Let’s face it, there is nothing straightforward or simple about responding to a data subject access request (DSAR). The words ‘I want all of my data’ equate to hours of trawling systems, reviewing content, redacting files, and collating information before any disclosure can take place.
Dealing with DSARs can be a costly exercise, both in terms of resources and time. Furthermore, as you cannot charge a fee, it means you cannot recoup any of the costs associated with providing the data subject with their data. Not to mention the required 30-day turnaround time (approx. 20 business days!) which adds further pressure on your privacy team.
Whilst responding to DSARs can be onerous and time-consuming, you cannot take any shortcuts. It is vitally important that DSARs are handled fairly and independently, particularly where the request is internal and may involve HR records, which can vastly narrow down your options for individuals who can process the DSAR internally. To demonstrate independence and transparency, HR representatives, for example, should not process an employee’s DSAR.
There are other factors to consider when responding to a DSAR. Human intervention for example, rather than electronic, has a number of clear advantages.
As per the Information Commissioner’s Office (ICO) guidance, it is essential to understand the context of a DSAR. This can only be achieved where the raw material is read by the human eye. Simply putting a name into redaction software is really not sufficient.
Factors to Consider
- Has any personal data been provided to you in confidence, such as from a confidential informant? You particularly need to think about HR requests, grievances, and formal complaints.
- Is dealing with the request going to be time-consuming or particularly extensive? Is it a vexatious request? Is it manifestly unfounded or excessive and therefore does not need to be responded to?
- Is the request being made on behalf of someone else? How do you manage third-party requests and consent? A careful balancing exercise should be carried out before disclosure.
- What if the request concerns a child?
- What if your response to the request contains the names, or other personal information, of other staff or staff from other stakeholders?
Pivotal to the redaction of documentation is deciding what elements of the document need to be removed and a legal exemption (from the list in Schedule 2 of the Data Protection Act 2018) applied justifying the removal.
This is a time-sensitive process. Redaction should be performed and overseen by someone who is knowledgeable about the records and the statutory exemptions available, and who can determine what material should or should not be redacted.
Removing just the third party’s name may not be sufficient, as they may still be identifiable from the rest of the information. Again, a task that can only be achieved with human input and judgement, not solely by automated decision-making (i.e., redaction software alone).
Also, don’t forget the ICO guidance. A name on its own is not always personal data disclosable in response to a DSAR. To understand this, you must review the context of the DSAR, and your collated documentation, and redact with this in mind.