Data Subject Access Requests (DSARs) have become an increasingly common tool used by employees who feel a sense of grievance at the manner in which they are treated. Given the increasing volumes of data used and stored by businesses, dealing with them has become an increasingly time-consuming and expensive exercise.
Whilst not setting out new law, the ICO’s Detailed Guidance does indicate the approach that the ICO will take and highlights factors that employers dealing with DSARs should consider. The Guidance is detailed, with several useful examples. Below I have highlighted a number of the issues that it raises.
Frequently those responding to a DSAR will argue that it is complex in order to extend the time for responding to it. The Guidance indicates that determining what is complex is fact specific and will vary from controller to controller. Matters which might increase complexity include:
Technical difficulties retrieving information;
Applying an exemption involving large volumes of data;
Clarifying confidentiality issues;
Needing to obtain specialist legal advice – but only if this is not regularly obtained.
However, the Guidance makes it clear that simply because a request involves large quantities of data does not make it complex.
One can expect a greater degree of scrutiny from those submitting DSARs as to the reason why a particular DSAR is complex and complaints to the ICO if the extension is deemed not to be warranted.
“Stopping the Clock”
Even if a request is not complex, it is still possible to gain more time in which to respond to it by “stopping the clock”. The clock will be stopped if the data controller seeks clarification of the request. From the time the request for clarification is sent to receipt of the reply, the clock for responding is stopped. Examples of when and how the clock is stopped are given in the Guidance.
If a large amount of data is held it is not necessary to seek clarification; a controller can carry out a reasonable search instead.
A data controller is required to conduct a reasonable search and is not required to conduct searches which are unreasonable or disproportionate. To determine whether a request is disproportionate consideration should be given to:
The circumstances of the request;
Any difficulties in finding information;
The fundamental right of access.
A reasonable search will still be extensive, but it will not require that no stone be left unturned.
“Charging a Fee”
The DPA 2018 abolished the small administrative fee that could previously be charged and provided that, exceptionally, a “reasonable fee” can be charged for the administrative costs of complying with the request. