DSAR – Dealing with the Contentious Data Subject Access Request


Data Subject Access Requests (DSARs) can be onerous at the best of times, but there are some situations which send a shudder down the backs of many a Data Protection Officer. The DSAR could be from a long-standing customer of many years who has been the victim of fraud. It could come from a parent battling to get enhanced support for a child with Special Educational Needs (SEN) on the last day before the summer holidays. The DSAR could come from an employee who has been using email as long as the Queen and who believes they have been the victim of unfair discrimination. Whatever the context, something has gone wrong in the relationship between the Data Subject and the Controller. An issue has turned into a complaint, and that complaint has been badly handled (or handled in a way that didn’t provide the Data Subject with the outcome they expected). In such cases, the Data Subject, who up until this point had no real interest in the personal data you held on them, now wants to make a Data Subject Access Request. Trying to minimise the effort involved, you ask the reasonable question of whether they can be specific about the information they would like. Unfortunately, because they feel they have been so badly let down by your organisation, they are seething. The response comes back that they want EVERYTHING!!

But what does ‘everything’ actually mean when it comes to exercising Data Protection rights like the Right to Access? In this article, we’ll look at some of the common myths that get bandied about by Data Subjects looking for copies of their data and how to handle such requests in a kind and helpful way.

DSAR as a Service

It’s quite possible the person receiving the DSAR [probably you] is not the same person handling any underlying interaction with the Data Subject. DSARs are often sent to the DPO email address published in an organisation’s Privacy Notice. If this is the typical way you receive DSARs, be mindful that DSARs usually have some context lurking in the background that you may not yet know about. It’s probably worth trying to understand that context ASAP. Be mindful that the DS may now feel [massively] let down by your organisation. They may be angry and upset. They are clearly aware they have a right to access material that you hold, but they will not always be aware of exactly what this means in practice. Data Subjects, for the most part, are not data protection experts, so it’s important that those handling DSARs treat the request as a service request. If the relationship with the Data Subject is at rock bottom, the DSAR process can be a way to improve the Data Subject’s perception of the organisation.

Even if you are not aware of a contentious relationship, it’s good practice to consider the possibility. This is because, anecdotally at least, after a DSAR is made one of four outcomes usually follows. The Data Subject is satisfied with the material provided and no further action is required. The DS requests further information, or some corrective action is taken. The DS makes a complaint to the Data Protection Regulator. The DS takes legal action against the Controller. The way you deal with the DSAR could ultimately determine whether the DS goes away happy or your organisation now has to prepare for litigation. You may not be the cause of their frustration, but you could be the straw that breaks the camel’s back.

So how can you avoid making matters worse? Firstly, if there has been a long interchange of emails between your organisation and the Data Subject and it is clear that their identity is already known, please don’t try and delay dealing with the DSAR by invoking some form of arbitrary identification process – it will just P!$$ them off. If you receive a DSAR, acknowledge receipt immediately – people who feel ignored are those who most want to feel they have been heard. Have a template, or use case management software to automate the acknowledgement, if you have too many DSARs to handle by hand. If you want to clarify the request, do so quickly – the sooner you understand the ask, the more time you have to pull the material together. When you have the material, don’t just send it with no context – this will just fuel lots of avoidable questions. Send a covering letter that explains the DSAR material and any exemptions you have applied. Above all, set a friendly tone in your communication – comms that sound like they have come from a lawyer are likely to set a combative tone for future interactions. Consider contacting the DS by phone to acknowledge the DSAR; a phone call can be a useful way of humanising the process. Just remember not to commit to anything outside of the DSAR process, and make a record of the contact in your case management tool.

The Common Myths

OK, you were amazingly diligent and friendly. You have provided the material within the regulatory deadline and a few days have gone by (if that). The DS comes back and they’re not satisfied with what you have provided. It could be they can’t find the smoking gun they were expecting. They think something is missing or, worse, has been deliberately withheld! In these cases, they may come back and ask for more material. But just because a Data Subject is insistent that they be provided with additional material does not mean they are entitled to it. Remember, you want to be helpful, but that must fall within the scope of a reasonable request. Let’s look at some of the common follow-ups to contentious DSARs where the DS wants more information than was originally provided.

Follow-Up 1: You need to provide me with every email, SMS and WhatsApp that contains my Personal Data

This is probably the most common follow-up to a DSAR, but it is simply not true that a Controller must provide every single message. Yes, if the message (and that includes any form of message, not just email) is about the Data Subject, and is not exempted, then it must be provided. But a Controller does not need to provide every email, SMS and WhatsApp message solely on the basis that the message contains their Personal Data. So what can be reasonably excluded?

The two primary reasons for excluding messages would be: a) where the only Personal Data contained in a message is the DS’s name/contact details as a recipient/sender (e.g. a Data Subject who sends 10,000 work emails to colleagues about work-related matters is not entitled to copies of these emails, redacted or not); or b) where a valid exemption exists (e.g. a third party provided a reference, in confidence, relating to the Data Subject). In both cases, all that is required is a statement in your covering letter that the personal data exists and the reason the data is not being provided.

As an aside, it is a useful part of any DSAR process to apply filters to your searches to automatically exclude messages where the only personal data is in a recipient/sender field. This will save you a lot of time down the line in other stages of the DSAR process. Most decent e-Discovery tools can do this for you.
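The following is an added illustration, not code from the original article or from any particular e-Discovery product, of the first-pass filter described above. It assumes a constructed export of four messages about a hypothetical Data Subject “Jane Doe” and sorts each message into one of three buckets: the Data Subject’s identifiers appear in the subject or body (send to human review), they appear only in the sender/recipient headers (candidate for exclusion), or they do not appear at all. One caveat built in deliberately: a header-only message whose subject or body mentions a topic such as “appraisal” or “grievance” is still routed to review, because a message addressed to the Data Subject about the Data Subject can be about them without ever naming them in the body. The identifier list and review-term list are assumptions for the example; extend them (first-name-only variants, employee numbers) for a real case, accepting that wider lists mean more review.

```python
import re
from dataclasses import dataclass


@dataclass
class Message:
    """One message from a mailbox export (constructed for this example)."""
    msg_id: str
    sender: str
    recipients: list   # To and CC entries, as they appear in the headers
    subject: str
    body: str


# Constructed sample corpus; the Data Subject is "Jane Doe" (jane.doe@example.com).
SAMPLE_MESSAGES = [
    Message("m1", "Jane Doe <jane.doe@example.com>", ["Bob Smith <bob.smith@example.com>"],
            "Q3 figures", "Bob, the attached spreadsheet has the Q3 figures you asked for."),
    Message("m2", "Bob Smith <bob.smith@example.com>", ["Alice Jones <alice.jones@example.com>"],
            "Grievance", "Jane Doe has raised a grievance about the promotion decision."),
    Message("m3", "Bob Smith <bob.smith@example.com>", ["Alice Jones <alice.jones@example.com>"],
            "Car park invoice", "Invoice for the car park contract is attached."),
    Message("m4", "Bob Smith <bob.smith@example.com>", ["jane.doe@example.com"],
            "Your appraisal", "Hi, here are my notes from this morning's meeting."),
]

# Assumed identifier list for the Data Subject and assumed topic terms that force review.
DS_IDENTIFIERS = ["Jane Doe", "jane.doe@example.com"]
REVIEW_TERMS = ["appraisal", "grievance", "complaint", "disciplinary", "performance"]


def compile_terms(terms):
    """Case-insensitive whole-token match for any of the given literal terms."""
    escaped = "|".join(re.escape(t) for t in terms)
    return re.compile(rf"(?<!\w)(?:{escaped})(?!\w)", re.IGNORECASE)


def classify(msg, id_pattern, review_pattern):
    """Return REVIEW, EXCLUDE_HEADER_ONLY or NO_MATCH for one message."""
    header_text = " ".join([msg.sender, *msg.recipients])
    content_text = f"{msg.subject}\n{msg.body}"
    in_header = bool(id_pattern.search(header_text))
    in_content = bool(id_pattern.search(content_text))
    if in_content:
        # Any mention in subject or body (including the DS's own signature block)
        # goes to a human: the filter only ever removes the obvious header-only case.
        return "REVIEW"
    if in_header:
        if review_pattern.search(content_text):
            # Addressed to/from the DS and on a sensitive topic: may be "about" them.
            return "REVIEW"
        return "EXCLUDE_HEADER_ONLY"
    return "NO_MATCH"


def triage(messages, identifiers=DS_IDENTIFIERS, review_terms=REVIEW_TERMS):
    """Bucket message ids so the reviewer only sees what the filter could not settle."""
    id_pattern = compile_terms(identifiers)
    review_pattern = compile_terms(review_terms)
    buckets = {"REVIEW": [], "EXCLUDE_HEADER_ONLY": [], "NO_MATCH": []}
    for m in messages:
        buckets[classify(m, id_pattern, review_pattern)].append(m.msg_id)
    return buckets


if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_MESSAGES).items():
        print(f"{bucket}: {ids}")
```

The EXCLUDE_HEADER_ONLY bucket is the set you can describe in the covering letter in one sentence (“your name appears solely as sender or recipient in N work messages, which are not included”), while keeping the ids so the audit trail shows exactly what was filtered and why.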

Follow-Up 2: I want to see the whole CCTV footage for the day my car was parked there.

Picture the scene. The Data Subject’s car has been damaged by another driver in a car park who fails to leave their details. As the car park operates Automatic Number Plate Recognition (ANPR), and they were personally captured on the CCTV covering the car park, they submit a DSAR to get the footage to identify the other driver. The Data Subject’s logic is that their car registration is personal data and so they should be able to see all footage where their car, or they themselves, are present. Again, a Controller does not need to provide hours of CCTV showing an inanimate car. The CCTV where the Data Subject is present would, however, need to be provided. Instead, the Controller can provide a written summary that the Vehicle Registration was present in the footage from time X to time Y (and as ANPR is in place, this would be pretty easy to achieve). In any case, access to the footage is moot, as any third party present in the footage would need to be redacted (or, more likely, pixelated) so as to render them unidentifiable. Remember, the Data Subject is only entitled to copies of their Personal Data. They are not entitled to the Personal Data of another Data Subject.

Follow-Up 3: I want to see ALL messages between Person X & Person Y.

The Data Subject believes Person X and Person Y, who work together, are also in a personal relationship. The DS believes that this relationship presents a conflict of interest which has ultimately disadvantaged them personally in some way. It could be they believe their manager is having an affair with one of their team and, as a result, chose to promote their lover over the Data Subject. The DS wants all the messages between them to prove they were disadvantaged. Again, the Data Subject is not entitled to personal data about other people. If, however, Person X talked about the Data Subject to Person Y and the interaction was not covered by an exemption, then that message would need to be provided to the Data Subject.

What the above examples highlight is that just because a Data Subject wants Personal Data, doesn’t mean they can have it.

NB: Now before someone puts it in the comments, the above examples are simplistic. There will be nuances to every DSAR which could render Personal Data exempt or mean it must be provided – but that’s why you have your Data Protection Officer on hand to help deal with such complexity!

Handling the Response

Whether it’s one of the above follow-up requests, or something similar where it is clear the Data Subject is not entitled to the data they are requesting, how do you handle the situation to avoid future conflict? Here are a few tips, but the overarching theme is, essentially, plan ahead!

  • Pre-empt the possibility of follow-on requests. If you are aware of the context, you can head off a number of potential follow-up personal data requests.
  • Never just send an email with a Zip file saying “PSA your Personal Data”; write a full response. Have templates for common types of DSAR (Customer, Parent, Employee, Patient, Joe Public). For example, explain in an Employee DSAR cover letter that the employee’s name appears solely as a recipient/sender in work emails but that these messages are not included. The more information you can provide upfront, the less likely you are to get follow-ups.
  • Every time you use an exemption or exclude Personal Data, point to the specific guidance that permits the exemption. You will find this on your Supervisory Authority website (in the UK this is the ICO). Again, in your template letters, you could have common exemptions pre-populated. You could also tag documents as they are redacted with the exemption used and then use some automation to read those tags and populate your cover letter. This can save a lot of time if you are dealing with large document sets or many exemptions.
  • If there is still a follow-up, refer back to your original letter explaining why the data has not been provided. This will be useful to demonstrate an audit trail if required. If the follow-up relates to requests for other people’s data, again have a response ready explaining why this is not something that can be provided and provide references to the regulator guidance.
  • If you have erred, rectify the situation quickly. If an exemption was incorrectly applied, don’t double down hoping it will go away. Put things right.
  • If the Data Subject is still not satisfied, you need to politely restate why you cannot comply with their request then let them know they can complain to the Data Protection Regulator in their country. This is something you must do. Don’t forget!
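The tagging-and-automation idea in the third tip above, as an added example rather than anything from the original article or a specific redaction tool. It assumes a constructed review output in which each redacted document carries tags of the form EXEMPT:<code>, and a small catalogue mapping each code to the wording for the cover letter. The guidance references in the catalogue are placeholders to be replaced with the reference from your own Supervisory Authority’s published guidance. The one design choice worth noting: a tag whose code is not in the catalogue makes the generator refuse to produce a letter, because a mistyped exemption silently dropped from the cover letter is exactly the gap a follow-up complaint will find.

```python
from collections import defaultdict

TAG_PREFIX = "EXEMPT:"

# Constructed catalogue of exemption codes. The "guidance" strings are placeholders.
EXEMPTION_CATALOGUE = {
    "third-party": {
        "label": "Third-party personal data",
        "reason": "the material contains personal data of another individual which it "
                  "would not be reasonable to disclose without their consent",
        "guidance": "[Supervisory Authority reference for third-party data: placeholder]",
    },
    "confidential-reference": {
        "label": "Confidential reference",
        "reason": "the material is a reference provided in confidence",
        "guidance": "[Supervisory Authority reference for confidential references: placeholder]",
    },
    "legal-privilege": {
        "label": "Legal professional privilege",
        "reason": "the material is subject to legal professional privilege",
        "guidance": "[Supervisory Authority reference for legal privilege: placeholder]",
    },
}

# Constructed review output: the tags a reviewer applied while redacting each document.
SAMPLE_DOCUMENTS = [
    {"id": "DOC-0001", "tags": ["EXEMPT:third-party"]},
    {"id": "DOC-0002", "tags": ["EXEMPT:third-party", "EXEMPT:legal-privilege"]},
    {"id": "DOC-0003", "tags": ["redacted"]},          # a non-exemption tag, ignored
    {"id": "DOC-0004", "tags": ["EXEMPT:confidential-reference"]},
]


def collect_exemptions(documents):
    """Group document ids by exemption code; report tags the catalogue does not define."""
    per_code = defaultdict(list)
    unknown = []
    for doc in documents:
        for tag in doc["tags"]:
            if not tag.startswith(TAG_PREFIX):
                continue
            code = tag[len(TAG_PREFIX):]
            if code in EXEMPTION_CATALOGUE:
                per_code[code].append(doc["id"])
            else:
                unknown.append((doc["id"], tag))
    return dict(per_code), unknown


def render_exemption_section(documents):
    """Produce the 'exemptions applied' paragraphs for the cover letter."""
    per_code, unknown = collect_exemptions(documents)
    if unknown:
        # A tag nobody has defined must be fixed by a person, not silently omitted.
        raise ValueError(f"undefined exemption tags: {unknown}")
    if not per_code:
        return "No exemptions have been applied to the material provided."
    paragraphs = []
    for code in sorted(per_code):
        entry = EXEMPTION_CATALOGUE[code]
        ids = per_code[code]
        paragraphs.append(
            f"{entry['label']}: {len(ids)} document(s) ({', '.join(ids)}) have been "
            f"withheld or partly redacted because {entry['reason']}. See {entry['guidance']}."
        )
    return "\n\n".join(paragraphs)


if __name__ == "__main__":
    print(render_exemption_section(SAMPLE_DOCUMENTS))
```

Because the section is generated from the same tags the reviewer applied to the documents, the cover letter and the redaction log cannot drift apart, which is the audit trail the fourth tip relies on if a follow-up or a regulator complaint arrives.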

If a complaint is made, and you have followed the above steps, you should be in a good position to defend a complaint.

Summing Up…

Contentious DSARs are unfortunately a fact of life under GDPR. An organisation can have the most amazing Data Protection regime but if other aspects of the organisation are lacking then it is not uncommon for Data Subjects to utilise the DSAR process to achieve their original goal. In another article, I wrote about how organisations can avoid DSARs altogether. If you haven’t seen that, have a read here. If you are already struggling with contentious DSARs and would like to discuss how Fox Red Risk can support you with our Outsourced DPO Service or Data Protection Consultancy offerings, feel free to get in contact – we can help.

About Fox Red Risk

Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing control frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
