Right to erasure in the spotlight: how to manage requests

10 tips to tackle erasure requests

The European Data Protection Board (EDPB) has announced a year-long focus on the right to erasure. Data Protection Authorities across Europe are taking part in this Coordinated Enforcement Framework initiative and will be contacting a number of organisations from different sectors, either launching formal investigations or undertaking fact-finding exercises. The EDPB chose to focus on the right to erasure as it is one of the most frequently exercised GDPR rights and one DPAs frequently receive complaints about.

In my work I find organisations are not always handling these requests appropriately and often don’t have clear and comprehensive procedures in place.

While this is not a UK specific initiative, this right can raise a number of questions wherever your organisation is located. When can we refuse? What data should we erase? And, on a technical level, how do we make sure everything that needs to be erased is actually destroyed, especially when the data is held on multiple systems? It can raise complex challenges. Add to this the tight timeframe to action individual requests and the dreaded bulk requests from third parties, and it can turn into a bit of a minefield. We’ve got some tips to help you navigate the mines. But first, a little refresher on what the right to erasure means.

What is the right to erasure?

As the name suggests, a person has the right to request their personal data is erased from your systems if you no longer have a compelling lawful reason to keep it. This applies to ALL systems, back-ups and even data held in the cloud. You may hear it referred to as the ‘Right to be Forgotten’. This stems from a decision in 2014 by the Court of Justice of the EU which recognised the right of EU citizens to request the removal of links to personal information on search engines.
GDPR took this ruling a step further and enshrined a broader right into EU law, taking it beyond the context of publicly available personal information. Under the UK GDPR the right remains the same as its EU counterpart. Crucially, the right to erasure is not an absolute right. Organisations may have a clear justification for denying a request either in part or in full.

When does the right to erasure apply?

You need to fulfil a person’s request for erasure in the following circumstances:
■ It’s no longer necessary for your organisation to retain the personal data for the purposes it was collected;
■ They gave you their consent to use their personal data for a specific purpose/s and they have now withdrawn their consent;
■ You’re relying on legitimate interests as your lawful basis to handle their data, they object to this, and you have no compelling and overriding legitimate interest to continue to hold it;
■ You’re fulfilling a legal ruling or legal obligation to erase the data;
■ You’re processing a child’s data to provide information services (i.e. online services) and an appropriate party is making the request, be this a parent or guardian, or the child themselves if they are of a competent age to decide for themselves;
■ You’re handling their data unlawfully.

The last point, a general ‘catch-all’, is a tricky one to balance as there may be many reasons why personal data could be processed unlawfully. For example, the handling of personal data might be considered unlawful if it’s inaccurate, or even if necessary information about your processing activities was not provided in a privacy notice.

When can an erasure request be refused?
The law specifically tells us the right to erasure will not apply when you’re holding personal data for the following reasons:
■ to exercise the right of freedom of expression and information;
■ to comply with a legal obligation;
■ for the establishment or defence of legal claims;
■ to perform a task carried out in the public interest or when exercising an organisation’s official authority;
■ for public interest in the area of public health;
■ for archiving purposes in the public interest, scientific or historical research or statistical purposes (where erasure would make this impossible or seriously impair your objectives).

Under UK GDPR and the Data Protection Act 2018 there are two specific circumstances where the right to erasure doesn’t apply to special category data. Further information about these exemptions can be found in the ICO erasure guidance.

It’s also important to consider whether you have a contract in place with the individual, which necessitates the continued processing of their data. There may also be grounds for refusing a request where you can justify that it’s manifestly unfounded or excessive.

There are many variables at play and each request needs to be assessed on a case-by-case basis. This is where the devil really is in the detail. In more complex cases you’ll need to consider the potential fallout should you delete personal data and subsequently discover you really needed to keep it. If you have a robust justification for needing to keep personal data, then you should keep it and document the reason(s) for your decision. This highlights the requirement for accurate record keeping, not only for erasure requests but for all privacy rights requests.

If you refuse to comply with a request (either in part or in full), you must explain why and tell the individual they have the right to raise a complaint with the UK’s Information Commissioner’s Office, or other relevant Data Protection Authority.

10-point checklist for handling erasure requests

1. Awareness

An individual can request their personal data is erased either in writing or verbally. They might make this request to anyone in your organisation. So, everyone in your organisation needs to know how to recognise this type of request, what to do if they receive one, and who to direct it to. Awareness campaigns, training and easy-to-understand policies and guides all play their part in getting the message across to all staff.

2. Identity verification

You clearly don’t want to delete someone’s details unless you are absolutely sure they are who they say they are. Sometimes this will be obvious, but in other circumstances you’ll need to ask for verification of identity. However, if the deletion has no negative impact on the individual, for example they are only on your marketing list, asking for proof of identity is likely to be a disproportionate step. When asking for proof of identity only ask for the minimum amount of information necessary to confirm identity. Don’t accumulate additional personal information such as copies of passports or driving licences, unless it’s truly justified, and remember to destroy these too!

If a request is received via another organisation, make sure the third party genuinely has the authority to act on behalf of the individual in question. The responsibility lies with the third party to provide any necessary evidence to prove this.

3. Technical measures

Your customers might think deleting their data is as simple as clicking a button. If only it were that easy! It can be difficult to locate, identify, assess and properly destroy data – especially if it’s held on many different systems. You might hold records in emails, backed-up systems, on the cloud… all must be deleted. Make sure your systems, applications and databases allow easy identification and deletion of individuals. You may also need to assess the implications of deletion; it can impact on how different software works.
This is where the concept of Data Protection by Design really supports businesses. If from the outset of any new project or onboarding of new technology systems you factor in how to successfully manage all individual privacy rights, it will make life much easier in the long run.

It’s worth reiterating – the right to erasure extends to deleting data from backups. However, the ICO recognises the inherent difficulties here and says, “the key issue is to put the backup data ‘beyond use’, even if it cannot be immediately overwritten.”

4. Timeline

You don’t have long to comply with erasure requests, so keeping track of time is crucial. The request must be actioned ‘without undue delay,’ and in any case within one calendar month of receiving it. You may be able to extend this by up to two months if it’s particularly complex. If you need to extend, make sure you tell the individual before the first month is up, giving them clear reasons for the delay.

5. Who else holds their data?

The right to erasure doesn’t just apply to the records your organisation holds. You’re also expected to inform both your suppliers (processors) and other controllers you have shared it with. Having a clear understanding of all your suppliers and other organisations you share personal data with, such as in your Record of Processing Activities, means you can efficiently contact them and inform them of erasure requests. You don’t have to do this if it would prove impossible or involves disproportionate effort, but you may need to be able to justify this is genuinely the case.

6. Public domain data

The right to erasure also applies to personal data which has been made public in an online environment (‘the right to be forgotten’). So take note if you publish personal data, or pass it on for others to publish. You need to be ready to take reasonable steps to inform other organisations who are handling the personal data; asking them to erase links to, copies of, or replication of the data.
What’s ‘reasonable’ is another judgement call, and the expectation scales with size; the bigger your organisation and the more resources you have, the more you’ll be expected to do.

7. Children’s data erasure rights

Children have special protection under data protection law, and the right to erasure is particularly relevant when a child has given their consent (or their parent/guardian has) and at a later stage (even when they’re an adult) they want their personal information removed, especially if it’s available on the internet. Baking in the ability to delete children’s information from the start is crucial.

8. Exemptions

It’s helpful to have a clear checklist of the exemptions which might apply and be relevant for your organisation. They don’t all apply in the same way, so be sure to examine each exemption on a case-by-case basis. The ICO exemptions guide is a good starting point, and it’s likely you’ll also need to reference the Data Protection Act 2018.

9. Maintain an erasure log

How do we delete someone, but also prove we have done it? Feels ambiguous, doesn’t it? However, organisations are required to keep a log of erasure requests, actions taken and justifications for these to demonstrate compliance. The key is only recording the minimum amount of information necessary to meet this obligation, and keeping this secure. I know some organisations who’ve taken the step of making sure this log is pseudonymised for extra protection.

10. Minimisation and retention

The right to erasure (and indeed other privacy rights, such as DSARs) can be less complex if you try to stick to two of the core data protection principles: data minimisation and data retention (storage limitation). Collecting ‘just enough’ data in the first place, using it in specified ways and only keeping it for as long as you need it, means there’s less data to trawl through when an erasure request comes in. Sounds simple, less easy in practice, but worth the effort.
For useful tips, tools and templates see our Data Retention Guide. Giving those responsible for handling erasure requests a clear procedure to follow which covers the key considerations and how to actually fulfil requests in practice, is really worth developing. With the right elements in place you’ll be in a much better place to handle the right to erasure effectively, within the statutory timescale and with less risk of mistakes.
Data Subject Access Requests – what are people entitled to?

I’m often asked what’s in scope when responding to the Right of Access – aka Data Subject Access Requests (DSAR/SAR). What are organisations obliged to provide, and what can they legitimately exclude? I’ve taken a look at some questions which routinely come up. But first a quick summary of what the law says…

The Right of Access is a fundamental right under data protection legislation in the UK and EU. There are similar rights in other jurisdictions, but I’m focusing here on the right under UK GDPR and the Data Protection Act (DPA 2018). The law gives people the right to receive a copy of their personal data, and other supplementary information, from any organisation acting as a controller.

Personal data is any information which could directly or indirectly identify the requestee. To give some examples, this could include images, voice and video recordings, demographic information, profiles, order history, marketing preferences, HR records, performance reviews, opinions expressed about the requestee, other personal identifiers … and the list goes on.

Now, on to the FAQs…

Q: Do we need to provide information the requestee already has, or is obvious to them?

The short answer is, yes. Based on UK case law, organisations can’t refuse to disclose information on the grounds personal data is already known to the individual. (Case: Ittihadieh v 5-11 Cheyne Gardens, 2017). However, it wouldn’t need to be included if the person has made it clear they don’t want this information. You can always ask them.

Q: Are they entitled to full documents?

It isn’t a right to documentation. Just because someone’s name appears in a report, spreadsheet, meeting notes or any other document doesn’t mean they’re entitled to the whole document, if the rest doesn’t relate to them. It may prove easier and relevant to provide full documents, but you would be justified in not doing so.
You can extract the necessary information, or redact the irrelevant information. But remember what you provide must be meaningful and have context.

Q: Are they entitled to the full content of email correspondence?

Linked to the question above, people are only entitled to a copy of their personal data. So just because their email address or email signature appears in an email (or email chain) doesn’t make this their personal data. For example, routine business as usual emails, where the content is solely about business related matters, will not be the individual’s personal data. It can be really helpful to explain this from the start.

Q: Are handwritten notes in scope?

Personal data which is not part (or intended to be part) of a structured filing system is not in scope. For example, handwritten notes in a personal notepad where there’s no intention to formally file these notes would not need to be included. However, if for example employees write notes in ‘day books’ which are intended to be kept as a record of conversations, these would be in scope.

Q: How much effort is required?

Organisations are expected to make all reasonable efforts to search, identify and retrieve all the personal data being requested. The ICO would expect systems to be well-designed and maintained so information can be efficiently located (including carrying out searches) and extracted. The right of access is not new. It was around long before GDPR came into force in 2018, so organisations would be expected to be well prepared to handle requests.

Q: Can we refuse to comply with a request?

Sometimes it may seem obvious the requestee has an ulterior motive for submitting a DSAR. In general, an individual’s motives shouldn’t affect their right to obtain a copy of their personal data, or the organisation’s duty to respond. Organisations can however refuse to comply with a request, either partially or fully, where they judge it to be manifestly unfounded or manifestly excessive.
A request might be considered manifestly unfounded if, for example, the individual…
■ has no real intention of exercising their right
■ offers to withdraw their request in return for some kind of benefit
■ explicitly states they want to cause disruption
■ makes unsubstantiated accusations or allegations
■ is targeting a specific employee due to a grudge
■ sends regular and targeted requests as part of a concerted campaign

A request might be considered manifestly excessive if it’s clearly or obviously unreasonable or would involve disproportionate effort. In assessing whether it would involve disproportionate effort, you should consider the following factors:
■ the nature of the requested information;
■ the context of the request, and the relationship between you and the individual;
■ whether a refusal to provide the information or even acknowledge if you hold it may cause substantive damage to the individual;
■ your available resources;
■ whether the request largely repeats previous requests and a reasonable interval hasn’t elapsed; or
■ whether it overlaps with other requests (although if it relates to a completely separate set of information it is unlikely to be excessive).

If you rely on either of these grounds, be sure to document your decision, the rationale behind it and explain this to the individual.

To give an example, quite a few years ago I worked on a request from a disgruntled former employee where, among everything else, they asked for all CCTV footage of them. The business operated CCTV which captured employees as they entered and exited the main office. We asked the individual if there were specific dates and times they were interested in. They responded by simply reiterating the request for all CCTV footage. I think, understandably, we judged this to be a manifestly excessive request, requiring disproportionate effort, and that it would not cause any damage to the individual not to receive this.

Q: What can be excluded or redacted?
Once all the information relating to the individual has been retrieved, the data collated often includes information which doesn’t need to be disclosed. There may be justifiable grounds for excluding information or redacting documents, emails, video recordings and so on.

Information relating to others: the person making the request has a right to receive a copy of their personal data; they’re not entitled to personal data about other people. The DPA 2018 confirms you do not need to include certain information if it means disclosing information which identifies someone else, unless the other person has given their consent or it’s reasonable to disclose without the other person’s consent.

Confidential information: A duty of confidence may arise when another individual has genuinely shared ‘confidential’ information with the expectation it remains confidential. Confidentiality cannot be automatically assumed and needs to be assessed on a case-by-case basis. Other information which may also be considered confidential includes, but is not limited to: trade secrets, information made confidential under another law, internal costs or commercial rates, intellectual property and information covered as part of a non-disclosure agreement.

Other exemptions: The DPA 2018 provides a number of further exemptions which may apply depending on the nature of your business and the context of the specific request. These don’t always apply in the same way. Sometimes you might be obliged to rely on an exemption (i.e. disclosure would break another law), other times it will be a choice. Commonly used exemptions include: legal professional privilege, crime and taxation, management information, research and statistics, confidential references and journalism. The ICO says exemptions should not be routinely relied upon or applied in a blanket fashion. And remember, you may be required to demonstrate how an exemption applies and your rationale for relying on it.
The ICO has published guidance on exemptions and how they apply. These are just some questions I get asked and I’m afraid to say there are plenty more. Responding to DSARs can be very time-consuming, with nuanced considerations, and can feel like a minefield if you don’t receive many requests or out of the blue receive your first one. Our DSAR Guide provides more information about how to prepare and fulfil requests. Also see the ICO’s detailed Right of Access Guidance.
How to prevent DSAR complaint escalation

Nearly forty thousand complaints were received by the Information Commissioner’s Office in the past year. Staggeringly, 39% of them concerned people’s Right of Access according to the ICO’s Annual Report 2023/24.

Handling Data Subject Access Requests (aka DSARs or SARs) can be fraught. Often those requesting a copy of their personal data are already disgruntled, be it an employee going through a grievance procedure or a dissatisfied customer. This means requestees are often quick to react if the statutory deadline is missed. They may also closely scrutinise your response, looking for any mistakes or omissions. Or their solicitor will. Any requestee has the potential to become dissatisfied and escalate matters to the ICO.

More than a decade ago, I was handling a request and missed the deadline by 24 hours. Much to my frustration they’d already fired off their complaint to the ICO, and this was pre-GDPR!

I know of many businesses who’ve received letters from the ICO following a DSAR complaint. These will usually ask you to address the issues raised directly with the individual – and quickly! However, if your organisation racks up too many ICO complaints, the regulator is likely to delve deeper. This delving has led to a number of ICO DSAR-related reprimands being issued.

Most recently, the Labour Party has been in the spotlight for ‘repeatedly failing to respond to people who asked what personal information the party held on them’. A backlog of requests mounted up after a cyber attack in October 2021, with the ICO receiving 150 complaints. During its investigation, the ICO discovered 78% of people had not received a response within the maximum extended timescale of three months and more than half were delayed by over a year. They also found an unmonitored ‘privacy inbox’ was overflowing with hundreds of DSAR and erasure requests – none of which received any form of response whatsoever.
Hopefully most organisations will avoid such a catalogue of problems, but it’s still worth remembering certain factors can prompt a spike in DSAR requests. In this case a cyber attack, but a non-cyber data breach could also create a surge. Similarly, a business restructure might prompt a rise in employee-related requests. And let’s not forget the random factor – like Mr Farage’s very public DSARs to NatWest, which not only led to NatWest getting an increase in requests, but reportedly had a knock-on effect on other banks too.

Here are my tips for getting on the front foot and mitigating the risk of complaint escalation.

6 golden rules for managing DSARs

1. Staff awareness & a sense of urgency

A request can be submitted in writing, verbally or even via social media. It doesn’t matter who in the business receives a request. Employees all need to be able to recognise them (and other privacy rights, such as erasure), and know what to do if they receive or spot one. Failing to do so puts you on the back foot straight away. Everyone needs to be aware time is of the essence, so training and clear guidance is essential. Refresh it too, with friendly reminders.

Quick checklist:
✓ Individual privacy rights are covered in new starter and refresher training.
✓ Ongoing awareness via posters, intranet posts, newsletters etc.
✓ Specialist training for those involved in the process of fulfilling requests.

2. Robust procedure

A clear procedure which walks relevant staff through the key steps and considerations is invaluable, especially for times when key people aren’t available and someone else has to pick up the reins. Procedures should clearly set out how to retrieve the data, the collation and assessment stage, what to redact (or extract), when exemptions might apply and so on. Without this, a lot of knowledge could walk out the door when a key person leaves the business or is not available during long periods of absence like maternity or sickness leave.

3. Adequate resourcing

Businesses receiving a significant volume of requests are likely to have a dedicated person or team to handle them. They might also have sophisticated software to help speed up the process. But for those who have low or fluctuating volumes, it can be tricky to judge how many people need to understand the process and manage requests. In my experience, often the one or two people who have to handle requests end up snowed under for weeks and completely distracted from their day jobs when a DSAR lands on their desk with an ominous thump.

What happens if your go-to DSAR person is not available? The clock is ticking. You also need to factor in how to handle any spike in requests – foreseen or unforeseen. Have you got other adequately trained staff, or alternative resources on standby to cover higher volumes? There was a case in Belgium where the Data Protection Authority ruled the person who normally handled DSARs being on long-term absence was no excuse for a late response. I think the UK’s ICO would take a similar stance.

4. Assigned responsibilities

While one person or a team may have ultimate responsibility for managing DSARs and responding to them on time, it’s likely others across the business will need to support them. For example, your IT team may play a significant role in retrieving the data, or HR may need to be closely involved in an employee-related DSAR. It helps to make sure it’s clear who’s responsible for retrieving the data, reviewing the data, applying exemptions, applying redactions, reviewing the response, approving it and sending it out securely.

5. Managing expectations and communicating

This is my personal favourite: quite often requestees don’t quite understand what a DSAR really entitles them to, so it pays to set out your stall from the start. Explain what the right is and what they can expect to receive.
Tell them you have a duty to protect the privacy of others, that it’s not a right to documentation and that exemptions may apply. Keep in touch with requestees, and dare I say it, even pick up the phone and talk things through. Confrontation can sometimes be defused – I’ve known of DSARs being withdrawn after a decent chat (and with no pressure whatsoever applied).

6. Polished response

A good covering letter can go a long way to satisfying the individual that you’ve made every effort to fulfil their request. This can, for example, explain:
✓ The personal data being provided
✓ Some of the internal processes (where appropriate)
✓ Redactions have been applied to protect the privacy of others (if relevant)
✓ Why an exemption has been applied (if relevant)
✓ Legally necessary supplementary information (or a link to a Privacy Notice if this covers matters sufficiently)

The above is by no means an exhaustive list and I’m a big fan of a template response letter which can be adapted as needed.

Finally, don’t forget to inform people about their privacy rights such as the right to object, erasure, rectification and access. Privacy notices should set out these rights, and it should be clear how people can submit a request. And of course, tell them they have the right to raise a complaint with the ICO (with fingers firmly crossed they don’t).

Check out our DSAR Guide for more tips on seeking clarification, retrieving the data, complex requests and applying redactions.
DSAR ruling and other people’s data

High Court judgement in Harrison vs Cameron case

A recent High Court ruling concerning a Data Subject Access Request reveals some interesting points relating to how organisations comply with people’s right to know the identity of the recipients of their personal data, and how organisations apply the ‘third-party exemption’.

The right of access gives people the right to receive a copy of their own personal data; it doesn’t give them the right to receive personal data relating to others. However, often other people’s details are intertwined as part of the data retrieved. In this particular case, the focus was on other people the requester’s data had been shared with, and whether the requester had the right to know the identity of these recipients. The ‘third party exemption’ frequently comes up for debate when handling DSARs and this case sheds light on how this exemption should be applied.

In the ruling the Judge found that it’s necessary to apply a ‘balancing test’ when considering the third-party exemption. It was also acknowledged that the controller is the ‘primary decision maker’ when assessing whether it is reasonable or not to disclose personal data relating to others, and has a ‘wide margin of discretion’ in this decision.

Here’s some background to two of the key points of law in this case:

What’s the third-party exemption?

The third-party exemption is set out in the UK Data Protection Act 2018 and says organisations (controllers) do not have to comply with a DSAR, if in doing so this would mean disclosing information which identifies another individual. Organisations can disclose such information if the third party has given their consent, or if it’s reasonable to disclose without their consent.

What about the recipients of personal data?

Along with the right to receive a copy of their personal data, when an individual submits a DSAR they are also entitled to receive other supplementary information.
This includes details of any ‘recipients’ or ‘categories of recipients’ the organisation has, or will, disclose their personal data to.

The Harrison vs Cameron case

Mr Harrison, Chief Executive of a real estate investment company, was covertly recorded making threats to Mr Cameron, the owner of a gardening business. Here’s a summary of what happened next:

Mr Cameron shared the recording with some of his employees, members of his family and friends. Mr Cameron sent the recording to twelve people in total, and it was then shared on to a further three people. Mr Harrison claimed the recordings had been shared more widely and damaged his business. Mr Harrison submitted a DSAR to Mr Cameron in a personal capacity (I’ll come back to this) and submitted similar requests to others, including employees at the gardening business. He demanded to know the identity of the people who’d received the recording. Mr Cameron and others declined his request, and the case ended up in the High Court.

The Court decided Mr Cameron was not himself a controller of Mr Harrison’s data, and that he’d made the recordings in his capacity as a director of the gardening company. Therefore the company, not Mr Cameron, was the controller and responsible for fulfilling the request.

According to the judge, a person’s rights extend to being provided with details of the specific recipients of their personal data, including the names of individuals who’ve received their data. The rationale behind this is to enable the individual to check the lawfulness of how their personal data is being handled. This is a potentially worrying development, as organisations may have previously viewed this as a choice between providing the names of specific recipients or providing just the categories of recipient. This ruling makes it clear this is the requester’s choice, not the controller’s decision.
However, in this case the judge found the gardening company could rely on the third-party exemption and not disclose the identity of the recipients. Why? None of the fifteen recipients consented to their names being disclosed to Mr Harrison, due in part to concerns this may expose them to abusive and threatening behaviour. Due to these safety concerns the judge ruled it would not be reasonable to disclose people’s names without their consent. Ultimately this ruling makes it clear it is the controller’s decision to make: is it reasonable or not to disclose information which identifies other people?

Third-party balancing test

The ICO’s Right of Access guidance provides helpful pointers on how to conduct a balancing test when considering the third-party exemption. There isn’t a blanket rule; a balanced decision is required on whether it’s appropriate in the circumstances to disclose information relating to others, or withhold it.

1. Can you redact or not provide?

Consider if it’s possible to comply with the request without revealing information that relates to, and identifies, another individual. For example, can this third-party information be redacted, or can you separate out the requester’s personal data? Sometimes, even redacting other people’s names doesn’t render them unidentifiable. There may be situations where you can reasonably assume the requester will be able to work out whose name has been redacted.

2. Can you seek consent?

If you can get the consent of another individual to disclose their details, it’s a problem solved. I’ve been involved in cases where the consent of other employees has been sought in employee related requests and they’ve given it. However, you’re not obliged to seek consent and it may not be appropriate to do so. You might not have contact details for the third party, you might not want to share information with them, or let them know a particular individual has submitted a DSAR.

3. Reasonable to disclose without consent?
Where the information about other individuals is fairly innocuous and you can’t identify any negative impact on them, you may choose to disclose the information without consent. In assessing whether this is reasonable to do, you need to take account of:

■ the type of information you intend to disclose
■ whether it was possible to seek consent or not
■ whether consent was declined
■ any duty of confidentiality

Any potential repercussions for the third party if their data is disclosed (or they are identifiable from what you provide) can be considered. As this case shows, concerns for a person’s safety can be justification for applying the third-party exemption.

I’ve worked on many cases where this has been debated: situations where redaction wouldn’t render the third party unidentifiable and it wasn’t appropriate to seek consent. The context is crucial; sometimes it has been reasonable to disclose, other times we had justified concerns and chose to withhold.

It’s important to be clear with the requester about what you are giving them in your response to their DSAR. If you rely on the third-party exemption, you should tell them, and explain why. I’d also highly recommend documenting your decision-making just in case it’s challenged.
Data Subject Access Requests and Proof of ID

Why a blanket approach doesn’t always work

Anecdotally, I hear stories of people’s frustration at being asked for certain documents as proof of ID, for example insisting on a copy of a passport or driving licence. When reviewing internal data protection procedures, I come across DSAR request forms which veer towards asking for excessive documentation as proof of identity.

When responding to a Right of Access request (commonly known as a Data Subject Access Request), we might need to ask a person to prove their identity. But what constitutes a reasonable request for further information for verifying someone’s identity? And do you need to ask for additional documentation in all circumstances?

Organisations should take a balanced approach to this, considering factors such as:

■ the context of your relationship with the person making the request
■ the nature of the personal data you will be providing – is it, for example, highly sensitive health information?
■ the risks to the organisation and to individuals of personal data being given to the wrong person
■ making sure identity verification is not too onerous for the individual
■ securely protecting any additional ID documents requested and not retaining them longer than necessary

Many organisations will already be taking a measured approach to this; others may be unsure; some may be getting push-back – “I shouldn’t have to provide you with a copy of my passport!” We’ve gathered some examples of how this is being approached. But first…

What does GDPR say about identity verification?

Recital 64 of GDPR states: “The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.”

What does the ICO say about identity verification?
The ICO’s detailed Right of Access Guidance states: “You can ask for enough information to judge whether the requester (or the person the request is made on behalf of) is the person that the data is about. The key point is that you must be reasonable and proportionate about what you ask for. You should not request more information if the requester’s identity is obvious to you. This is particularly the case when you have an ongoing relationship with the individual.”

It continues to say: “You should also not request formal identification documents unless necessary. First you should think about other reasonable and proportionate ways you can verify an individual’s identity. You may already have verification measures in place which you can use, for example a username and password. However, you should not assume that on every occasion the requester is who they say they are. In some cases, it is reasonable to ask the requester to verify their identity before sending them information. How you receive the SAR might affect your decision about whether you need to confirm the requester’s identity.”

Neither GDPR nor the ICO provide specific details on what would be considered reasonable and proportionate. This is left for organisations to decide.

What are the risks?

Clearly there would be a data breach if personal data is given to the wrong person. The more sensitive the data, the bigger the impact and fall-out. There’s also some evidence DSARs are being used as phishing attempts: bogus requests aimed at harvesting data. However, if you make it mandatory to provide specific proof of ID you run the risk of angering people – being accused of putting barriers in the way of them exercising their right.

What approach to take?

Some organisations take a case-by-case approach or adopt a fairly standardised method dependent on the context (e.g. an employee, a customer or a request made by a third party).

1. Employee or ex-employee requests

If you receive a request via your business email system from a member of staff, you already know who they are and proof of ID is not needed. However, you may feel it’s sometimes necessary to ask for some proof of ID with requests from ex-employees. This could be asking for their staff ID number and National Insurance number.

2. No additional information requested

Based on the context of the relationship with the requester and the nature of the personal data to be provided, some organisations don’t feel it is necessary or proportionate to request specific documents as proof of ID. Here are some examples we’ve gathered:

■ Where someone has an online account and submits a DSAR from an email address which is linked to their account, asking for it to be posted to an address currently held for them.
■ A request is received from a business email address which matches the record held, and the response will be given to the same email address.
■ Where the organisation is able to conduct sufficient internal checks to validate the request, based on information they already know about the individual.

3. Asking additional questions, rather than demanding documents

Some organisations take the approach of asking the individual to answer a question (or two) to verify their identity. Essentially, rather than ask for additional documents, they use the information they already know about the individual to do this. For example, can they confirm the nickname/username they used when setting up an account?

4. Additional information

Where there are doubts about the identity of the individual, some organisations will request photo identification (e.g. a passport or driving licence) along with proof of address (such as a utility bill). You just need to be prepared for those who may object. Also, you don’t want to retain these documents any longer than necessary. Best to log receipt, and then immediately and securely destroy copies of passports and driving licences.
As an aside, I once received a notification about a data breach from a company saying my data had been affected. I couldn’t for the life of me remember when I had last had any dealings with them, so thought I should try and find out what personal data they actually had, and what had been lost. But when I went to put in a request they insisted on a copy of my passport. Considering they had just had a breach, the last thing I felt like doing was handing it over!

5. Requests made by third parties

When someone makes a request on behalf of someone else, be this a law firm or a relative, clearly a robust approach needs to be taken. You absolutely want to check this is okay, for example by asking for evidence of Power of Attorney or a letter of authority. This approach is supported by the ICO’s guidance, which states:

“An individual may prefer a third party (e.g. a relative, friend or solicitor) to make a SAR on their behalf. The GDPR does not prevent this, however you need to be satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of this. This might be a written authority to make the request or a more general power of attorney.”

The ICO’s guidance also makes specific reference to requests made via a third-party portal, and says you need to consider if you are able to verify identity and are satisfied the third-party portal is acting with the authority and on behalf of the individual. It specifically states:

“You are not obliged to take proactive steps to discover that a SAR has been made. Therefore, if you cannot view a SAR without paying a fee or signing up to a service, you have not ‘received’ the SAR and are not obliged to respond. You should note that it is the portal’s responsibility to provide evidence that it has appropriate authority to act on the individual’s behalf.
Mere reference to the terms and conditions of its service are unlikely to be sufficient for this purpose (see ‘Can a request be made on behalf of someone?’ above). The portal should provide this evidence when it makes the request (ie in the same way as other third parties). When responding to a SAR, you are also not obliged to pay a fee or sign up to any third party service. If you are in this position you should instead provide the information directly to the individual.”

In summary, it may not always be necessary to ask for additional documentation as proof of identity where you’ve no doubt the individual is who they say they are, or can verify this in another way. As we know, many individuals submitting SARs often do so because they’re already unhappy with your organisation. Don’t fuel the flames by putting unreasonable hurdles in their way, but do request proof of ID where you believe it’s necessary to protect people.

If you’re in any doubt, and the individual can’t or won’t prove who they are, you may take the decision not to fulfil a request. Just make sure you have documented your decision and can defend it. It’s a question of balance and proportionality – making sure you have a robust process in place for handling SARs and retaining evidence to support your decisions is vital.
Data Subject Access Request Guide

Being prepared and handling DSARs

Handling Data Subject Access Requests can be complex, costly and time-consuming. How do you make sure you’re on the front foot, with adequate resources, understanding and the technical capability to respond within a tight legal timeframe? This guide aims to take you through the key steps to consider, such as…

■ Being prepared
■ Retrieving the personal data
■ Balancing complex requests
■ Applying redactions & exemptions
■ How technology can help
Managing Erasure Requests or DSARs via Third-Party Portals

Do organisations have to honour them? Well, it depends…

Over the past few years GDPR, the California Consumer Privacy Act (CCPA) and other privacy regulations have led to specialist companies offering to submit Erasure or Data Subject Access Requests (DSARs) on behalf of consumers. These online portals say they want to help people exercise their privacy rights, while enabling them to make requests to multiple organisations simultaneously. Companies on the receiving end of such requests often receive them in volume, and not necessarily from consumers they even know. Requests can quote swathes of legislation, some of which may be relevant, some of which won’t apply in your jurisdiction. If you haven’t had any yet, you may soon.

Companies like Mine, Privacy Bee, Delete Me, Revoke and Rightly all offer these services. They don’t all operate in the same way, so be warned: the devil is in the detail.

How third-party portals work

Okay, bear with me; as said, there are different approaches. They may use one, or a combination, of the following elements:

■ Offer to simply submit requests on the individual’s behalf, then the consumer engages directly with each organisation
■ Offer people the opportunity to upload their details and proof of ID, so the portal can submit requests on their behalf without the consumer needing to validate their ID each time
■ Provide a bespoke link which organisations are invited to use to verify ID/authority (Hmmm, we’re told not to click on links to unknown third parties, right?)
■ Allow consumers to select specific named organisations to submit requests to
■ Make suggestions for which organisations the individual might wish to ‘target’
■ Offer to scan the individual’s email inbox to then make suggestions about which organisations are likely to hold their personal data (Again, really? Would you knowingly let any third party scan your inbox?)

Is this a good thing? Does it empower the consumer?
On the surface, this all seems fairly positive for consumers, making it simpler and quicker to exercise their privacy rights. For organisations, these portals could be seen as providing an easier way of dealing with rights requests in one place, providing, perhaps, a more secure way of sharing personal data, for example in responding to a DSAR. I would, however, urge anyone using these portals to read the small print, and any organisation in receipt of these requests to do their homework.

Why it’s not all straightforward

The following tale from one DPO may sound familiar…

“We tend to find these requests slightly frustrating and time-consuming. First, we have to log all requests for our audit trails. We cannot simply ignore the requests, otherwise this can cause regulatory issues, not to mention if they are genuine requests. More often than not, they are sent in batches and do not contain the information we require to search and make the correct suppression. Where we do have enough information to conduct searches, we often find the personal details do not exist on our database. Another concern is whether the requests are actually meant for us. We recently received a number of requests for a competitor, who was clearly named on the requests. When we tried to contact the portal to explain this issue, we did not get a response and were essentially ignored, which leaves us in a predicament – do we continue with the request, was it actually for our organisation or not?”

So, there’s a problem. Requests might be submitted on behalf of consumers who organisations have never engaged with. Requests can arrive with insufficient information. We can’t always verify people’s identity, or the portal’s authority to act on their behalf. In these circumstances, do people genuinely want us to fulfil their Erasure or Access request?

What does the ICO say about third-party portals?

The regulator does reference online portals in its Right of Access guidance.
It tells us we should consider the following:

■ Can you verify the identity of the individual?
■ Are you satisfied the third party has authority to act on their behalf?
■ Can you view the request without having to take proactive steps (e.g. paying a fee or signing up to a service)?

The ICO makes it clear it would not expect organisations to be obliged to take proactive steps to discover whether a DSAR has been made. Nor are you obliged to respond if you’re asked to pay a fee or sign up to a service. The Regulator says it’s the portal’s responsibility to provide evidence of their authority to act on an individual’s behalf. If we have any concerns, we’re told to contact the individual directly. If we can’t contact the individual, the guidance tells us we should contact the portal and advise them we will not respond to the request until we have the necessary information and authorisation.

This all takes time…

This is all very well, but for some organisations receiving multiple requests this is incredibly time-consuming. Some organisations are receiving hundreds of these requests in a single hit, as Chris Field from Harte Hanks explains in ‘You’ve been SAR-bombed’. In addition, we need to do our research and understand how the portal operates, checking whether we believe they’re bona fide or not.

Another DPO, whose company receives around thirty privacy requests from third-party portals a month, says: “Often these tools don’t provide anything more than very scanty info, so they all require responses and requests for more info”. This company takes the following approach: “We deal with the individual if it’s a legitimate contact detail, or we don’t engage.”

It really is a question of how much effort is reasonable and proportionate. We must respect fundamental privacy rights, understand third-party portals may be trying to support this, but balance this with our duty to safeguard against fraud or mistakes.
Are Data Subject Access Requests driving you crazy?

Complicated. Costly. Time-consuming… … And driving me crazy.

We’ve all heard the dreaded words, right? “I’d like a copy of my personal data.” Which led me to think: is the fundamental privacy right of accessing our personal data becoming part of our increasingly litigious culture? The DSAR is now a staple opening shot for law firms handling grievance claims or employment tribunals, looking for potentially incriminating morsels of information. Of course, this right must be upheld, but is the process fit for purpose?

Employee-related requests, in particular, can entail a massive amount of work and the potential for litigation makes them a risky and complex area.

For some organisations, this is water off a duck’s back: they’ve always had access requests, anticipated volume would increase after GDPR, have teams to handle them, invested in tech solutions, have access to lawyers and so on. Great stuff, but please spare a thought for others.

Plenty of businesses have lower volumes of DSARs. They’re unable to justify, or afford, extra resources. These guys are struggling under a system that assumes one size fits all. Then there are businesses who’ve never even had a DSAR. For them, just one request can be an administrative hand grenade.

Of course some businesses are guilty of treating employees badly, but I wish things could be different. It’s about getting the balance right, that most elusive of things when creating regulatory regimes. Are the principles behind the DSAR important? Of course. Can the processes be improved? Definitely! So be warned – here begins a micro-rant on behalf of the smaller guys. I’m feeling their pain.

What’s that sound? It’s wailing and the gnashing of teeth

It’s clear in our Privacy Pulse Report DSARs are a significant challenge facing data protection professionals. One DPO told us: “Vexatious requests can be very onerous.
Controllers need broader scope for rejection and to refine down the scope, plus criteria for when they can charge… In my view, the ICO should focus on helping controllers to manage complex and vexatious DSARs.”

Some access requests are straightforward, especially routine requests where ‘normal’ procedures apply. However, some requests are made by angry customers or disgruntled ex-employees on a mission… and there’s no pleasing them. A troublesome minority appear to be submitting DSARs because they’re angry and want to cause inconvenience, but don’t go so far as to fall under the ‘manifestly unfounded’ exemption. Anyhow, for all those of you out there dealing with this stuff, know that I feel your pain. Without any further ado…

My THREE biggest DSAR bugbears (there are others)

Everything!

We’re entitled to a copy of ALL our personal data (to be clear, this doesn’t mean we’re entitled to full documents just because our name happens to appear on them somewhere). It’s true organisations are allowed to ask for clarification, and the ICO’s Right of Access Guidance provides some pointers on how to go about this. Yet that tiny glimmer of hope is soon dashed – we’re told we shouldn’t seek clarification on a blanket basis. We should only seek it if it’s genuinely required AND we process a large amount of information about the individual. Furthermore: “you cannot force an individual to narrow the scope of their request, as they are still entitled to ask for ‘all the information you hold’ about them.”

Why? Let’s take the hypothetical (but realistic) case of an ex-employee who believes they’ve been unfairly dismissed. They worked for the company for 10 years; they submit a DSAR but choose not to play along with clarifying their request. They want everything over a decade of employment. Do they really need this information? Or are they refusing to clarify on purpose? Is this a fair, proportionate ‘discovery process’?
As I’ve said before, large organisations may be better placed to absorb this; it’s the not-so-big ones who can really feel the pain. And in my experience, much personal data retrieved after hours of painstaking work isn’t relevant or significant at all.

Emails!

I get conflicted with the requirement to search for personal data within email communications and other messaging systems. On the one hand we have the ICO’s guidance, which, to summarise, tells us:

■ personal data contained within emails is in scope (albeit I believe GDPR has been interpreted differently by other countries on this point);
■ you don’t have to provide every single email, just because someone’s name and email address appears on it;
■ context is important and we need to provide emails where the content relates to the individual (redacted as necessary).

If you don’t have a handy tech solution, this means trying to develop reasonable processes for retrieving emails, then eliminating those which won’t (or are highly unlikely to) have personal data within the content. This takes a lot of time.

Why am I conflicted? In running a search of your email systems for a person’s name and email address, you’ll inevitably retrieve a lot of personal data relating to others. They might have written emails about sensitive or confidential matters, now caught within the retrieval process. Such content may then be reviewed by the people tasked with handling the request. I suspect this process can negatively impact on wider employee privacy. Yes, we’re able to redact third-party details, but by searching the emails in the first place, we’re delving into swathes of lots of people’s personal data. It seems everyone else’s right to privacy is thrown out in the interests of fulfilling one person’s DSAR.

It also makes me wonder: if I write a comment that might be considered disparaging about someone in an email, do I have any right to this remaining private between me and the person I sent it to?
(Even if it wasn’t marked confidential or done via official procedure.) I know many DPOs warn their staff not to write anything down, as it could form part of a DSAR. I know others who believe they’re justified in not disclosing personal data about the requester, if found in other people’s communications. Which approach is right?

Time!

Who decided it was a good idea to say DSARs had to be fulfilled within ‘one calendar month’? It wasn’t! This phrase led to the ICO having to offer this ‘clarification’:

“You should calculate the time limit from the day you receive the request, fee or other requested information (whether it is a working day or not) until the corresponding calendar date in the next month. If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond. This means that the exact number of days you have to comply with a request varies, depending on the month in which an individual makes the request. For practical purposes, if a consistent number of days is required (e.g. for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.”

I hope you got that. Wouldn’t it have been easier to have a set number of days? And perhaps a more realistic timescale?

Let’s take the hypothetical (but realistic) case: you receive a DSAR on 2nd December. You can’t justify an extension as it isn’t unduly complex. Yes, I know you’re with me: bank holidays and staff leave suddenly mean the deadline is horribly tight. I wish there was a specific number of days to respond. I wish they excluded national bank holidays and I wish there was a reprieve for religious festivals. I know, I’m dreaming.
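The ICO’s calendar-month rule, worked through as an added example that is not from the original post or from the ICO: a small Python calculator that takes the corresponding date in the following month, falls back to that month’s last day when there is no such date, rolls forward over weekends and a supplied set of public holidays, and shows the fixed 28-day period the ICO suggests as a safe alternative. The public holiday dates are a constructed sample for the 2nd December scenario, not an official bank-holiday list.

```python
from datetime import date, timedelta
import calendar

# Constructed sample of public holidays around the "received on 2nd December"
# example in the text. Illustrative only, not an official list: supply your
# own set for the jurisdiction and year you are working in.
SAMPLE_HOLIDAYS = frozenset({
    date(2021, 12, 27),
    date(2021, 12, 28),
    date(2022, 1, 3),
})


def next_working_day(day: date, holidays: frozenset = SAMPLE_HOLIDAYS) -> date:
    """Return `day` if it is a working day, otherwise the next working day.

    Saturday and Sunday (weekday() 5 and 6) and any date in `holidays`
    count as non-working days, mirroring the ICO's weekend/public-holiday rule.
    """
    while day.weekday() >= 5 or day in holidays:
        day += timedelta(days=1)
    return day


def calendar_month_deadline(received: date, holidays: frozenset = SAMPLE_HOLIDAYS) -> date:
    """Apply the 'one calendar month' rule to the date the DSAR was received.

    1. Take the corresponding calendar date in the following month.
    2. If the following month is too short to have that date (for example a
       request received on 31 January), use the last day of that month.
    3. If the result is a weekend or public holiday, move to the next working day.
    """
    year, month = received.year, received.month + 1
    if month > 12:
        year, month = year + 1, 1
    days_in_next_month = calendar.monthrange(year, month)[1]
    corresponding = date(year, month, min(received.day, days_in_next_month))
    return next_working_day(corresponding, holidays)


def fixed_28_day_deadline(received: date) -> date:
    """The ICO's suggested fixed period; it never exceeds the calendar-month limit."""
    return received + timedelta(days=28)


def days_available(received: date, holidays: frozenset = SAMPLE_HOLIDAYS) -> int:
    """Calendar days the organisation actually has, which varies with the month."""
    return (calendar_month_deadline(received, holidays) - received).days


if __name__ == "__main__":
    # The 2nd December case from the text, plus two short-month edge cases.
    for received in (date(2021, 12, 2), date(2022, 1, 31), date(2022, 3, 31)):
        print(f"received {received}: respond by {calendar_month_deadline(received)} "
              f"({days_available(received)} days; 28-day fallback "
              f"{fixed_28_day_deadline(received)})")
```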
DSARs and UK data reform

Is the UK Government going to try and address the challenges in their proposal to reform UK data protection law? The consultation paper makes the right noises about the burden DSARs place on organisations, especially smaller businesses. Suggestions include introducing a fee regime, similar to that within the Freedom of Information Act. One idea is a cost ceiling, while the threshold for responding could be amended. None of this is without challenges. There’s also a proposal to re-introduce a nominal fee.

On the latter point, GDPR removed the ability to charge a fee. You may recall prior to 2018 organisations could charge individuals £10 for a copy of their personal data. Many will disagree, but I think the nominal fee is reasonable. I realise it could be seen as a barrier to people on lower incomes exercising a fundamental right. However, my thoughts are organisations wouldn’t be forced to charge. It would be their choice. They would also be able to use their discretion by waiving the fee in certain situations. It makes people stop and think: ‘do I really want this?’

Whatever transpires, I truly hope some practical changes can be made to support small and medium-sized businesses. Balancing those with individual rights isn’t easy, but that’s why our legislators are paid the big bucks. And here, dear reader, endeth my rant!