The UK General Data Protection Regulation (‘UK GDPR’) gives every individual a number of key, fundamental rights relating to use of their personal data. One of the most commonly used rights is the right of access, or the ability to make a Data Subject Access Request (‘DSAR’), asking an organisation to provide a copy of the personal data it processes about that individual. DSARs are generally considered to be the key gateway to enforcing all the other UK GDPR individual rights, as it allows individuals to understand (and potentially complain about) how their personal data has been/is being used.
However, DSARs can also be logistically challenging and resource intensive for organisations, and can represent very significant and unexpected costs – particularly large DSARs can require review of tens of thousands of documents, and potentially tens of thousands of pounds in legal fees. The aim of this article is to give Local Authorities some key tips to potentially reducing some of the burden.
Tip #1 – Scope
Often, DSARs will be phrased to be as wide ranging as possible – stating ‘give me all the data you hold about me’ or similar phrases. However, organisations are allowed to (and we’d strongly recommend) clarifying the scope with the data subject. This might include asking them to define specific individual mailboxes they want you to search, or specifying keywords, date ranges, or contexts to look for information. This might, for example mean you only have to search an employee’s HR file, rather than their entire email inbox. If you do seek clarification from the data subject, you’ll need to do so before the request is 1 calendar month old, and the deadline is effectively on pause while waiting for the response.
Tip #2 – Proportionality
An organisation is only required to carry out ‘reasonable and proportionate’ searches for material in response to a DSAR. What is reasonable and proportionate will always depend on the specific context of a request; however if, as a general rule of thumb, you’re looking at tens of thousands of documents, it’s more likely to be unreasonable and proportionate, especially if the data subject has refused to limit the scope of their DSAR. Refusing a DSAR on these grounds will always be somewhat risky, but considering the costs of complying with a large DSAR, the risk may be more appetising to an organisation than trying to comply with the request.
Tip #3 – Search Strategy
Your search strategy will be key in reducing the potential scope of the DSAR. Whilst the level of sophistication in search ability will vary between organisations, there are some common parameters that you can place on searches to reduce scope but still meet the requirement to “reasonable and proportionate”:
- Date ranges – if the subject has given you a date range, then you can use that if reasonable. If they refuse, you may be able to use the context of the DSAR to identify a suitable range. For example, if you have a member of staff that has worked for the organisation for 20 years, they may have asked for “everything”, but you know that they are going through a disciplinary process that relates to events over the last 2 years. It’s therefore reasonable to restrict the search to that period. Also remember that the “final” date is the date of the DSAR unless otherwise specified, so that can be your cut off date.
- Location – it may not be necessary to carry out a wholesale search of your systems. A reasonable and proportionate search will identify where information that is the requestor’s personal data is most likely to be found, and limit the search to those areas. In an employment context, a data subject’s own inbox is unlikely to identify any personal data about which they are not already aware, and most of the information there will be related to their work, and not necessarily personal data. You could, therefore, exclude an individual’s mailbox from a search. If the request is linked to an HR process, then you could limit the searches to HR files. If there is a complaint or grievance ongoing involving more than one party, a DSAR will often be made as a means of obtaining additional information about the issue. However, if you consider that searching a third party’s inbox or documents will only identify exempt information, it may be reasonable to exclude those mailboxes entirely. If the DSAR is from a service user, and they have been corresponding with your planning team recently, limiting searches to the planning team’s systems would be reasonable.
- Search terms – when selecting search terms, you should be using those that will identify and return the most personal data. If an individual has a name that’s unique to your organisation, that’s a good place to start. Even if an individual requests that you use specific search terms, you are not obliged to use these. Searches for initials, for example, are not reasonable and proportionate if the initials form a commonly used word or abbreviation (such as “AT” or “ST”). They are also not reasonable and proportionate if you are unlikely to ever recorded information about them using their initials. Searches for a first name only also may not be appropriate if the results are not targeted. If Bevan Brittan had 3 employees named “Vicki” and 25 client contacts also with the name “Vicki”, a search for “Vicki” on its own will not identify my personal data, so further search terms or parameters should be added.
- Software solutions – Bevan Brittan use a nifty piece of software that can help remove duplicate documents, limit date ranges, and manipulate larger sets of information to reduce the amount of information that you are required to review line by line. If you get large volumes of DSARs, it is worth looking at investing in something similar, or get in touch with one of the team here to see how we might be able to help reduce your review bundle.
Tip #4 Exemptions
There are several significant exemptions which permit or require an organisation to withhold information in response to a DSAR. Considering how you apply these exemptions can also be helpful in reducing the burden of responding. The entitlement is to personal data, and not necessarily the documents containing the personal data, so it may be easier to extract the personal data into a fresh table. Whether this is more or less time consuming than redaction will depend upon what you are extracting, but extraction can also allow you to provide some mixed personal data, because taking it out of context may enable you to meaningfully anonymise the information.
Conclusion
DSARs can appear unwieldy, and daunting in terms of the resources required to remain compliant with the related obligations. However, there will always be tools and venues available to streamline the process and seeking advice on the proper approach can leave you in a robust, compliant and practicable position.
Vicki Bowles is a partner at Bevan Brittan.