News, events, media, seminars and more
Data Subject Access Requests are currently under section 7 of the Data Protection Act 1998. They entitle employees, as “data subjects”, the right to:
When the GDPR comes into effect from the 25th May, this entitlement will continue as normal. Except companies now have 30 days to comply instead of 40 days.
“Personal data” is information that relates to a person in their personal, family, business or professional life where the individual is the focus or central theme of the information, rather than some other person or event.
For data subject access requests to be valid, it should be made in writing. If a request does not mention the Data Protection Act specifically or even say that it is a subject access request, it is nevertheless valid and should be treated as such if it is clear that the employee is asking for their own personal data. A request is also valid even if the employee has not sent it directly to the person who normally deals with data requests. It is therefore important for an employer to ensure individuals within the business recognise a data subject access request and treat it appropriately.
With regards to the authenticity of a request from a legitimate former employee, an employer should not assume that the person making the request are who they say they are. Employers should verify the identity of the “data subject” and should request a copy of the subject’s passport or driving license. Some requests may come through third parties, such as solicitors. DSARs relate to providing personal data, so employers will need to be satisfied that the request has been authorised by the individual.
Data Subject Access Requests are relatively straight forward to make but can be significantly time-consuming, expensive and problematic for employers. Their main purpose is to enable an employee to check that their data is being lawfully processed in accordance with the Data Protection Act, and as of 25th May, the GDPR. However, they can be used as a weapon by a disgruntled employee due to the cost and time implications on a business. They can also be used to gather necessary data prior to legal action engaged by an employee.
The ICO code of practice indicates that an individual who makes a written request and pays a fee is entitled to be:
However, the employee should provide sufficient information on the requested data so that the employer understands what is being requested in order to find it. For example, is the information requested contained in emails, and if so, what was the relevant time period? If the request is not sufficiently clear, the employer can ask for more details to help to locate the requested data.
If an employer fails to comply with a Data Subject Access Request by not meeting the deadline, or by not providing an employee with access to all relevant personal data, then they can incur significant penalties. The Independent Commissioners Office (ICO) has multiple tools available to enforce the GDPR requirements, including:
According to ICO official statistics, the mishandling of data subject access requests is the number one data protection issue complained about by the public. In 2016, 42% of the more than 18,000 data protection-related complaints lodged with the ICO concerned individuals’ rights to access their personal data held by organisations.
There are some documents that employers can legitimately exclude. These exemptions only apply in certain circumstances in relation to the nature of the personal data. Under the GDPR, organisations can withhold personal data if disclosing it would cause prejudice to a part or function of an organisation.
An employer cannot exclude data on the basis that it may be difficult to access or locate. Extensive efforts are required to locate the information, in a reasonable and proportionate manner. Due to the strict timescales and the potential scope of the data involved, online review platforms are an excellent option to source the specific data quickly and effectively.
Online document review platforms are powerful tools that are specifically designed to quickly filter large volumes of electronic data and help streamline the identification of documents. They are typically utilised within the electronic discovery process during litigation and dispute resolution matters. However, if an employer receives a data subject access request that requires them to search through a vast amount of historical data, they become a perfect solution. This could include the analysis of a range of data sources, such as back-up tapes and hard-drives.
As customisable platforms, they enable data to be identified by applying specific keywords and search terms relevant to your request. Therefore, if an employer needs to find all data relating to ‘Joe Bloggs’, this name can be applied as a keyword. The platform will then run an automated process to identify all the information relating to this individual quickly and efficiently. This is invaluable in efforts to ensure that the GDPR timescales are adhered to, no fines are imposed and all data is retrieved.
Another factor is that it enables employers to quickly identify only personal data relating to the employee, excluding non-relevant data, such as documents authored by the employee but not, in fact, personal information. This would not be disclosed by the employer as it relates solely to the business and could contain sensitive company information.
Response time: Under the new GDPR rules, an employer must respond promptly to a valid data subject access request. The time limit for compliance will change from 40 days to “without undue delay and in any event within one month”. Despite the standard time limit for responding being reduced, the one-month period may be extended by a further two months when complex and numerous requests are involved. During such matters, the employee must be contacted within one month of making their request and informed as to why an extension is required. The ability to extend the time limit will be extremely useful for employers dealing with particularly time-consuming requests.
Fee: Under current data protection law, businesses can charge a £10 fee for responding to a DSAR. However, under GDPR, a copy of the information will need to be provided free of charge, unless the request is ‘manifestly excessive or unfounded, particularly if it is repetitive.’ In this scenario, the ICO guidance explains that employers may charge a ‘reasonable’ fee.
There are a number of steps employers can take to ensure they are prepared for the GDPR changes and any data subject access requests:
Recognised as industry experts within Digital Forensics and Electronic Discovery, CYFOR has the necessary expertise to assist organisations dealing with data subject access requests. We have at our disposal specialised online document review platforms that are perfectly designed to search, filter and analyse large volumes of electronic data for subject access requests.
We can also provide a data flow map, which is designed to help you understand the general flow of personal data through your business, allowing you to improve efficiency in DSAR and GDPR compliance.
London: 0207 438 2045
Manchester: 0161 797 8123