Since the GDPR rules were introduced in May 2018, data subject access requests (DSARs) have been on the rise. The ICO reports that data protection complaints from the public have gone up: 41,000 since May 2018, compared with 21,000 for the preceding year. Of these, 38% related to DSARs compared with 39% the preceding year; this establishes that DSARs make up a significant proportion of data protection complaints and that this has not really changed since the GDPR came into force.
In employment litigation matters in particular, DSARs appear to be the fashion, whereby individuals request information for the period of their entire employment or for a particular period of time when a disciplinary or grievance matter may have arisen. These requests tend to include a request for all records of discussions shared via email, text messages and/or WhatsApp messages that reference the individual. From a claimant’s point of view, a DSAR can be a useful tool in helping bring about settlement of a dispute, particularly if the respondent employer has repeatedly breached the employment contract or has broken employment laws and does not want to be exposed.
Refusing a request for information
Organisations may well have not understood the work required to respond to a DSAR and that there is not much scope for rejecting a DSAR. An organisation may only refuse to respond to a DSAR if it is “excessive” or “manifestly unfounded”. “Excessive” has a very high threshold and typically applies to repeated requests. In other words, if an organisation has already responded to a DSAR and has provided the information, they are not obliged to repeat the process for that same individual. To be “manifestly unfounded” would imply that the request is vexatious, malicious or designed to harass the data controller or cause disruption, and under Article 12(5) of the GDPR, the data controller has the burden of proof. However, in the context of a genuine dispute, a DSAR will not be deemed vexatious or malicious if the request is only for data that the data subject is entitled to, even if it is substantial, e .g. in cases where an employee has worked for an organisation for, say, 10-15 years.
Extension of time and fees
An organisation may request an extension of time beyond the requisite one month to respond to a DSAR only on the grounds that the DSAR is “complex”. The word, complex, is not defined under the GDPR but the ICO indicates that a complex request could involve for example, a significant number of tasks, manpower or hours and/or would require recruitment of an extra staff member(s) to complete it. If a request is “complex” it does not mean that it is “excessive”.
Under the new 2018 regulations, organisations can no longer charge a fee no matter how large the task is unless the DSAR satisfies the criteria for being excessive or manifestly unfounded (see ‘Refusing a request’ above) and then only a reasonable fee may be charged.
Digitised v paper format and data retention
The GDPR is clear that organisations must be able to efficiently retrieve, update and delete personal data. There are many IT tools on the market that can search PDFs, back-up files and archives so there is likely to be little sympathy, particularly from the ICO, for large organisations with a multi-million pound turnover claiming to be unable to digitise data; adopt the latest IT tools to speed up the searching and collating process and ensure that the personal data they hold is kept securely. Any paper documents would be expected to be stored in locked, fireproof filing cabinets. Given that an organisation must respond to a DSAR within one month, it is imperative for organisations to be able to find and collate data quickly and accurately. The best way to achieve this would be to progress to digitised personal data and to phase out paper formats wherever possible.
In terms of data retention, the GDPR requires that organisations must not retain personal data for longer than necessary. As a guide, organisations should limit personal data retention to a maximum of 6 years (except of course where data must be retained in order to comply with the law). This may also help reduce the burden of responding to a DSAR.
So why do organisations struggle with DSARs?
It is possible that some organisations may be collating more information than necessary. For example, personal data such as email addresses mean that the organisation need only list emails sent to/from the data subject and not necessarily the email content. For example, a company holiday policy sent to employees via email would not typically contain personal data specific to any employee so there is no need to include the email content. The DSAR results can be sent electronically so there is no need to print all the relevant documents and post them – they can be scanned and emailed.
An interesting point with regards to ‘personal data’ is how new technologies/ analytics will continue to push the boundaries of what ‘personal data’ actually means, particularly when it comes to complying with a DSAR. For example, will voice recordings as a means of identifying/authenticating individuals be included?
Organisations may need advice on digitising paper documents and using effective technology for speeding up data searches in response to a DSAR. The ICO has published its Technology Strategy for 2018 to 2021 which sets out eight “technology goals” and how the ICO intends to achieve them.
The strategy highlights three priority areas on which it has focused in 2018 and will continue to do so in 2019. There will be an action plan for each priority area which will be reviewed and updated annually. The three areas are:
- Artificial Intelligence, big data and machine learning; and
- Web and cross device tracking
The intention is to increase public awareness and guidance to organisations, recruit and train specialists and staff, facilitate research and establish networks (both in the UK and internationally) to share knowledge and to explore new and innovative technologies as they develop.
This and also the fundamental definition of personal data is something on which further continuing guidance will be needed as new technologies for recording different types of personal data develop.