Data Subject Access Requests (“DSARs”) are nothing new, but the volume of noise arising is. Following the implementation of the EU General Data Protection Regulation (“GDPR”), the Information Commissioner’s Office (“ICO”) has seen a 98% rise in complaints relating specifically to DSARs. In addition, many law firms have seen a substantial rise in the number of DSARs being received. This is for a number of reasons:
A law firm will inevitably hold much personal data relating to its clients, which will often be confidential in nature;
The GDPR has increased data subjects’ awareness of their privacy rights;
The GDPR has removed the £10 fee that used to be imposed, meaning that Data Controllers can no longer charge for a DSAR; and
Given the obligations now imposed on data controllers as a result of the GDPR, DSARs are increasingly being used as a tactic in contentious matters.
For those not familiar with DSARs…
A DSAR is a request from a data subject to be provided with a copy of their personal data being held and/or processed by a Data Controller, together with confirmation of why it is being held and/or processed in that way. A request does not need to be labelled as a ‘Data Subject Access Request’ in order to constitute one, but the request must be made in writing.
Per Article 15 of the GDPR, individuals have a right to know what data is being held about them and how that data is being used. When making a DSAR, a data subject can seek to obtain any or all of the following:
a) confirmation that the recipient is processing their personal data;
b) a copy of that personal data; and
c) supplementary information, such as the purpose of the processing and categories of data concerned.
Given that DSARs are anything but declining, it is important for law firms to understand the scope of their obligations, as well as the tools available in order to respond appropriately.
A DSAR must be responded to within one month. This can be extended if the request is particularly complex. In the event that a firm wants to extend the time period for responding, it should write to the data subject within one month of receipt of the request, explaining in detail the difficulties in responding within the one-month timeframe and confirming that the response will be given within three months.
If a DSAR is made electronically, the response (unless otherwise requested) must also be made electronically.
All responses must be transparent, written in clear, plain language and provided in an easily accessible format.
Exceptions for lawyers
While the scope of information which a data subject is entitled to obtain is at first glance quite broad, there are certain exceptions, a number of which are applicable to the legal profession. These are as follows:
The obligation in response to a DSAR concerns the data subject’s ‘personal’ data. This may appear obvious, but it means that there is no obligation to provide the document in which that data resides, nor any other data contained in that document.
A Data Controller is not required to provide the personal data if it would unavoidably disclose a third party’s personal data. This rule does not apply where the third party has consented to the disclosure. Furthermore, the onus is on the solicitor to prove why measures such as redacting will not provide sufficient protection.
There is an exception for legally privileged information. However, in the case of Ittihadieh, the court recognised that not all information exchanged between a solicitor and a client is subject to privilege. The case clarified that solicitors facing a DSAR must carry out a proportionate search to separate the privileged and non-privileged data.
DSARs are subject to the principle of proportionality. Although solicitors have been discouraged from refusing to respond to a DSAR on the grounds of proportionality, the courts have nevertheless recognised that the option is open to firms who can positively show that it will be disproportionate to address the request in full. In Gaines-Cooper v Commissioners for HMRC, the court held that partial compliance with an excessive DSAR was a proportionate response, despite the fact that not all relevant documentation had been reviewed.
Finally, Article 57 of the GDPR allows data controllers to refuse to respond to a DSAR, or charge a fee for doing so, if they can demonstrate that the request is “manifestly unfounded or excessive in nature”. The only example of this given to date involves the making of repetitive DSARs.
Clarification on the scope of the DSAR
The GDPR provides that before responding to a DSAR, in cases where the data controller processes a large quantity of an individual’s data, the Data Controller can ask the data subject to specify the information or processing activities to which the request relates. Unfortunately, the legislation does not address whether making such a request for clarification extends the time limit for responding to the request. Furthermore, it is presently unclear whether a failure by the data subject to respond to a clarification request provides the Data Controller with an excuse not to comply with the request. Regardless of the uncertainties this option creates, it is a useful tool which solicitors may be able to employ where appropriate to narrow the scope of search and disclosure for complex DSARs.
We have a dedicated team dealing with data protection issues including DSARs. Our fixed price packages allow organisations to pass their DSARs over to us, taking away the time, stress and effort of managing this process.