TOP TIPS – DATA SUBJECT ACCESS REQUESTS

Since the introduction of GDPR, and therefore the application of Article 15 (that’s the one about Data Subject Access Requests) many organisations have battled to get a robust process in place. Data Subject Access Requests, or “DSARs”, come with a list of compliance issues, and sometimes it can feel a little overwhelming.

There are lots of things to consider, and this list of top tips is certainly not exhaustive, but it provides some basic checkpoints. Ultimately, DSARs do not need to be a burdensome exercise, but this depends on the resources, preparation and understanding you have in place.

This guide will give you a better understanding of Data Subject Access Requests, some general rules for DSAR redaction, and the potential compliance issues that come with them. For further information about our DSAR services, click here.

If you have a question that isn’t answered below, please get in touch and we’ll be happy to help.

DSARs can be submitted in any shape or form, which can mean that identifying them is sometimes troublesome. Ensuring that all staff understand what makes up a DSAR, and what to do if they receive one, means that you are off to a good start and avoids eating into the time you have to complete the request. Consider including DSAR identification in your basic data protection training to ensure everyone is prepared for the possibility that they could receive a request.

The GDPR is very specific when it comes to responding to DSARs.

Article 12 states: “The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request.”

So, as soon as that request lands in your inbox – or maybe on a reception desk – the clock starts ticking. Having a structured way to record requests as they come in, and their progress, is the best way to keep track of this. There are certain circumstances when this timeframe can be changed to three months, but you must inform the data subject of this.

You may have also heard people talk about the ePrivacy Directive or the EU Cookie Law. This Directive relates to individuals who reside within the EU and is designed to protect online privacy. If you use cookies to track UK and EU residents, it is important that you adhere to both pieces of legislation.

The Right of Access is the right to obtain ‘personal data’. Some key things to consider when redacting are:

  • Context is key. Is the data relevant to the data subject and the request? Does the redaction process make the information you are disclosing unreadable? If so, consider whether the information is relevant or can be found elsewhere in a clearer format.
  • In releasing the data are you disclosing information that can identify another individual? If so:
      1. Have they consented to their data being released?
      2. Is it reasonable to disclose the information without the consent of the other individual?

However, there are exemptions to this, and they should be considered on a case-by-case basis.

This is key to knowing what to release, and what to redact or remove. We see many organisations releasing reams of documents that are not always necessary. Remember, the Right of Access is the right to obtain ‘personal data’, not entire reports, documents etc. Make sure you really familiarise yourself with the definition of personal data. You can find the legal definition, as per GDPR, under Article 4 (1). Fully understanding what constitutes personal data is paramount in ensuring compliance, as each DSAR is different, and what is appropriate for one may not be for another.

Context is extremely important, and remember: you can always release data at a later date, but you cannot take it back.

One of the hardest things to establish when responding to numerous DSARs is consistency. If you have multiple staff members working on documents, it can be difficult to ensure you have a consistent approach to redaction. Personal interpretation of the law can lead to differing approaches to redaction, especially where contextual data is concerned. Employing a robust policy and a clearly outlined procedure allows you to set some baseline standards, which communicate your expectations, as a Data Controller, to your redaction staff. Consider including a table which details personal data that should always be redacted, or perhaps specific identifiers that are common within your organisation. Allowing redaction staff to contribute towards this will make a good working document that adds value to the process.

One of the main principles of GDPR is “Accountability”, which asks that Controllers demonstrate their compliance. Individual Rights Requests are a key component of GDPR, and so should be recorded accurately, which helps your organisation demonstrate compliance. This can be achieved relatively easily and creates a good management tool to track DSAR progress, maintain oversight of the volume of requests you receive, and monitor the timeframes you are meeting.

Think about keeping a spreadsheet (or similar), upon which you could detail when the requests are received, the status of the request, whether you have applied any exemptions, and the time taken to complete the request.

  • Educate your staff (purchase training where necessary)
  • Know your timeframes
  • Have the correct policies and procedures in place
  • Check the scope of the request
  • If you do not know, get external support

DSARs can be submitted in any shape or form, so it is vital that you familiarise yourself with the request. It can be easy to presume that the data subject is requesting all the data you hold about them; however, they are often only looking for something specific. If the request is unclear, contact the data subject to determine the scope.

Understanding the request before you start redacting is key, and it could save you a lot of time!

Under the legislation, you are obligated to provide as much of the data requested as possible. However, in many circumstances, such as health and social care records, the release of an individual’s data could also identify another individual who hasn’t made the request. When this occurs, you must apply redactions to the data to carefully disclose information that is relevant to only the data subject.

Now that you have understood the scope of the request, ensure you make a copy of the collected data to apply the redactions to; failing to do so could permanently damage the original data. For manual redactions using paper copies, make sure each page is single-sided. This will minimise the risk of removing information on one side and leaving the other side unreadable. We recommend, where possible, digitising your paper copies and using redaction software. For more information or advice on redaction software, please get in touch.

When responding to a DSAR, there are many exemptions that give the data controller the right to withhold information that:

  • Could bring the safety of the data subject or other individuals into question.
  • Has been provided with the expectation of confidentiality.
  • The controller holds on behalf of a third party (e.g. police or court documents).
  • Would prejudice the prevention or detection of a crime.
  • Would prejudice ongoing negotiations.

Be sure to document the reasoning behind any exemptions you are applying, as the data subject has the right to appeal such decisions. For a full list of exemptions, please visit the ICO’s website.

When using redaction software, be sure to remove metadata – hidden text/images/data. This will remove the risk of re-identification by hidden methods. Most redaction software has this functionality, so be sure to apply this before you start your redactions.

When marking a document for redaction, make sure your redaction boxes cover the desired text completely; this will minimise the risk of data being accidentally released. It is best practice to have the redactions checked by a second expert, or equivalent, to ensure that the quality assurance process and the DSAR policy are adhered to.
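A quality-assurance check in the spirit of the two tips above: an added example, not the page's or any redaction vendor's code, that scans a redacted PDF's raw bytes for leftover /Info metadata, XMP blocks, and redacted names still present in FlateDecode or uncompressed content streams. The PDF bytes are constructed here; real documents may hold metadata in compressed object streams or text as images, so treat a clean result as one check among several, not proof.

```python
import re
import zlib

# /Info dictionary keys that commonly carry identifying data (author names, document titles).
INFO_KEYS = (b"/Author", b"/Title", b"/Subject", b"/Keywords", b"/Creator", b"/Producer")

def pdf_streams(pdf: bytes):
    """Yield the decoded bytes of each stream object; only FlateDecode and raw streams are handled."""
    pattern = rb"<<((?:(?!<<).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream"
    for m in re.finditer(pattern, pdf, re.S):
        stream_dict, body = m.group(1), m.group(2)
        if b"/FlateDecode" in stream_dict:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # undecodable stream: flag for manual inspection rather than guessing
        yield body

def residual_findings(pdf: bytes, redacted_terms):
    """Return (kind, detail) pairs for metadata and text that survived the redaction pass."""
    findings = []
    for key in INFO_KEYS:
        if re.search(re.escape(key) + rb"\s*\([^)]+\)", pdf):  # key with a non-empty string value
            findings.append(("metadata", key.decode()))
    if b"<x:xmpmeta" in pdf or b"/Metadata" in pdf:
        findings.append(("metadata", "XMP"))
    for body in pdf_streams(pdf):
        for term in redacted_terms:
            if term.encode() in body:
                findings.append(("text", term))
    return findings

def build_sample_pdf(page_text: bytes, author: bytes) -> bytes:
    """Constructed, minimal PDF-like bytes for the demo (not a complete, valid PDF)."""
    stream = zlib.compress(b"BT /F1 12 Tf (" + page_text + b") Tj ET")
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(stream)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + stream + b"\nendstream\nendobj\n"
            b"5 0 obj << /Author (" + author + b") /Producer (demo) >> endobj\n"
            b"trailer << /Info 5 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    # Constructed example: "Jane Doe" is the third party the redaction was supposed to remove.
    before = build_sample_pdf(b"Meeting notes about Jane Doe", b"Jane Doe")
    print(residual_findings(before, ["Jane Doe"]))
```

Any finding means the file is not ready to release: strip the /Info and XMP metadata in the redaction tool and re-run the check until only expected entries (such as a neutral /Producer) remain.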

If you require specific guidance on DSARs please get in contact. We provide both training and an expert in-house redaction service.