Are Data Subject Access Requests driving you crazy?

January 2022

Complicated. Costly. Time-consuming...

… And driving me crazy. We’ve all heard the dreaded words, right? “I’d like a copy of my personal data.”

Which led me to think: is the fundamental privacy right of accessing our personal data becoming part of our increasingly litigious culture? The DSAR is now a staple opening shot for law firms handling grievance claims or employment tribunals, looking for potentially incriminating morsels of information.

Of course, this right must be upheld, but is the process fit for purpose? Employee-related requests, in particular, can entail a massive amount of work and the potential for litigation makes them a risky and complex area.

For some organisations, this is water off a duck’s back; they’ve always had access requests, anticipated volume would increase after GDPR, have teams to handle them, invested in tech solutions, have access to lawyers and so on.

Great stuff, but please spare a thought for others.

Plenty of businesses have lower volumes of DSARs. They’re unable to justify, or afford, extra resources. These guys are struggling under a system that assumes one size fits all.

Then there are businesses who’ve never even had a DSAR. For them, just one request can be an administrative hand grenade.

Of course some businesses are guilty of treating employees badly, but I wish things could be different. It’s about getting the balance right, that most elusive of things when creating regulatory regimes. Are the principles behind the DSAR important? Of course. Can the processes be improved? Definitely!

So be warned – here begins a micro-rant on behalf of the smaller guys. I’m feeling their pain.

What’s that sound? It’s wailing and the gnashing of teeth

It’s clear from our Privacy Pulse Report that DSARs are a significant challenge facing data protection professionals. One DPO told us:

“Vexatious requests can be very onerous. Controllers need broader scope for rejection and to refine down the scope, plus criteria for when they can charge… In my view, the ICO should focus on helping controllers to manage complex and vexatious DSARs.”

Some access requests are straightforward, especially routine requests where ‘normal’ procedures apply. However, some requests are made by angry customers or disgruntled ex-employees on a mission… and there’s no pleasing them. A troublesome minority appear to be submitting DSARs because they want to cause inconvenience because they’re angry, but don’t go so far as to fall under the ‘manifestly unfounded’ exemption.

Anyhow, for all those of you out there dealing with this stuff, know that I feel your pain. Without any further ado…

My THREE biggest DSAR bugbears (there are others)

Everything!

We’re entitled to a copy of ALL our personal data (to be clear, this doesn’t mean we’re entitled to full documents just because our name happens to appear on them somewhere).

It’s true organisations are allowed to ask for clarification, and the ICO’s Right of Access Guidance provides some pointers on how to go about this.

Yet that tiny glimmer of hope is soon dashed – we’re told we shouldn’t seek clarification on a blanket basis. We should only seek it if it’s genuinely required AND we process a large amount of information about the individual.

Furthermore: “you cannot force an individual to narrow the scope of their request, as they are still entitled to ask for ‘all the information you hold’ about them.”

Why?

Let’s take the hypothetical (but realistic) case of an ex-employee who believes they’ve been unfairly dismissed. They worked for the company for 10 years; they submit a DSAR but choose not to play along with clarifying their request. They want everything from over a decade of employment.

Do they really need this information? Or are they refusing to clarify on purpose? Is this a fair, proportionate ‘discovery process’? As I’ve said before, large organisations may be better placed to absorb this; it’s the not-so-big ones who can really feel the pain. And in my experience, much personal data retrieved after hours of painstaking work isn’t relevant or significant at all.

Emails!

I get conflicted with the requirement to search for personal data within email communications and other messaging systems.

On the one hand we have the ICO’s guidance, which to summarise tells us:

  • personal data contained within emails is in scope (albeit I believe GDPR has been interpreted differently by other countries on this point);
  • you don’t have to provide every single email, just because someone’s name and email address appears on it;
  • context is important and we need to provide emails where the content relates to the individual (redacted as necessary).

If you don’t have a handy tech solution, this means trying to develop reasonable processes for retrieving emails, then eliminating those which won’t (or are highly unlikely to) have personal data within the content. This takes a lot of time.

Why am I conflicted? In running a search of your email systems for a person’s name and email address, you’ll inevitably retrieve a lot of personal data relating to others.

They might have written emails about sensitive or confidential matters, now caught within the retrieval process. Such content may then be reviewed by the people tasked with handling the request.

I suspect this process can negatively impact on wider employee privacy. Yes, we’re able to redact third party details, but by searching the emails in the first place, we’re delving into swathes of lots of people’s personal data.

It seems everyone else’s right to privacy is thrown out in the interests of fulfilling one person’s DSAR.

It also makes me wonder; if I write a comment that might be considered disparaging about someone in an email, do I have any right to this remaining private between me and the person I sent it to? (Even if it wasn’t marked confidential or done via official procedure).

I know many DPOs warn their staff not to write anything down, as it could form part of a DSAR. I know others who believe they’re justified in not disclosing personal data about the requester, if found in other people’s communications. Which approach is right?

Time!

Who decided it was a good idea to say DSARs had to be fulfilled within ‘one calendar month’?

It wasn’t! This phrase led to the ICO having to offer this ‘clarification’:

You should calculate the time limit from the day you receive the request, fee or other requested information (whether it is a working day or not) until the corresponding calendar date in the next month.

If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.

If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond.

This means that the exact number of days you have to comply with a request varies, depending on the month in which an individual makes the request.

For practical purposes, if a consistent number of days is required (e.g. for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.

I hope you got that.

Wouldn’t it have been easier to have a set number of days? And perhaps a more realistic timescale?

Let’s take the hypothetical (but realistic) case: you receive a DSAR on 2nd December. You can’t justify an extension as it isn’t unduly complex.

Yes, I know you’re with me; bank holidays and staff leave suddenly mean the deadline is horribly tight.

I wish there was a specific number of days to respond. I wish they excluded national bank holidays and I wish there was a reprieve for religious festivals. I know, I’m dreaming.
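The ICO’s calendar-month rule quoted above, worked through as an added Python example that is not part of the original post: it computes the response deadline (including the 2nd December case) and shows how the number of days you actually get varies with the month. The holiday dates are a constructed sample, and the 28-day internal target is the ICO’s own suggestion above.

```python
import calendar
from datetime import date, timedelta

# Constructed sample of public holidays around the turn of 2021/22 (England and
# Wales dates); a real implementation would load the official list.
PUBLIC_HOLIDAYS = {date(2021, 12, 27), date(2021, 12, 28), date(2022, 1, 3)}


def _as_date(d):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(d) if isinstance(d, str) else d


def is_working_day(d, holidays=PUBLIC_HOLIDAYS):
    return d.weekday() < 5 and d not in holidays


def corresponding_date_next_month(received):
    """Same day-of-month in the following month, or that month's last day when
    it has no such date (e.g. 31 January -> 28 or 29 February)."""
    year, month = received.year, received.month + 1
    if month == 13:
        year, month = year + 1, 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def dsar_deadline(received, holidays=PUBLIC_HOLIDAYS):
    """ICO rule: count from the day of receipt (working day or not) to the
    corresponding date next month, then roll forward over weekends and holidays."""
    due = corresponding_date_next_month(_as_date(received))
    while not is_working_day(due, holidays):
        due += timedelta(days=1)
    return due


def calendar_days_available(received, holidays=PUBLIC_HOLIDAYS):
    """Shows why 'the exact number of days varies depending on the month'."""
    received = _as_date(received)
    return (dsar_deadline(received, holidays) - received).days


def working_days_available(received, holidays=PUBLIC_HOLIDAYS):
    """Working days after receipt up to and including the deadline: the figure
    that shrinks once bank holidays and staff leave bite."""
    received = _as_date(received)
    deadline, d, count = dsar_deadline(received, holidays), received, 0
    while d < deadline:
        d += timedelta(days=1)
        if is_working_day(d, holidays):
            count += 1
    return count


def fixed_28_day_target(received):
    """The ICO's practical suggestion: a 28-day internal target never overshoots."""
    return _as_date(received) + timedelta(days=28)


if __name__ == "__main__":
    for received in ("2021-12-02", "2022-01-31", "2022-08-31"):
        print(received, "->", dsar_deadline(received), calendar_days_available(received),
              "calendar days,", working_days_available(received), "working days")
```

With the constructed holidays, a request received on 2nd December 2021 is due on 4th January 2022 (the 2nd is a Sunday and the 3rd a bank holiday), 33 calendar days but only 20 working days away; one received on 31st January is due on 28th February, just 28 calendar days later.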

DSARs and UK data reform

Is the UK Government going to try and address the challenges in their proposal to reform UK data protection law?

The consultation paper makes the right noises about the burden DSARs place on organisations, especially smaller businesses.

Suggestions include introducing a fee regime, similar to that within the Freedom of Information Act. One idea is a cost ceiling, while the threshold for responding could be amended. None of this is without challenges. There’s also a proposal to re-introduce a nominal fee.

On the latter point, GDPR removed the ability to charge a fee. You may recall prior to 2018 organisations could charge individuals £10 for a copy of their personal data.

Many will disagree, but I think the nominal fee is reasonable. I realise it could be seen as a barrier to people on lower incomes exercising a fundamental right. However, my thoughts are organisations wouldn’t be forced to charge. It would be their choice. They would also be able to use their discretion by waiving the fee in certain situations. It makes people stop and think: ‘do I really want this?’

Whatever transpires, I truly hope some practical changes can be made to support small and medium-sized businesses. Balancing those with individual rights isn’t easy, but that’s why our legislators are paid the big bucks.

And here, dear reader, endeth my rant!

You’ve been SAR-bombed!

July 2020

You are at the end of a long day, just about to turn in for the night. You do one last check of your inbox for any signs of a reported security incident. Suddenly you are aghast: the new email count in your inbox registers over 9,000 new emails! You quickly scan to fathom what on earth has happened…

All the emails come from the same sender and the subject lines all declare they are SAR (Subject Access Request) requests. Looking closer, you note the emails include personal information, describe that “so-and-so” wants to exercise a privacy right and reference different privacy laws.

Laws you know require you to reasonably address privacy requests, with penalties should you fail to address the request in good faith and in a timely manner.

While I hope you never experience 9,000 requests in one hit, people seem to be increasingly relying on third parties and apps to facilitate their privacy rights. Indeed, some third-party portals are actively encouraging people to use their services.

Once your organisation is identified, you are likely to receive requests from the third party’s entire user base; all delivered to the email address published via your privacy statements.

Let’s explore this trend in more detail and give you a glimpse of how to tackle the SAR-bomb experience.

The Dawn of Privacy Preference Apps

Chances are you’ve already received or honoured an individual’s privacy request received via a third party in some fashion or another. Country and channel specific regulatory “do not contact” lists have for some years allowed people to ‘opt-out’ of direct marketing “en masse.” Some third parties offer people template letters to express privacy choices with a pre-defined list of organisations that should receive them.

Mobile apps are also available to help individuals exercise their requests. One such app seeks to help individuals to identify organisations they have previously transacted with for the purposes of exercising their privacy rights and another is designed to help individuals address legal disputes.

Of course, California’s Consumer Privacy Act (CCPA) now requires organisations to process privacy requests delivered by third parties (defined as “authorised agents”). With California being the world’s sixth largest economy, CCPA’s “authorized agent” mandates are likely to be replicated and to influence individuals’ expectations beyond California.

Mindset

When addressing privacy requests delivered to you via third parties, be sure your response plan considers first the people submitting these requests. They’ve already invested some time and energy and may have even paid for the help these parties and solutions offer.

People may have turned to such third parties to assert control over their data in as broad a manner as possible. Some may be frustrated, confused or upset, and others may not be aware or care that your organisation has specific obligations under the law.

Your procedures to authenticate identity, validate the processing of personal data, address requests within your organisation and ensure the security of the data in your care, are likely of little concern to individuals.

Even though the law may require you to separately affirm certain requests received online, some individuals simply won’t appreciate your attempts to confirm the authenticity of their requests.

Furthermore, your requests that people follow your processes may be met with frustration, indifference and scepticism, especially when you need them to take additional action to facilitate their original request.

Your experience addressing sensitive SAR requests, such as those from disgruntled employees or customers punishing you for bad service, can be especially useful.

Getting to Work

With the individual’s mindset front and centre, let’s shift attention to some of the considerations specific to being SAR-bombed. Time is of the essence and you need a systematic approach to establish whether you will deny, partially comply with or fully comply with the request.

  • Get your arms around the situation – At a minimum, you need to identify each individual, extract the personal data (as needed to authenticate their identity and confirm the data exists within your organisation) and define the rights they wish to exercise. Conduct a quick test to see how much time is needed based on the total volume.

In our example, let’s say it takes you just 90 seconds to open one of the emails, log the relevant details to your SARs system and archive the email. At 9,000 requests, you may need 225 hours to convert these SAR emails into requests that make sense within your organisation.

  • Create a structured dataset – The volume of SARs simply requires a repeatable process designed to convert the unstructured privacy email into a structured request that makes sense within your organisation. It may help to create a solution that can parse emails for relevant details and return data back to you in a structured format.

If your email platform supports it, consider exporting all the SAR emails into a Comma Separated Values or “CSV” file. Once in a CSV file, you can use your favourite spreadsheet program to make short work of your analysis and response.

  • Include key details within your structured dataset – Consider assigning a unique identifier specific to the request and sender to help you demonstrate the original request across the actions needed to address it. Pull forward the personal data related to the request in a way which reflects your existing SARs authentication and matching procedures.

You may also extract demographic information across specific columns; especially useful if the requests reference rights across different jurisdictions or laws. Denote the privacy right (or rights) for each request. Be sure to use terms your organisation understands to save time.

Consider assigning a reference to the jurisdiction (or law) applicable to the request; or the individual involved. For example, it may be useful to validate GDPR requests originating from Europeans differently from CCPA requests from Californians.

  • Questions relevant to developing your strategy

a. Do you have multiple requests for the same individual? Check if you have duplicates, i.e. the same individual requesting the same right.
b. Do you have requests that aren’t legally required? Check if those exercising a right are indeed subject to the right or law referenced. For example, is the individual a European (if referencing GDPR) or a Californian (if referencing CCPA)? Dependent on the volume and results of this analysis, you may need to address requests subject to the law first.
c. Can you act on the request as presented? Do you have evidence the third party has authority to act on the individual’s behalf? Are you able to verify their identity? If you need more information your response plan also needs to factor in developing and sending communications, and addressing the responses.

  • Creating records to demonstrate your reasonable efforts – Regardless of your specific response plan, be sure to keep records detailing what you did and the decisions you made. This may include:

1) details of your actions to assess the request
2) communications with the individual
3) actions taken internally to address the request
4) summary of results (for example whether you denied, partially or fully complied)
5) the timeframe taken to resolve
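The triage steps above, from raw portal email to a deduplicated structured dataset with a per-request identifier and a law-versus-location plausibility flag, as an added Python example that is not part of the original post or of any company’s actual process. The sample emails, the “Key: value” email layout and the short EEA country list are constructed assumptions.

```python
import hashlib
from collections import Counter

# Constructed sample of portal-generated SAR emails as (sender, body); the
# "Key: value" layout is an assumption about the portal's format. Emails 1-3
# are the same request (3 differs only in case); 4 is a CCPA request; 5 cites
# GDPR but describes a Texan; 6 is the same person as 1 asking a different right.
RAW_EMAILS = [
    ("requests@portal.test", "Name: Jane Doe\nEmail: jane@mail.test\nCountry: FR\nRight: access\nLaw: GDPR"),
    ("requests@portal.test", "Name: Jane Doe\nEmail: jane@mail.test\nCountry: FR\nRight: access\nLaw: GDPR"),
    ("requests@portal.test", "Name: Jane Doe\nEmail: JANE@mail.test\nCountry: FR\nRight: Access\nLaw: gdpr"),
    ("requests@portal.test", "Name: Bob Roe\nEmail: bob@mail.test\nCountry: US\nState: CA\nRight: deletion\nLaw: CCPA"),
    ("requests@portal.test", "Name: Alice Poe\nEmail: alice@mail.test\nCountry: US\nState: TX\nRight: access\nLaw: GDPR"),
    ("requests@portal.test", "Name: Jane Doe\nEmail: jane@mail.test\nCountry: FR\nRight: erasure\nLaw: GDPR"),
]

# Illustrative subset of EEA country codes; a real check would load the full list.
EEA = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IT", "NL", "PL", "SE"}


def parse_fields(body):
    """Turn 'Key: value' lines into a dict with lower-cased keys; other lines are ignored."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip().lower()] = value.strip()
    return fields


def in_scope(law, fields):
    """Plausibility check: does the cited law match where the requester says they are?"""
    country, state = fields.get("country", "").upper(), fields.get("state", "").upper()
    if law == "GDPR":
        return country in EEA
    if law == "CCPA":
        return country == "US" and state == "CA"
    return False


def structure(raw_emails):
    """Convert raw emails into deduplicated, structured request records."""
    records = {}
    for sender, body in raw_emails:
        f = parse_fields(body)
        law, right = f.get("law", "").upper(), f.get("right", "").lower()
        email = f.get("email", "").lower()
        # One ID per (sender, individual, right, law): the same person asking for
        # the same right again is a duplicate; a different right is a new request.
        request_id = hashlib.sha256("|".join([sender.lower(), email, right, law]).encode()).hexdigest()[:12]
        if request_id in records:
            records[request_id]["copies"] += 1
            continue
        records[request_id] = {"request_id": request_id, "sender": sender,
                               "name": f.get("name", ""), "email": email, "right": right,
                               "law": law, "in_scope": in_scope(law, f), "copies": 1}
    return list(records.values())


def summarise(raw_emails):
    """Headline numbers for the strategy questions: duplicates, laws cited, scope."""
    recs = structure(raw_emails)
    total, unique = len(raw_emails), len(recs)
    return {"total": total, "unique": unique,
            "duplicate_pct": round(100 * (total - unique) / total, 1),
            "by_law": dict(Counter(r["law"] for r in recs)),
            "in_scope_by_law": dict(Counter(r["law"] for r in recs if r["in_scope"])),
            "max_copies": max(r["copies"] for r in recs)}


if __name__ == "__main__":
    # The records list feeds csv.DictWriter directly for spreadsheet review.
    print(summarise(RAW_EMAILS))
```

On the six constructed emails this yields four unique requests (two duplicates, 33.3%), three citing GDPR and one CCPA, of which one GDPR request fails the plausibility check because it describes a Texan.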

Adopting the approach above, my company, Harte Hanks, has addressed 9,254 email requests within just a few days. We identified that 96% of the requests delivered were simply duplicates.

The “sender” seems to have experienced a technical problem, delivering the same request on average at least 44 times and one over 1,600 times. Of the 326 “unique” requests delivered, 67 requests described rights under CCPA whereas the other 259 described rights under GDPR.

When considering the personal data delivered along with the request, we found all CCPA requests included personal details reasonably descriptive of a Californian whereas only 16 of the remaining “GDPR” requests reasonably “described” a European.

Here’s to hoping you don’t ever experience such a deluge of requests at one time.

Further information

In the UK, the Information Commissioner’s Office addresses requests made via third party portals in its detailed Right of Access Guidance.

The ICO says that, to determine whether you need to comply with such a request, you should consider whether you are able to verify the identity of the individual and are satisfied the third party portal is acting with the authority of and on behalf of the individual in question.

The regulator stresses you are not obliged to take proactive steps to discover that a SAR has been made. So, if you can’t view the SAR without paying a fee or signing up to a service, you have not ‘received’ a SAR and are not obliged to respond.

Furthermore, it’s the portal’s responsibility to provide evidence that it has appropriate authority to act on the individual’s behalf. In responding to a SAR you are not obliged to pay a fee or sign up to a third party service. If you are in this position the regulator’s advice is to provide the information to the individual directly. The draft code states:

“If you have concerns that the individual has not authorised the information to be uploaded to the portal or may not understand what information would be disclosed to the portal, you should contact the individual to make them aware of your concerns.”

GDPR: The Right of Access

The right of access is nothing new, but there are some changes ushered in by the EU General Data Protection Regulation (GDPR). There’s also the anticipation that increased awareness (and the removal of the fee) will see the number of requests received rise.

It’s crucial that employees are aware of what a Data Subject Access Request (DSAR) is and the importance of immediately passing such requests to the Data Protection Officer or relevant member of staff/team. Time is of the essence!

What is a data subject access request?

A DSAR is a request from a data subject to be provided with a copy of the personal data being processed by a Controller and an explanation of the purposes for which the personal data is being used. A complaint or general query about how personal data is being used does not constitute a DSAR, for example a query about why marketing is being received or where you got someone’s name from. A DSAR is specifically when anyone asks to receive a copy of the personal data you may hold about them. A request does not need to be formally called a “subject access request” or “access request” for it to constitute one, and they will rarely be titled as such.

A request could be sent to any department and come from a variety of sources. Individuals do not need to officially write a letter addressed to the Data Protection Office for it to be a valid request. They might be submitted by email or social media and may be addressed to the “wrong” department or person.

What are the changes under the GDPR?

Less time to respond: The timescale for responding to a DSAR has been reduced from 40 days to one calendar month, representing a challenge for many organisations.

No fee: Organisations can no longer charge a £10 fee for a DSAR. However, where the request is deemed to be excessive or manifestly unfounded organisations can charge a “reasonable fee” to cover the administrative costs of complying with the request. There is also an ability to charge a “reasonable fee” if an individual requests further copies of their data. But, even if you suspect a request may be malicious, this is very unlikely to be sufficient grounds for refusing to respond.

Article 15 of the GDPR sets out the information that individuals have the right to be provided with. Broadly this covers providing information about:

  • What personal data is being processed
  • The purposes for which the personal data is being processed
  • To whom the personal data has been or will be disclosed
  • The existence of any automated decision-making, including profiling. And, at least where this produces legal or similarly significant effects, what logic is being used for that purpose.
  • How long the data will be retained for (or at least the criteria used to determine this)

Initial Response

In order for a formal DSAR to be valid it must come from the individual themselves (or an authorised agent/parent/guardian) and needs to be accompanied by enough information to enable you to extract the personal data pertaining to the individual from your systems.

It is very important to establish that the individual asking for the information is who they say they are, to avoid the damage of inadvertently disclosing personal information to the wrong person. There have been several instances of fraudulent requests in order to aid identity theft.

If the information the individual has provided in their request is insufficient, you should ensure you have a standard initial response process so you can immediately ensure you have enough details to fulfil the request. For example you may need to:

  • request proof of ID (if the requester is an employee or ex-employee this may not be necessary if it is obvious to you who they are)
  • request proof of relationship/authority (for example if information is requested about a child or by an agent)
  • ask if they are interested in specific information (if they request ALL personal data you cannot restrict this)
  • ask what their relationship is with your organisation
  • ask if they wish to see CCTV images of them (if relevant) and request a photograph, description of clothes worn, dates of visits etc.
  • ask if they require the information to be provided in writing or whether they will accept it in an electronic form

You have one calendar month to provide your formal response to the individual.

In limited circumstances this can be extended for up to a maximum of a further two months.

Gathering the information

Ensure you have a standard process to efficiently check all relevant systems and liaise with other departments. A SAR covers most computerised personal data you hold (including archives and backups) and some paper records (where these are held in a systematic and structured format). Email systems will need to be checked for emails pertaining to the individual (where they are referenced by name or are identifiable).

[Update] Do you need to include deleted records? The ICO’s view in its detailed Right of Access Guidance (published Oct 2020) is “Information is ‘deleted’ when you try to permanently discard it and you have no intention of ever trying to access it again. The ICO’s view is that, if you delete personal data you hold in electronic form by removing it (as far as possible) from your computer systems, the fact that expensive technical expertise might enable you to recreate it does not mean you must go to such efforts to respond to a SAR.”

Review the information

If no personal data is held about the individual they must be informed of this.

If the information you have gathered contains personal data relating to other individuals you need to carefully (on a case by case basis) consider whether/how to redact this or judge it to be reasonable to disclose. Such information can be disclosed with the consent of the other parties. Where consent is not feasible you need to consider the privacy impact and/or how your duty of confidentiality to these other parties could be broken should you disclose this information. You should document any justification for disclosure of personal data relating to other parties.

Your formal response

The information you provide must be in an “intelligible form”, in other words one the average person would be able to understand. Avoid using jargon or terms that people outside the business might not understand, and explain any codes. Ensure the information you are providing covers the requirements under Article 15. When supplying the information, use a traceable delivery system. If agreed with the individual, send it via secure electronic means.

And finally, keep a record of your response!