[GDPR] Basics – What is a Data Subject Access Request (DSAR) – Part 2

What is a Data Subject Access Request?

This is part 2 of a series of articles on ‘What is a Data Subject Access Request’; you can read Part 1 here.

The Importance of staff training

I’ve said it before, but it’s very important that you have a procedure in place and that your staff are trained on what to do when they receive a request. Unless you have a very large company, it’s unlikely that you’ll have staff dedicated to dealing with DSARs; it’s most likely going to be your Data Protection Officer or data protection lead, and they will need to be informed of the request as soon as possible. It’s likely that they will then ask another staff member, one who is able to extract the information from the different digital systems, to do so and provide them with it, so these staff members also need to be trained on how to safely extract the information required and in what format to do it. Now I know what you’re thinking – it’s a quick and easy thing and they’ll all learn together the first time it happens – except 30 days isn’t a long time when you’re busy running a company and other people have other roles to fill. It doesn’t leave much time for the double-checking that needs to take place and for getting it all back to the data subject (of course remembering to verify them in the first place). Make sure your staff are trained in identifying a request in the first place, and that they’re comfortable with the procedure (and that the procedure works). If you are the victim of a cyber attack and suddenly a number of your customers/clients/data subjects want to know everything you knew about them, then you’ll very quickly find yourself overwhelmed (and even missing requests) if you haven’t trained your staff.

Just to really drum in that staff training element – if you do end up under investigation by the ICO, who do you think they’re going to be more lenient on: the company that trained its staff or the company that didn’t?

In what format should I provide it to the data subject?

There is a crossover here from another of the new GDPR rights – the Right to Data Portability. This was designed to allow data subjects the ease and freedom to transfer their data between organisations (such as between banks, energy suppliers etc). The crossover, however, means that you need to provide the requested data to the requester in a clear and universal format (or a reasonable alternative if requested).

On top of this, if the subject access request is made in electronic form, then the information that you provide back should also be available in an electronic format. If your organisation holds no digital records or storage and is completely paper-based, and the subject access request itself was paper-based, then you do not need to make your response in a digital format.

When you send the response to the DSAR back, you need to do so in a secure and recorded manner. The more sensitive the data, the more precautions you should take: if your dump of data and breakdown of how it was processed is accidentally sent to the wrong person, this would infringe on the data subject’s rights and freedoms in a major way. (Think about NHS and medical information in particular here and how sensitive that would be, or even bank details, where the data subject’s risk of identity theft grows.) If digital, then ideally it should be sent as a link to an encrypted file that is only available to download for a set period of time, where the password required to decrypt or access the file is sent via text message or provided over an authenticated phone call to the client (a multi-factor scenario). Where the information is posted, it should be sent in an envelope marked as confidential but giving no further clue to its contents; again, depending on its level of risk and sensitivity, it should be sent using a service that allows tracking and provides evidence of delivery.
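The digital delivery described above can be sketched as follows. This is an added example, not code from the original article: it issues an expiring, HMAC-signed download link plus a separate passphrase for the second channel, and records every access attempt. The host name, request ID format and function names are hypothetical, and encrypting the export file itself with the passphrase is assumed to be done by a separate tool.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

SIGNING_KEY = secrets.token_bytes(32)            # hypothetical server-side secret
BASE_URL = "https://dsar.example.org/download"   # placeholder host


def _sign(request_id, expires):
    msg = f"{request_id}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(request_id, valid_seconds, now=None):
    """Return (url, passphrase); send them over two different channels."""
    now = int(time.time() if now is None else now)
    expires = now + valid_seconds
    query = urlencode({"id": request_id, "exp": expires,
                       "sig": _sign(request_id, expires)})
    # 5 groups x 16 bits = 80 random bits, short enough to read out on a call.
    passphrase = "-".join(secrets.token_hex(2) for _ in range(5))
    return f"{BASE_URL}?{query}", passphrase


def check_link(url, audit_log, now=None):
    """Validate a download URL and record the attempt, whatever the outcome."""
    now = int(time.time() if now is None else now)
    params = parse_qs(urlparse(url).query)
    request_id = params.get("id", ["?"])[0]
    try:
        expires = int(params["exp"][0])
        supplied = params["sig"][0].encode()
    except (KeyError, ValueError):
        result = "malformed"
    else:
        expected = _sign(request_id, expires).encode()
        if not hmac.compare_digest(supplied, expected):   # constant-time compare
            result = "bad-signature"
        elif now > expires:
            result = "expired"
        else:
            result = "ok"
    audit_log.append((now, request_id, result))
    return result
```

The passphrase never appears in the link, so an e-mail that reaches the wrong inbox does not expose the file on its own, and the audit log gives you the "recorded" half of secure and recorded delivery.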

A Strange Scenario to make you think

While I write this guide, the Covid-19 pandemic is ongoing and the UK remains under social distancing. It’s now a regular and accepted occurrence that your courier or postman will sign for your parcel and leave it on your step. Some will wait to see you open the door and take it, while others are already halfway down the next drive or in their van and down the road. (My postie, for example, waits about 3 metres away and we exchange pleasantries, or he tells me he will sign for something for me now he’s seen me; all in all, Glenn is a great postie.) But this has led to quite an interesting problem.

I’ve had an incident reported to me where someone requested their records from the NHS to be posted to them. The NHS obliged within the 30 days; HOWEVER, the Royal Mail delivered them to an incorrect address – the item was signed for and tracked, but was signed for by the Postman as he posted it through the wrong door (the NHS had labelled it with the correct name and address). After the consignment didn’t arrive, the data subject reported it to the NHS and they sent another… which the Royal Mail then again delivered to the wrong address. The issue is that 1) the actual address where it was delivered is unknown, 2) this data subject’s sensitive personal data is now in the hands of an unauthorised party, and 3) the Royal Mail claims to have successfully delivered it and has tracking (albeit signed by the Postman, which is accepted evidence at the moment) to say as much. I’m told the NHS won’t send another copy and consider that they’ve completed the DSAR to the letter of the law; the Royal Mail won’t classify it as lost, nor do they know where they actually delivered it.

So who’s at fault? I’ve told the person who reported it to me to speak to the ICO and get advice directly from them, because Covid-19 and the Government restrictions make this a massive grey area. You could make the argument that the NHS did everything they were meant to and followed a secure method, and that in pre-COVID times the chances of a Postman or Courier signing for something and popping it through the door instead of getting confirmation of delivery were nil. It is a safe way of delivering documents (in fact, while the RM may not do it, this is how Passports and other legal documents are delivered by the Government). Then comes the argument that we’re in June, the lockdown started in March and the situation around delivery is common knowledge, so did the NHS do enough to protect this person’s rights and freedoms? Could they not have sent it with a courier that verifies the receipt and does not allow the courier to self-sign? Could they have sought permission from the requester to send a thumb-drive containing an encrypted copy, or a digital copy instead of a physical one? What about the Royal Mail? They must continue to be responsible for the sending of secure goods that are very sensitive, and they must have a procedure in place already available to the NHS and other organisations. Either way, this scenario is a minefield of both blame and innocence, and one to be reported to the ICO.

The moral of that scenario: expect the unexpected, and if you can’t, then you must at least update your procedure in times of pandemic. You are responsible for your data subjects’ information, even in transit, until it arrives with them.

Can I charge for fulfilling a DSAR?

In short – No. While the Data Protection Act 98 allowed you to charge a flat fee for any request as well as any copies of that request, the GDPR removes that and requires you to provide it free of charge.

Longer version – still unlikely, but it is possible for a controller to charge a reasonable fee based on administrative costs for unreasonably large or repetitive requests. If you do charge for a DSAR, it’s likely you’ll find the data subject challenging this, and even more likely that, whatever you say and evidence, they’ll take it to the ICO, so if you choose to charge, make sure your defence is rock-solid.

Can I take longer than 30 days to deliver the results of a DSAR to a data subject?

Where the DSAR can be evidenced as complex or large, the deadline can be extended by 30 days – twice. This, however, is the maximum it can be extended. Do remember, however, that if you can’t evidence the complexity of the request and that the time is needed to deliver, then it’s likely the data subject will report you to the ICO and you’ll have to defend it to them, so only use extensions where legitimate.

Can I refuse a DSAR?

Yes, you can, but as with charging, you’d better make damn sure you’ve got a good enough reason, and you need to alert the data subject that you intend to refuse the DSAR.

You can legally refuse a DSAR if it would “adversely affect the rights and freedoms of others”, which in certain scenarios includes the protection of trade secrets and confidential business activity. In most scenarios, however, this would mean that you accepted the DSAR but provided a redacted set of records and results that had the information covering those trade secrets, confidential business activity or personally identifiable information about another subject removed.