According to the 2020/21 ICO annual report, around half of the [46% of ~40k] complaints the regulator receives are related to subject access. Fulfilling DSARs is clearly an area where Data Controllers are facing challenges with data subject satisfaction. In a previous article, I wrote about coping with DSAR volumes, suggesting methods to bring such high numbers down and how to minimise the data held. Those techniques help with overall volumes but what happens when a single Data Subject Access Request is, in of itself, complex? It is these complex DSARs that, if handled improperly, are more likely to lead to upheld complaints. Upheld complaints could then mean the prospect of follow-on regulatory action – and no one wants that! In this article, we will look at the concept of complexity in DSARs. What it is (and isn’t) and, the techniques available to Controllers to help manage complex data subject access requests.
What is meant by complexity (and what isn’t)?
The UK ICO has some guidance on when they consider a DSAR to be complex. The guidance states the following as complicating factors:
- Technical difficulties in retrieving the information – for example, if data is electronically archived.
- Applying an exemption that involves large volumes of particularly sensitive information.
- Clarifying potential issues around disclosing information about a child to a legal guardian.
- Any specialist work involved in obtaining the information or communicating it in an intelligible form.
- Clarifying potential confidentiality issues around the disclosure of sensitive medical information to an authorised third party.
- Needing to obtain specialist legal advice. If you routinely obtain legal advice, it is unlikely to be complex.
- Searching large volumes of unstructured manual records NB: This is only applicable to public authorities.
What is not considered complicating factors in a DSAR, however, are as follows:
- High volumes of data involved. Just because a Controller holds a lot of data, doesn’t make the request complex (but high volumes can become an aggravating factor in complex cases).
- Retrieving data from multiple systems. Whilst it may be a complicating factor to retrieve personal data from a specific type of system (e.g. encrypted off-site archives), personal data held across multiple systems, doesn’t make the request complex.
- Reliance on a Processor. Whilst material retrieved from a Processor may form part of a complex DSAR, the retrieval from the Processor itself is not deemed to be a complicating factor.
- High volumes of Subject Access Requests. Complexity relates to the specifics of a single DSAR. Just because a Controller is dealing with a lot of DSARs simultaneously does not make the collective batch of DSARs complex.
An important point to highlight is that even where DSAR complexity exists, it does not equate to a de facto exemption. A Controller can’t withhold information as a result of these complicating factors. A Controller can’t respond to a DSAR by stating it was “too hard” to fulfill. A Controller must still provide the personal data requested where it is required to do so. All the existence of complicating factors does is give the Controller a little more time to fulfill the DSAR.
Great – but we still have to deal with the complexity. Any tips?
As mentioned, Controllers must still provide the personal requested when required to do so by law. They must still deal with all the complicating factors and whilst the deadline is two months further down the line, the clock is still ticking. With that in mind, is there anything Controllers can do to make dealing with complex DSARs less onerous? The short answer is, yes! Here are some of the things Controllers can do to make their lives easier.
Review adherence to the DP principles: The Right of Access that underpins the DSAR does not sit in isolation. It should go without saying [but still worth mentioning] that dealing with a complex DSAR will be more challenging if a Controller is not applying the data protection principles to the personal data they process. Make sure in particular that controls relating to purpose limitation and data minimisation are effectively applied. The less personal data held, for example, means reduced effort in the review, seeking of advice, and redaction stages of the DSAR process.
Use case management tools: Let’s look at the following scenario. Someone gets a phone call from a Data Subject and the employee taking the call agrees to do something that has a legal effect on the Data Subject. An email discussing the issue is sent to someone internally. Somewhere within the chain is a key piece of information confirming what has been agreed. The thing is, what was agreed didn’t happen because someone went on holiday, or left the organisation, and now nobody can find the paper trail. The Data Subject insists their version of events is accurate but has no record because the matter was only discussed over the phone. Someone in the business takes a view that the DS must be mistaken and the DS now faces some negative effect. The DS then complains. The company does not uphold the complaint. The DS then feels compelled to make a DSAR. The email is then found during the searches! A lot of time and effort, not to mention goodwill has been lost.
Had this organisation relied upon case management tools instead of using email as a filing system, there would have been a formal record of the action to be taken, with a unique reference number and, a date showing when the issue was resolved (or if it still remained open). No matter how small an organisation is, case management tools, or service management tools should be one of the first things to be purchased. Such tools aid in keeping customer communication all in one place…and thus reduce the effort of dealing with complex DSARs. From a data protection perspective, they pay for themselves.
