
Our Data Protection expert Kerry Smith has put together this helpful guide.
What to do in the event of an Article 15 Request (commonly known as a Data Subject Access Request “DSAR”)
1. Verify the DSAR
Verify the DSAR is a legitimate request. Where reasonable to do so, ask the Requester (Data Subject) to provide evidence of their identity and ask for clarification as to the scope. It may be an ‘all data’ request; however, the Requester may be seeking to obtain something specific or something in relation to a particular matter.
2. Date the DSAR and diarise
There is only one month to respond to a DSAR; this is not long given the work involved!
Steps taken to verify the DSAR do not delay the start time, so do not wait for a response, as this could materially impact your ability to meet the one-month timescale.
3. Create a DSAR Team
Internally you will want to create a DSAR taskforce. This will include the Data Protection Officer, the most senior IT resource, representation from the Board of Directors, drawing in other resource as required. You may want to appoint outside professional help.
4. Scope out the DSAR Project
A DSAR requires a review of all electronic and manual (paper) records that refer to the personal data of the data subject.
Create a documented plan: the scope and decision making need to be recorded, as they may be subject to review at a later date.
You will need to be able to provide an answer to the following points:
• The purposes for processing (i.e. storing, using, transferring data)
• The categories of personal data processed (i.e. employment information, information required for AML purposes)
• Recipients or classes of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries (i.e. Banks, Insurers, Investment Managers, Pension Providers)
• The envisaged period for which the personal data will be stored where possible, or, if not possible, the criteria used to determine that period (i.e. what is the document retention policy in place)
• The source of the data (if available) if they were not obtained directly from the data subject (i.e. has anyone else provided you with the personal data)
• Details of any automated processing or profiling and the logic involved
• Details of the appropriate safeguards (Applied GDPR, article 46) relating to transfers of personal data to any third country (i.e. any country outside of the EU which may not have equivalent safeguards in place)
• Details of the rights to rectification, erasure and restriction of, and/or objection to, processing; and
• The right to lodge a complaint with the Commissioner
You will need details of all relevant servers, drives, email systems, databases and manual systems in place where personal data could be stored. This includes archived filing systems.
Set the search criteria. This will include all variations of the data subject’s name:
- Full name
- Abbreviated name
- Initials
- Nicknames
- Any other identifiers such as employee number or title
Set a date range search where appropriate. For example, you may only want to obtain search results for a defined period i.e. from the commencement of employment onwards.
5. Undertake the search
Electronic searches
All electronic systems will need to be searched, including Outlook, drives and document management systems.
Manual searches
All manual records will need to be searched, including HR files, finance files, client files, compliance files etc.
Note that this only includes data in an identifiable storage system, i.e. any piles of unidentified paperwork will not need to be reviewed.
All data and potential hits should be recorded in accessible form for the DSAR Project Team to review.
6. Identify the personal information
The first decision to make, once the searches are complete and you have gathered all the information together, is what information constitutes the “personal data” of the data subject making the DSAR.
If it is not “personal data”, the right of access does not apply to that information.
Care needs to be taken, and where you are in any doubt you should seek advice from an Advocate with experience in this area.
Some useful points worth considering:
Personal data should ‘relate’ to the data subject. Data relates to an individual if it refers to the identity, characteristics or behaviour of an individual, or if the information is used to determine or influence the way in which that person is treated or perceived. Guidance generally states that to ‘relate to’ it should be ‘about’ that person. It is more than simply identifying that person; it must concern them in some way.
You may be able to apply some restrictions and exemptions. Some of the more common ones include:
- Third party data
Third party identifying information should not be provided unless the third party agrees or it is reasonable to make the disclosure without the consent of the third party. If not, you should consider balancing the requirement to disclose with the rights and freedoms of the third party. You may need to consider redacting the document in certain scenarios.
- Management information
This includes management forecasting or planning (inc. changes to staffing & redundancies) but only if it would prejudice an investigation.
- Legal or professional privilege
Information for which legal professional privilege could be claimed in legal proceedings.
- Publicly available information
Where an organisation is obliged by or under an enactment to make information available to the public, personal data that is included in that information is exempt from the right of access.
- Confidential References
Applies to confidential references given by the data controller.
If you decide to apply any of the exemptions or restrictions, then you must document and record the reasons why.
7. Supply the personal information to the data subject.
You do not need to provide full copies of all the documents containing personal data.
You should consider how best to provide the documentation ensuring it is presented in a secure, easily understandable format.
You will need to decide whether this is:
• Print all information, review, redact, apply restrictions and either provide a paper copy of the documents that remain, or scan the information and provide an electronic copy (the guidance suggests if the request was made electronically the results should be provided electronically); or
• Review, redact, apply restrictions, then cut and paste all relevant data into one long document which would look like a series of extracts; or
• Review, redact, apply restrictions, then input the data relating to the personal information into a schedule which identifies the reason for processing, the data category, the relevant dates and parties, the source of the data, where it was stored, who it was shared with and if/when it will be destroyed.
Whatever format is agreed, a full copy should be maintained identifying any redactions or restrictions that have been applied.
You should ensure you contact the data subject prior to providing the information to ensure they are able to access the data in the agreed form. Do not leave this until the deadline.
8. Post DSAR
A DSAR is likely to result in cost and disruption to your business. It is therefore an opportune time to review the Data Protection Policies and Procedures you have in place and your Document Retention Policy, and to initiate a project to destroy any personal data that as a business you no longer need to hold.
Useful sources of information:
None of the information set out in this document should be construed as legal advice. If in any doubt you should always seek professional legal advice.
There are several sources of useful information and guidance, including those set out below:
https://edpb.europa.eu/our-work-tools/article-29-working-party_en