarification’;

You should calculate the time limit from the day you receive the request, fee or other requested information (whether it is a working day or not) until the corresponding calendar date in the next month.

If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.

If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond.

This means that the exact number of days you have to comply with a request varies, depending on the month in which an individual makes the request.

For practical purposes, if a consistent number of days is required (e.g. for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.

I hope you got that.

Wouldn’t it have been easier to have a set number of days? And perhaps more realistic timescale?

Let’s take the hypothetical (but realistic) case; you receive a DSAR on 2nd December. You can’t justify an extension as it isn’t unduly complex.

Yes, I know you’re with me; bank holidays and staff leave suddenly means the deadline is horribly tight.

I wish there was a specific number of days to respond. I wish they excluded national bank holidays and I wish there was a reprieve for religious festivals. I know, I’m dreaming.
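For anyone who has to put that rule into a case-management system, here is the calculation written out as code. This is an added worked example, not anything from the ICO or from the original article: it applies the rule quoted above (corresponding calendar date, last day of a shorter month, roll forward over weekends and public holidays) to the hypothetical 2nd December request and to a couple of other dates. The bank-holiday set is constructed for the example from the England and Wales dates around the 2021/22 year end, the function names are mine, and `extension_months` is my way of modelling the extension of up to two further months for complex requests.

```python
import calendar
from datetime import date, timedelta

# Bank holidays for the worked case. Constructed for this example from the
# England and Wales dates around the 2021/22 year end; in production load the
# official list for your jurisdiction rather than hard-coding it.
SAMPLE_BANK_HOLIDAYS = frozenset({
    date(2021, 12, 27),  # substitute day for Christmas Day (25 Dec 2021 was a Saturday)
    date(2021, 12, 28),  # substitute day for Boxing Day (26 Dec 2021 was a Sunday)
    date(2022, 1, 3),    # substitute day for New Year's Day (1 Jan 2022 was a Saturday)
})


def corresponding_date(start: date, months_ahead: int) -> date:
    """The same calendar day `months_ahead` months on; where that month is
    shorter and has no such day, the last day of that month (the ICO rule)."""
    index = start.month - 1 + months_ahead
    year, month = start.year + index // 12, index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(day: date, holidays=frozenset()) -> date:
    """Roll a weekend or public-holiday date forward to the next working day."""
    while day.weekday() >= 5 or day in holidays:  # 5 = Saturday, 6 = Sunday
        day += timedelta(days=1)
    return day


def dsar_deadline(received: date, holidays=frozenset(), extension_months: int = 0) -> date:
    """Deadline for responding to a request received on `received`.

    One calendar month by default. `extension_months` (at most 2) models the
    extension for complex requests, which has to be notified within the first month.
    """
    if not 0 <= extension_months <= 2:
        raise ValueError("the period can be extended by at most two further months")
    due = corresponding_date(received, 1 + extension_months)
    return next_working_day(due, holidays)


def days_available(received: date, holidays=frozenset()) -> int:
    """How many days the deadline actually gives, which varies month to month."""
    return (dsar_deadline(received, holidays) - received).days


if __name__ == "__main__":
    for received in (date(2021, 12, 2), date(2022, 1, 31), date(2022, 5, 31)):
        print(received, "->", dsar_deadline(received, SAMPLE_BANK_HOLIDAYS),
              f"({days_available(received, SAMPLE_BANK_HOLIDAYS)} days)")
```

Run it and the 2nd December 2021 request comes out due on 4th January 2022: 2nd January is a Sunday and 3rd January was a substitute bank holiday, so the deadline rolls to the Tuesday, 33 days after receipt. A request received on 31st January is due on 28th February, only 28 days later, which is where the ICO’s suggestion of a fixed 28-day period for systems comes from. Where you have paused the clock for clarification, the quoted guidance runs the period from the day you receive the requested information, so that is the date to pass in as `received`.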

DSARs and UK data reform

Is the UK Government going to try and address the challenges in their proposal to reform UK data protection law?

The consultation paper makes the right noises about the burden DSARs place on organisations, especially smaller businesses.

Suggestions include introducing a fee regime, similar to that within the Freedom of Information Act. One idea is a cost ceiling, while the threshold for responding could be amended. None of this is without challenges. There’s also a proposal to re-introduce a nominal fee.

On the latter point, GDPR removed the ability to charge a fee. You may recall prior to 2018 organisations could charge individuals £10 for a copy of their personal data.

Many will disagree, but I think the nominal fee is reasonable. I realise it could be seen as a barrier to people on lower incomes exercising a fundamental right. However, my thoughts are organisations wouldn’t be forced to charge. It would be their choice. They would also be able to use their discretion by waiving the fee in certain situations. It makes people stop and think: ‘do I really want this?’

Whatever transpires, I truly hope some practical changes can be made to support small and medium-sized businesses. Balancing those with individual rights isn’t easy, but that’s why our legislators are paid the big bucks.

And here, dear reader, endeth my rant!

What privacy lessons can we learn from Online Dating

March 2021

Here are our top 10 tips…

Recently, I was joined by John Mitchison from DMA and Chris Field from Harte Hanks in Texas to talk about privacy issues in the online dating industry. DPN are now Associate members of the Online Dating Association, the International trade body for dating businesses, and we were delighted to speak to their members on this topic.

The discussion was wide ranging – here are my ten lessons:

1. International data protection laws appear to be converging

We know EU GDPR has set the bar high, but we can see that, to an extent, this is being replicated in some US states, most notably California. It’s also clear with the Biden/Harris presidential team there will be a greater focus on protecting privacy and the possible introduction of a Federal data protection law.

The fact the UK is likely to be granted adequacy is another reason to believe high data protection standards are here to stay.

2. Questions around trust and transparency will increase

Since the introduction of GDPR and the start of the Covid pandemic the wider population has an increased awareness of privacy questions. People know their rights and there’s an increasing awareness of data breaches.

Being open and transparent is a core principle of GDPR and, to build trust, more businesses will treat trust as a core operating principle.

3. Special category data must be handled carefully

A lot of very personal information is shared through an online dating account and some of it will be considered special category data. This includes, among other categories, anything to do with health, sexual orientation, sex life, racial or ethnic origin and religious beliefs.

The UK’s ICO cautions against using this data unless its use has been carefully risk assessed.  In particular if this data is shared as part of a profile it should not necessarily be used to help build segments for marketing purposes.

4. Distinguish between service messages and marketing messages

It may not be desirable or necessary to use all the data contained in a user profile to create segments for marketing. It would make sense to minimise the use of personal data and identify the key variables which will generate a sale.

The remainder of the data could be used to help deliver the service, but understanding the difference between service and marketing messages is paramount.

5. Right to be Forgotten is not an absolute right

It’s almost never a good idea to completely erase a data subject from your system as, somehow, you need to know not to add them back in again. This means keeping a small snippet of information in a suppression file to ensure they can never sign up for marketing again.

However, with the dating industry, there’s also the need to have safeguards in place to protect other members from stalkers, convicted rapists or other criminals. In this case, producing a DPIA and documenting the reasons for keeping any data is absolutely essential.

6. DSARs (Data Subject Access Requests) are growing

Individuals know their rights and are making more requests whether it’s through a third party or a direct request. In the US, there’s a similar requirement in California. Having the necessary processes in place to ensure these can be responded to within a month is key.

7. Removal of fake profiles is not a privacy matter

Within the terms and conditions of most dating sites will be the absolute right to remove fake profiles. This is not a privacy matter but part of the terms and conditions of use to protect other users.

8. Wean yourselves off use of third-party cookies

Although Mozilla’s Firefox and Apple’s Safari have already stopped supporting third-party cookies for targeting purposes, Google’s decision to stop supporting them in 2022 is a game changer. Chrome represents over 65% of the browser market and its decision will effectively kill off third-party cookies.

Now is the time to think about alternative ways of targeting. This could be through the development of profiles using data you’ve compliantly collected yourselves, the use of contextual targeting tools or collaborations to share data insights. The world will change and the race is on to change ways of targeting.

9. Social media marketing is under scrutiny

What do you need to create look alike audiences on Facebook or Instagram? Can you create anonymised segments which can be uploaded for targeting? Do you need to upload emails to create segments and if you do, have you gained the necessary consent from your customers/prospects? Uploading emails is a high risk activity without consent.

10. Data breaches are endemic

In the UK, 88% of companies were affected by a breach in the last 12 months, whilst in the US the number is 49%. The most recent ICO quarterly breach review indicated 72% of breaches were not cyber-security related.

In a nutshell, most problems are down to user error, whether it’s not updating user access, not changing passwords or insecure data sharing. The list of possible infringements due to error is endless. For any organisation handling such huge volumes of personally sensitive data, the challenge is substantial.

We may have been talking about dating but these top 10 tips can apply to any digital business.


Data protection team over-stretched? Find out how we can support you with our Privacy Manager Service.

Right to Erasure: 10 Tips

March 2021

What data should you erase? When can you refuse? And, on a technical level, how do you ensure everything is deleted?

Fulfilling people’s privacy rights isn’t easy, and the Right to Erasure raises complex challenges. Add to this the tight timeframe to action requests, or bulk requests from third parties, and it can turn into a bit of a minefield.

We’ve got some tips to help navigate around the quicksand. But first, a little refresher on what the Right to Erasure means.

What is the Right to Erasure?

As the name suggests, a person has the right to request that their personal data is erased from your systems if you no longer have a compelling reason to keep it.

You may hear it referred to as the ‘Right to be Forgotten’. This stems from a decision in 2014 by the Court of Justice of the EU which recognised the right of EU citizens to request the removal of links to personal information on search engines.

GDPR took this ruling a step further and enshrined a broader right into EU law, taking it beyond the context of publicly available personal information.

It’s not an absolute right, and there are circumstances in which it can be denied.

By the way, post-Brexit and under UK GDPR, the right remains unchanged. (See UK data protection law post-Brexit)  

When does the right to erasure apply?

You need to fulfil a person’s request for erasure in the following circumstances;

  • Their personal data is no longer necessary for the purposes you originally collected it for
  • They gave you their consent and now wish to withdraw this consent
  • You’re relying on your legitimate interests to handle their data, they object to this, and you have no overriding legitimate interest to continue to keep it
  • They gave you their details for direct marketing purposes and now want you to erase them
  • You’re fulfilling a legal ruling or legal obligation to erase the data
  • You collected their data as a child in relation to the offer of information society services (i.e. online services)
  • You’re handling their data unlawfully

The last point, a general ‘catch-all’, is a tricky one to balance, as there may be many reasons why personal data could be processed unlawfully.

For example, the handling of personal data might be considered unlawful if it’s inaccurate, or if necessary information has not been provided in a privacy notice.

When can you refuse an erasure request?

Under both EU & UK GDPR, the right doesn’t apply when you’re handling personal data for the following reasons:

  • to exercise the right of freedom of expression and information
  • to comply with a legal obligation
  • for the establishment or defence of legal claims
  • to perform a task carried out in the public interest or when exercising an organisation’s official authority
  • for public interest in the area of public health
  • for archiving purposes in the public interest, scientific or historical research or statistical purposes (where erasure would make this impossible or seriously impair your objectives)

There may also be grounds for refusing a request where you can justify that it’s manifestly unfounded or excessive.

The UK’s Data Protection Act 2018 provides a full list of exemptions.

If you refuse to comply with a request you must tell the person promptly, explaining why and telling them they’ve the right to raise a complaint with the ICO (or other supervisory authority).

There are many variables at play; each request needs to be assessed on a case-by-case basis. This is where the devil really is in the detail.

10 tips for handling the Right to Erasure

1. Awareness

Someone can request their data is erased, either in writing or verbally. They might make this request to anyone in your business or organisation. So, everyone needs to know how to recognise this request, what to do if they receive one, how to log it, who to direct it to and so on.

Awareness campaigns, training, easy-to-understand policies and straightforward procedures all play their part in getting key messages across to all staff.

2. Identity verification

You clearly don’t want to delete someone’s details unless you are absolutely sure they are who they say they are. Sometimes this will be obvious, but in other circumstances you’ll need to ask for verification.

Be careful to only ask for the minimum amount of information necessary to confirm identity. Don’t accumulate more information such as copies of passports or driving licences, unless it’s justified.

If a request is received via another organisation, make sure this third party definitely has the authority to act on behalf of the individual in question. The responsibility lies with the third party to provide any necessary evidence to prove this – bear this in mind if you’re the third party!

3. Technical measures

Your customers might think deleting their data is as simple as clicking a button. If only it were that easy!

It can be difficult to locate, identify, assess and properly delete data – especially if it’s held on different systems, media or other platforms. You might hold records in emails, in backups, in the cloud… and all of it must be deleted.

You need to make sure your systems, applications and databases allow the easy identification and deletion of individuals. You may also need to assess the implications of deletion; it can impact on how different software works.

This is where the concept of Data Protection by Design really supports businesses. If from the outset of any new project or initiative you make sure you factor in managing individual data rights, it will make life much easier in the long run.

It’s worth reiterating – the right to erasure extends to deleting data from backups. The Information Commissioner’s Office recognises this and says, “the key issue is to put the backup data ‘beyond use’, even if it cannot be immediately overwritten.”

4. Timeline

You don’t have long to comply with requests, so keeping track of time is crucial. The request must be actioned without ‘undue delay,’ and in any case within one calendar month of receiving it.

You may be able to extend this by up to two months if it’s particularly complex. If you need to extend, make sure you tell the individual before the first month is up, giving them clear reasons for the delay – reasons you must be ready to explain to the regulator if necessary.

5. Who else holds their data?

The right to erasure doesn’t just apply to the records your organisation holds. You’re also expected to tell other organisations to whom you’ve disclosed the personal data.

Having a clear understanding of all your suppliers, any other organisations you share personal data with, means you can efficiently contact them and inform them of erasure requests.

You don’t have to do this if it would prove impossible or involves disproportionate effort. (But again, you must be able to justify this was the case).

6. Public domain data

The Right to Erasure also applies to personal data that’s been made public in an online environment (‘The Right to be Forgotten’).

You need to be ready to take reasonable steps to inform other organisations who are handling the personal data; asking them to erase links to, copies of, or replication of the data.

What is reasonable will depend on available technology and the cost of implementation. This expectation scales with size; the bigger your organisation and the more resources you have, the more you’ll be expected to do.

7. Children’s specific rights

Children have special protection under data protection law, and the right to erasure is particularly relevant when a child has given their consent and later wants their personal information removed, especially if it’s available on the internet.

Someone can exercise this right, even if they are no longer a child. Baking in the ability to delete children’s information from the start is crucial.

8. Exemptions

It’s helpful to have a clear checklist of the exemptions that might apply. They don’t all apply in the same way, so be sure to examine each exemption on a case-by-case basis.

The ICO’s exemptions guide is a good starting point. 

If you believe the request is manifestly unfounded or excessive, the duty is on you to make sure you’ve a strong justification for this.

9. Maintain a log

How do we delete someone, but also prove we have? Feels ambiguous doesn’t it?

You’re allowed to keep a log of erasure requests, actions taken and justifications for these. You need to do this to demonstrate compliance.

Make sure this log is kept securely and only holds the minimum amount of information necessary. I know some organisations who’ve taken the step of pseudonymising this log for extra protection.
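One way to do that pseudonymisation, as an added example rather than anything from the article or from a named organisation: the register below keys its entries by a keyed hash (HMAC-SHA256) of the normalised email address, so it doubles as the suppression file described in tip 5 of the online-dating article above (keep just enough to never add the person back) and as the erasure log here, without holding the address itself. The key, the sample request, the system names and the function names are placeholders constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import date

# Secret key for the keyed pseudonym. Placeholder for this example only: in
# practice hold it in a secrets manager, separately from wherever the log lives.
PSEUDONYM_KEY = b"replace-me-with-a-key-from-your-secrets-manager"


def normalise_email(email: str) -> str:
    """Canonical form so 'Jane.Doe@Example.com ' and 'jane.doe@example.com'
    produce the same pseudonym. Use the same normalisation at every check."""
    local, at, domain = email.strip().lower().rpartition("@")
    if not (local and at and domain):
        raise ValueError("not an email address")
    return f"{local}@{domain}"


def pseudonym(email: str, key: bytes = PSEUDONYM_KEY) -> str:
    """HMAC-SHA256 of the normalised address. Without the key the value cannot
    be linked back to an address, unlike a plain hash, which an attacker could
    match against a list of guessed addresses."""
    return hmac.new(key, normalise_email(email).encode("utf-8"), hashlib.sha256).hexdigest()


class ErasureRegister:
    """Suppression list and audit log in one structure, keyed by pseudonym only.

    Nothing stored here identifies the person directly: a record proves that a
    request was received and actioned, and the key lets a later sign-up or
    marketing import be checked against it.
    """

    def __init__(self):
        self._entries = {}

    def record_erasure(self, email: str, received: date, systems_cleared, justification: str) -> str:
        token = pseudonym(email)
        self._entries[token] = {
            "received": received.isoformat(),
            "systems_cleared": sorted(systems_cleared),
            "justification": justification,
        }
        return token

    def is_suppressed(self, email: str) -> bool:
        """Call this before adding any address to a marketing list."""
        return pseudonym(email) in self._entries

    def export(self) -> str:
        """What an auditor sees: pseudonyms, dates, systems and reasons, no names."""
        return json.dumps(self._entries, indent=2, sort_keys=True)


if __name__ == "__main__":
    register = ErasureRegister()
    register.record_erasure("Jane.Doe@Example.com ", date(2022, 1, 14),
                            ["crm", "mailing-platform", "backup-2022-01"],
                            "Art. 17(1)(b): consent withdrawn")
    print(register.is_suppressed("jane.doe@example.com"))
    print(register.export())
```

Two caveats. The HMAC is deterministic, so anyone holding the key (or able to call `is_suppressed`) can test a guessed address against the log; that makes it pseudonymous, not anonymous, and the key has to be held separately from the log and from whoever can read it. And if the key is lost, every suppression check silently stops matching, so back it up as you would a signing key.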

10. Minimisation and retention

The right to erasure (and indeed other privacy rights, such as DSARs) can be less complex if we try to stick to two of the core data protection principles; data minimisation and storage limitation.

Collecting less data in the first place and only keeping it for as long as we need it means there’s less data to trawl through when we get a request to delete it.

Sounds simple, less easy in practice, but worth the effort.

Just finally, no matter how belligerent someone’s being, try to remain upfront and honest with them.

Yes, this was a blatant excuse for me to shoehorn an 80s pop gag into the article in the form of an Erasure reference – just show complainers ‘A Little Respect’. Oh, and you can’t only be compliant with requests ‘Sometimes’!

For more information see: GDPR Article 17, Recital 65, Recital 66, and the ICO Right to Erasure guidance.


ICO Subject Access Request Guidance: help or hindrance?

October 2020

The ICO published its hotly anticipated detailed ‘Right of Access’ guidance on 21st October, following a consultation which closed in February 2020. Does it help, or add to the complexity of handling access requests?

(For the sake of clarity, the Right of Access is commonly referred to as Data Subject Access Requests – DSAR/SAR).

First off, I’ll be diplomatic and say the ICO was being slightly optimistic by titling its accompanying blog, ‘Simplifying subject access requests new detailed SARs guidance’.

Simplifying isn’t a word I’d have chosen for 81 pages of detailed guidance – much of which rests on interpretation, careful assessment and justifiable decision-making.

SARs are often an area where the devil is in the detail and they can be a minefield for the initiated, let alone the uninitiated.

What are the key highlights of the guidance?

  • ‘Stopping the clock’ is now permitted when you need to seek clarification. But seeking clarification shouldn’t be a blanket approach
  • Examples are provided to help organisations assess when a request might be considered ‘manifestly unfounded’
  • Some pointers are given for setting a ‘reasonable’ admin fee. This is only permitted when responding to manifestly unfounded or excessive requests, or when responding to follow-up SARs.

I’ve taken a look at these in more detail.

‘Stopping the clock’

If you process ‘a large amount of information’ about someone, you may ask them to specify the information or activities their request relates to before you respond, but the regulatory guidance is that this shouldn’t be your routine approach.

The ICO has confirmed the one calendar month for responding can be paused while you wait for the requestor to provide clarification. (In their draft they had suggested the clock didn’t stop).

You may choose to conduct a ‘reasonable’ search instead of seeking clarification and it is up to you to assess and justify what constitutes a ‘large amount of information’, considering the size of your organisation and resources.

The guidance states:

“It is unlikely to be reasonable or necessary to seek clarification if you process a large volume of information in relation to the individual but can obtain and provide the requested information quickly and easily.

You can ask the requester to provide additional details about the information they want to receive, such as the context in which you may have processed their information and the likely dates of when you processed it.

However, you cannot force an individual to narrow the scope of their request, as they are still entitled to ask for ‘all the information you hold’ about them.”

If you judge it necessary to seek clarification, you should make sure it’s quick and easy for the individual to respond, and you should let them know the clock will be paused and will resume once they respond.

The value of good communications with people submitting access requests can’t be overstated, as highlighted in our article 10 DSAR tips from 10 DPOs.

I can foresee some head-scratching here: what type of clarification can be sought? When is it reasonable to ask for this? What should you do if someone fails to respond? How much should you chase up? And so on.

‘Manifestly unfounded’

There is an exemption whereby you’re permitted to refuse to respond to a SAR (wholly or in part) if you judge it to be ‘manifestly unfounded’ or ‘excessive’.

This has been an area which has vexed many, and the ICO has attempted to clarify it by giving some examples, such as:

  • Where there is no intention to exercise their right of access. This could be when the individual offers to withdraw their request in return for some kind of benefit.
  • Where the request is malicious and is being used to harass or cause disruption. This could include a request which targets a particular employer based on a personal grudge, or where different requests are systematically sent as a part of a campaign.

The onus rests with you to be able to justify a decision that a request is manifestly unfounded. Also, be careful, it’s not enough to use this exemption simply because of the individual’s motive. An ex-employee on a fishing exercise because they are unhappy with being made redundant is highly unlikely to fall under ‘manifestly unfounded’.

The ICO guidance states:

“If the individual genuinely wants to exercise their rights, it is unlikely that the request is manifestly unfounded.

Whilst aggressive or abusive language is not acceptable, the use of such language does not necessarily make a request manifestly unfounded.”

The guidance also provides examples of what would be considered manifestly ‘excessive’, such as requests which largely repeat previous requests without a reasonable interval.

‘Charging an admin fee’

As we know, the old £10 fee disappeared with GDPR, and the general rule is no fee should be charged. However, you can charge a ‘reasonable fee’ to cover administrative costs if:

  • you’ve assessed the request to be manifestly unfounded or excessive
  • the individual asks for further copies of their data following a request.

Many organisations are therefore left with (1) having to assess whether a request is manifestly unfounded, and (2) working out what would be a reasonable fee.

The guidance tries to help organisations judge what criteria to consider when arriving at a reasonable fee: the costs of locating, retrieving and extracting the information, communicating the response, and staff time.

The ICO says it’s good practice to establish an unbiased set of criteria for charging fees and that this should be explained to individuals.

I found the following paragraph in the guidance unnecessarily confusing:

“If you choose to charge a fee, you do not need to comply with the request until you have received the fee. However you should request the fee promptly and at the latest within one month of receiving the SAR. This means you must request the fee as soon as possible. You must not unnecessarily delay requesting it until you are nearing the end of the one month time limit.”

So, request the fee promptly and at the latest within one month of receiving the SAR, but don’t delay requesting it until you’re nearing the end of the one month time limit? (Hmmm…)

My advice? Request the fee promptly, and not when you’re nearing the end of the one month time limit.

Is there a risk organisations are being given more leeway to refuse SARs?

Michael Bond, Group DPO at News UK, raises some concerns about the ICO’s approach:

“It appears to have capitulated under the weight of lobbying and produced something that could well have a chilling effect on this cornerstone of information rights. Clarification is always welcome but, in my view, it will make the entire subject access process more complex for organisations and individuals to understand and increase administrative burden.”

As I said, the ICO blog title ‘simplifying subject access requests’ isn’t a phrase I’d have used, for an area which can quickly become complex. So much rests on balanced decisions and being able to justify these.

There are places in the guidance which organisations may use to push back on requests (perhaps unfairly). On the other hand the guide is extensive and a useful resource, especially for organisations with less experience in handling SARs.

Remember it’s ‘guidance’ and you may decide you disagree, but if you do be sure to have a strong case for doing so.

A final tiny tip – I’d recommend downloading the Right of Access Guidance, as on the ICO website it can be tricky to search if you are looking for something specific. Also, be sure to check for updates.


10 DSAR tips from 10 DPOs

October 2020

While it’s great people have the right to request copies of their personal data, there’s no doubt Subject Access Requests (SARs) can be challenging to complete adequately and on time.

(If you’ve ever had the misfortune to get a request from a disgruntled employee, for example, you’ll understand how complex these requests can become).

Some organisations are turning to tech to improve their processes for gathering information and redacting data where necessary. However, our recent survey shows the take-up of organisations using external tech solutions is currently relatively low, with just 15% of organisations using an external solution to ease the burden of DSAR requests.

To give you a helping hand, we’ve asked 10 experts who routinely handle requests, to share their top tips, (they’re not all strictly speaking DPOs, but forgive me for wanting to keep the headline succinct).

1. Keep in touch

Chris Field | Privacy Director | Harte Hanks (US)

When addressing a DSARs, it is critical DPOs take the time to ensure their communications with data subjects are positive. Always use simple language that’s easily understood when communicating. Acknowledge requests as soon as possible and set expectations as to when requests will be complete. Use calendar reminders to help you proactively notify data subjects of any delays and always check the information provided by the business. Be sure it relates to the data subject, and include clear descriptions as to what the data represents and how it is used.

2. The personal touch

Andy Bridges | Data Quality and Governance Manager | REaD Group

In our experience, one of the most important aspects when dealing with both DSARs and standard DPO cases is to ensure there is acknowledgment and understanding from the first stage. It is, of course, fundamental to ensure that your organisation’s processes and procedures are properly implemented, but also important not to lose sight of the human element which often gets missed. I have spoken directly to many data subjects and in most cases that personal touch has made a big difference and reassures the consumer that they are being treated with respect and dignity – which in turn helps to alleviate their concerns about how their personal data is being processed and why.

3. Focus on the agreed scope

Sara Howers | Data Protection Officer UK | CGI IT UK Ltd.

Although we cannot insist on a data subject giving us parameters for their access request, many do, and in these cases it’s important to restrict the data selected and supplied to within those parameters and not to over-supply the data. As many of us rely on a number of parties to collate information for us, even when we pass on those parameters, they aren’t always picked up and adhered to (sometimes because their own selection tools are a little overly inclusive), so it’s very important that we sense check all feeds in & restrict them accordingly. After all, you don’t want your DSAR to end up being the cause of a data breach in itself.

4. Don’t be unduly influenced by other matters

Michael Bond | Group Data Protection Officer | News UK

In my experience, the right of subject access is most often asserted where there are ongoing grievances or complaints relating to employees or customers. As such, there may be broader issues that turn on the results of a request. As the person managing the request, it is important to ensure that the subject access process is not unduly influenced by these broader customer or employee matters but kept separate; thereby preserving the integrity of the subject access process and impartiality and independence of the DPO.

5. What about requests from third-party portals?

Gerald Coppin | Deputy Group Data Protection Officer | Springer Nature Group

A growing trend is for a DSAR to be submitted by a third party portal that insists the data subject is not contacted as part of the process, and organisations are instructed that any questions or follow up be undertaken solely through the third party. There is still the responsibility on your organisation to verify the identity of the data subject and this can be done by using the direct contact details of the data subject (if provided). Often these requests are accompanied with scanned images of legal documents (passport, driving licence, visas, permits, ID card, etc) and you should be mindful that these images are still stored on your systems even if the data subject has not confirmed the request as genuine.

6. Keep track of time

Claire Robson | Data Protection Officer | Great Ormond Street Hospital Children’s Charity

Managing a DSAR within the 1-month timescale is tricky, particularly where you have a geographically spread organisation or multiple record-keeping systems. Establish a process to help staff identify a request – getting it to you promptly ensures you don’t lose too many days before you’ve even started. Know your record keeping systems – understanding what is held where, helps you locate, and retrieve the records needed. Are you reliant on other teams? Establishing KPIs for response times and setting expectations of them can help. Throughout, keep an eye on progress so you can quickly identify and notify the requestor if it’s going to take longer.

7. Can tech help?

Simon Morrissey | Legal Director Information Rights | BBC

The frequency and scale of individual DSARs has led to technology assuming an increasingly important role to play in the handling of DSARs, both in terms of managing the overall DSAR workflow and the collation, review and redaction process. There are now technology solutions available that allow an organisation to track a DSAR from inception to completion and which also contain a reporting tool that can assist with compliance reporting. As far as collation, review and redaction is concerned, there are also technology solutions which use machine learning to improve de-duplication and email de-threading, thereby reducing the volume of documents that require review. Machine learning is also being used to analyse the human level review and redaction of the documents potentially in scope to ascertain the relevance of the documents not yet reviewed. This can also result in a significant reduction in the number of documents that require manual review and redaction.

8. How to cope with employee emails?

Data Protection Officer | Haymarket Media Group

Employee DSARs can be the most complex. You will need to take a view on how to tackle email communications and strike a balance between other employees’ confidentiality and the right of access. An employee expressing an opinion about another employee to somebody else is personal data, but did they expect a level of confidentiality to be upheld when it was written as a private message? Whichever way you decide, it’s important all employees are clear on your company’s stance, so they know such messages may be disclosed as part of a DSAR. Remember, only the personal data needs to be provided, so including hundreds (if not thousands) of BAU emails might not be necessary. Automatically filter out those that would clearly be BAU and search for any personal data on a smaller volume of emails.

9. Remember the exemptions

Chris Whitewood | Privacy & Data Protection Officer | Direct Line Group

When considering what your DSAR response will consist of, you will need to understand what information a data subject is legally entitled to and when information can legitimately be withheld. If information is to be withheld, then it is important that you clearly document internally what information is to be withheld and what exemption you are relying upon. Your DSAR Team will need to be trained as to how exemptions apply and understand the nuances of the Data Protection Act 2018. This will assist you when responding to any requests for clarification from the ICO or further correspondence from data subjects.

10. Respond securely

Temi Akindele | Data Protection & Legal Counsel | The Prince’s Trust

When responding to a request by email, the information must be sent securely. Often (depending on the secure email solution) the secure email will look different from the regular email address that the DSAR was sent to and/or acknowledged from. It is advisable to follow up immediately with an email (from the regular email) to ask the recipient to confirm that they have received the information and are able to view it. Their reply will serve as proof of receipt of the response. If your secure email solution can track when the response was viewed and the information downloaded, save this receipt with the DSAR records. The cover email should also inform the recipient how to escalate if they are unhappy with the response; include the details for an internal contact in the first instance as well as the ICO’s details.

On 21 October 2020 the ICO published new detailed Right of Access Guidance.

You’ve been SAR-bombed!

July 2020

You are at the end of a long day, just about to turn in for the night. You do one last check of your inbox for any signs of a reported security incident. Suddenly you are aghast: the new email count in your inbox registers over 9,000 new emails! You quickly scan to fathom what on earth has happened…

All the emails come from the same sender and the subject lines all declare they are SAR (Subject Access Request) requests. Looking closer, you note the emails include personal information, state that “so-and-so” wants to exercise a privacy right, and reference different privacy laws.

Laws which, you know, require you to address privacy requests reasonably, with penalties should you fail to address the request in good faith and in a timely manner.

While I hope you never experience 9,000 requests in one hit, people seem to be increasingly relying on third parties and apps to facilitate their privacy rights. Indeed, some third-party portals are actively encouraging people to use their services.

Once your organisation is identified, you are likely to receive requests from the third party’s entire user base; all delivered to the email address published via your privacy statements.

Let’s explore this trend in more detail and give you a glimpse of how to tackle the SAR-bomb experience.

The Dawn of Privacy Preference Apps

Chances are you’ve already received or honoured an individual’s privacy request received via a third party in some fashion or another. Country and channel specific regulatory “do not contact” lists have for some years allowed people to ‘opt-out’ of direct marketing “en masse.” Some third parties offer people template letters to express privacy choices with a pre-defined list of organisations that should receive them.

Mobile apps are also available to help individuals exercise their requests. One such app seeks to help individuals to identify organisations they have previously transacted with for the purposes of exercising their privacy rights and another is designed to help individuals address legal disputes.

Of course, the California Consumer Privacy Act (CCPA) now requires organisations to process privacy requests delivered by third parties (defined as “authorised agents”). As California is the world’s sixth largest economy, CCPA’s “authorized agent” mandates are likely to be replicated and to influence individuals’ expectations beyond California.

Mindset

When addressing privacy requests delivered to you via third parties, be sure your response plan considers first the people submitting these requests. They’ve already invested some time and energy and may have even paid for the help these parties and solutions offer.

People may have turned to such third parties to assert control over their data in as broad a manner possible. Some may be frustrated, confused or upset, and others may not be aware or care that your organisation has specific obligations under the law.

Your procedures to authenticate identity, validate the processing of personal data, address requests within your organisation and ensure the security of the data in your care, are likely of little concern to individuals.

Even though the law may require you to separately affirm certain requests received online, some individuals simply won’t appreciate your attempts to confirm the authenticity of their requests.

Furthermore your requests of people to follow your processes may be met with frustration, indifference and scepticism; especially when you need them to take additional action to facilitate their original request.

Your experience addressing sensitive SAR requests, such as those associated with disgruntled employees or customers punishing you for bad service, can be especially useful.

Getting to Work

With the individual’s mindset front and centre, let’s shift attention to some of the considerations specific to being SAR-bombed. Time is of the essence and you need a systematic approach to establish whether you will deny, partially comply with, or fully comply with each request.

  • Get your arms around the situation – At a minimum, you need to identify each individual, extract the personal data (as needed to authenticate their identity and confirm the data exists within your organisation) and define the rights they wish to exercise. Conduct a quick test to see how much time is needed based on the total volume.

In our example, let’s say it takes you just 90 seconds to open one of the emails, log the relevant details to your SARs system and archive the email. At 9,000 requests, you may need 225 hours to convert these SAR emails into requests that make sense within your organisation.

  • Create a structured dataset – The volume of SARs simply requires a repeatable process designed to convert the unstructured privacy email into a structured request that makes sense within your organisation. It may help to create a solution that can parse emails for relevant details and return data back to you in a structured format.

If your email platform supports it, consider exporting all the SAR emails into a Comma Separated Values or “CSV” file. Once in a CSV file, you can use your favourite spreadsheet program to make short work of your analysis and response.

  • Include key details within your structured dataset – Consider assigning a unique identifier specific to the request and sender to help you trace the original request across the actions needed to address it. Pull forward the personal data related to the request in a way which reflects your existing SARs authentication and matching procedures.

You may also extract demographic information across specific columns; especially useful if the requests reference rights across different jurisdictions or laws. Denote the privacy right (or rights) for each request. Be sure to use terms your organisation understands to save time.

Consider assigning a reference to the jurisdiction (or law) applicable to the request; or the individual involved. For example, it may be useful to validate GDPR requests originating from Europeans differently from CCPA requests from Californians.

  • Questions relevant to developing your strategy

a. Do you have multiple requests for the same individual? Check if you have duplications i.e. the same individual requesting the same right.
b. Do you have requests that aren’t legally required? Check if those exercising a right are indeed subject to the right or law referenced. For example, is the individual a European (if referencing GDPR) or a Californian (if referencing CCPA)? Depending on the volume and results of this analysis, you may need to address requests subject to the law first.
c. Can you act on the request as presented? Do you have evidence the third party has authority to act on the individual’s behalf? Are you able to verify their identity? If you need more information your response plan also needs to factor in developing and sending communications, and addressing the responses.

  • Creating records to demonstrate your reasonable efforts – Regardless of your specific response plan, be sure to keep records detailing what you did and the decisions you made. This may include:

1) details of your actions to assess the request
2) communications with the individual
3) actions taken internally to address the request
4) summary of results (for example whether you denied, partially or fully complied)
5) the timeframe taken to resolve
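The steps above (get your arms around the volume, build a structured dataset, attach a request identifier and jurisdiction marker, spot duplicates, and record what you decided) can be scripted. The block below is an added example, not code from Harte Hanks or from the original article; it assumes a constructed portal e-mail layout with `Name:`, `Email:`, `Country:`, `Right:` and `Law:` lines in the body, a hypothetical `example-portal.invalid` sender, and a deliberately small, illustrative list of GDPR countries. It converts the raw messages into CSV-ready records, counts how many times each distinct request was delivered, and flags requests where the cited law does not obviously match the stated country so a human can verify residency before deciding.

```python
"""Turn a pile of unstructured SAR e-mails into a structured, de-duplicated log.

Added example with constructed sample data; the e-mail field layout, the sender
address and the GDPR country list are assumptions, not anything from the article.
"""
import csv
import hashlib
import io
import re
from collections import Counter
from email import message_from_string

# Illustrative, not exhaustive: countries where a GDPR / UK GDPR claim is plausible.
GDPR_COUNTRIES = {"germany", "france", "ireland", "netherlands", "spain", "italy",
                  "united kingdom"}

# One body line per field, e.g. "Name: Alice Example" (assumed portal layout).
FIELD_RE = re.compile(r"^(Name|Email|Country|Right|Law):\s*(.+?)\s*$", re.MULTILINE)


def _make_email(name, addr, country, right, law):
    """Build a constructed raw RFC 822 message in the layout this example assumes."""
    return (
        "From: requests@example-portal.invalid\n"
        f"Subject: Privacy request on behalf of {name}\n"
        "\n"
        f"Name: {name}\nEmail: {addr}\nCountry: {country}\nRight: {right}\nLaw: {law}\n"
    )


# Constructed sample inbox: the same access request from Alice arrives three
# times, mirroring the duplication the article describes.
SAMPLE_EMAILS = (
    [_make_email("Alice Example", "alice@example.com", "Germany", "access", "GDPR Article 15")] * 3
    + [_make_email("Bob Example", "bob@example.com", "California, United States", "erasure", "CCPA right to delete")]
    + [_make_email("Carol Example", "carol@example.com", "Brazil", "erasure", "GDPR Article 17")]
    + [_make_email("Alice Example", "alice@example.com", "Germany", "erasure", "GDPR Article 17")]
)


def detect_jurisdiction(law_text):
    """Map the law cited in the request to a label your organisation understands."""
    text = law_text.lower()
    if "gdpr" in text:
        return "GDPR"
    if "ccpa" in text:
        return "CCPA"
    return "UNKNOWN"


def jurisdiction_plausible(jurisdiction, country):
    """Coarse hint only: does the stated country fit the law cited? Humans still verify."""
    c = country.lower()
    if jurisdiction == "GDPR":
        return any(name in c for name in GDPR_COUNTRIES)
    if jurisdiction == "CCPA":
        return "california" in c
    return False


def request_id(email_addr, right, jurisdiction):
    """Stable identifier for (individual, right, law): identical requests collide on purpose."""
    key = f"{email_addr.lower()}|{right.lower()}|{jurisdiction}"
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def parse_request(raw):
    """Extract the structured fields from one raw e-mail."""
    msg = message_from_string(raw)
    fields = {k.lower(): v for k, v in FIELD_RE.findall(msg.get_payload())}
    rec = {
        "sender": msg.get("From", ""),
        "name": fields.get("name", ""),
        "email": fields.get("email", ""),
        "country": fields.get("country", ""),
        "right": fields.get("right", "").lower(),
        "law_cited": fields.get("law", ""),
    }
    rec["jurisdiction"] = detect_jurisdiction(rec["law_cited"])
    rec["plausible"] = jurisdiction_plausible(rec["jurisdiction"], rec["country"])
    rec["request_id"] = request_id(rec["email"], rec["right"], rec["jurisdiction"])
    return rec


def build_dataset(raw_emails):
    """Return (unique records in arrival order, Counter of copies per request_id)."""
    unique, copies = {}, Counter()
    for raw in raw_emails:
        rec = parse_request(raw)
        copies[rec["request_id"]] += 1
        unique.setdefault(rec["request_id"], rec)
    return list(unique.values()), copies


def to_csv(records):
    """Serialise the records so they can be worked in a spreadsheet, as the article suggests."""
    cols = ["request_id", "name", "email", "country", "right", "jurisdiction",
            "plausible", "law_cited", "sender"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=cols, lineterminator="\n")
    writer.writeheader()
    for rec in records:
        writer.writerow({k: rec[k] for k in cols})
    return buf.getvalue()


def summarise(raw_emails):
    """Headline numbers for the record of your reasonable efforts."""
    records, _ = build_dataset(raw_emails)
    return {
        "received": len(raw_emails),
        "unique": len(records),
        "duplicates": len(raw_emails) - len(records),
        "by_jurisdiction": dict(Counter(r["jurisdiction"] for r in records)),
        "needs_residency_check": sum(1 for r in records if not r["plausible"]),
    }


if __name__ == "__main__":
    recs, copies = build_dataset(SAMPLE_EMAILS)
    print(to_csv(recs))
    print(summarise(SAMPLE_EMAILS))
```

On the constructed inbox this yields six received, four unique and two duplicate deliveries, three GDPR and one CCPA request, and one record (a GDPR request from Brazil) flagged for a residency check. The `plausible` column is only a triage aid: it decides the order in which you look at requests, not whether a request is honoured, and the identity and third-party authority checks from the questions above still apply to every record.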

Adopting the approach above, my company, Harte Hanks, has addressed 9,254 email requests within just a few days. We identified that 96% of the requests delivered were simply duplicates.

The “sender” seems to have experienced a technical problem, delivering the same request on average at least 44 times and one over 1,600 times. Of the 326 “unique” requests delivered, 67 requests described rights under CCPA whereas the other 259 described rights under GDPR.

When considering the personal data delivered along with the request, we found all CCPA requests included personal details reasonably descriptive of a Californian, whereas only 16 of the remaining “GDPR” requests reasonably “described” a European.

Here’s to hoping you don’t ever experience such a deluge of requests at one time.

Further information

In the UK, the Information Commissioner’s Office addresses requests made via third party portals in its detailed Right of Access Guidance.

The ICO says to determine whether you need to comply with such a request you should consider whether you are able to verify the identity of the individual and are satisfied the third party portal is acting with the authority of and on behalf of the individual in question.

The regulator stresses you are not obliged to take proactive steps to discover that a SAR has been made. So, if you can’t view the SAR without paying a fee or signing up to a service, you have not ‘received’ a SAR and are not obliged to respond.

Furthermore, it’s the portal’s responsibility to provide evidence that it has appropriate authority to act on the individual’s behalf. In responding to a SAR you are not obliged to pay a fee or sign up to a third party service. If you are in this position the regulator’s advice is to provide the information to the individual directly. The draft code states:

“If you have concerns that the individual has not authorised the information to be uploaded to the portal or may not understand what information would be disclosed to the portal, you should contact the individual to make them aware of your concerns.”