Identify technical retrieval issues early: Organisations should not wait until a DSAR hits the desk before thinking about how it is going to be fulfilled. Those tasked with retrieval should not be trying to work it out at the time of a request either. Each personal data source should be mapped out. Detailed procedures should be documented to support the retrieval process on each of those data sources including the search nomenclature to be used. If personal data is held in archives, again consider the data minimisation principle and ensure Information Lifecycle Management (ILM) is baked into each data source.
Develop strategies by wargaming complex case scenarios: Most organisations have business continuity and incident management plans. A key part of these is the testing component where organisational resilience is tested for weakness. The same principle can apply to the DSAR process. Those likely to deal with complex DSARs will benefit from wargaming responses to complex DSARs. For example, if you are in the education sector and regularly need to communicate with legal guardians about their wards, identify ahead of time what should be provided and what would be covered under an exemption? Similarly, if you work in social care and you receive a request for sensitive information about a vulnerable person, what needs to be included? When wargaming such scenarios, consider how other legislation would interplay with data protection law too. If you’re being asked for a pupil record, an extension may not apply and you have half the time to provide this data. Get your legal team involved too and brainstorm scenarios that may require specialist advice. Can an opinion be sought ahead of time to stave off delays during a live DSAR? As a DPO, you could host regular “What if” workshops to tease out how departments would cope in scenarios relevant to organisation-specific scenarios. Once you have wargamed, don’t forget to integrate findings into your continuous improvement programme and ensure policies, processes and procedures are updated to reflect what was discovered.
Understand your exemptions and automate redaction: For organisations dealing with complex DSARs on a more regular basis, it’s likely the same exemptions are going to apply time and again. Where possible, create procedures for applying exemptions systematically. Train staff involved in the DSAR process on what exempt material looks like so it can be quickly identified and redacted. Where possible consider the use of redaction software that can automate the process of removing exempted data that appears frequently in searches. Automation of redaction can also be used to support the removal of third party data too.
Communicating DSAR complexity to the Data Subject.
Ok, so one (or more) of the complicating factors exist, we’ve got all our strategies in place, what now? Basically a bit of breathing space. A Controller can now opt to extend the DSAR by up to 2 months – so that is 3 months from the date of the initial request, clarification, or when identification checks were concluded. They must however communicate the extension to the Data Subject within the original one month deadline. So what should be included in the communication? Good practice is to include:
- Summary of the DSAR as understood. If a scope has been included to narrow focus, consider summarising this too.
- A statement that the DSAR has been assessed as complex and the reason(s) that support this decision. The complicating factors stated by the ICO should be sufficient. There is no need to go into chapter and verse as to why retrieval from a particular system is technically difficult.
- A statement explaining that as a result of the complicating factor(s) identified, the DSAR deadline is to be extended. The statement should also include the authority to which you are able to make the extension (e.g. UK DPA 2018). It is likely complexity will only be identified after some searches have been carried out. Good practice, therefore, is to include the original deadline provided to the DSAR in the initial acknowledgement communication (which hopefully you have already sent) and then state the new extended date.
- A statement detailing the contact details the Data Subject may use to contact the Controller about the request. Good practice is to provide at least one electronic means (e.g. email).
Keeping it simple!
Complex DSARs don’t have to be, well, complicated. Organisations can simplify the process and make dealing with complex DSARs less onerous. Whilst applying the Data Protection principles will be of benefit in the round, mapping your data sources, use of case management tools, wargaming and automation will all help reduce the effort involved in complex DSARs. A word of warning though on extensions. Elongating fulfillment of DSARs by applying an extension could lead to a situation where a higher volume of parallel DSARs exist at the same time. This in itself could become a lot more challenging to manage. The objective should, therefore, be to implement techniques to process all DSARs as quickly and as efficiently as possible – be they complex or simple. Use that extra time wisely! If you need help with the issues discussed in this article, or to learned more about our Outsourced DPO Service, get in touch!
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing control frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
22301 22301:2019 article 28 awareness bcms BIA business continuity calculating risk change management ciso controller cybersecurity data breach data privacy Data Protection data protection by design data protection officer data protection service Data Subject Access Request DPO DSAR GDPR incident management information security leadership monitoring operational resilience Outsourced DPO Privacy processor risk risk appetite risk management ROI security security as a service small business strategic strategy Subject Access Request tools training transparency vciso virtual ciso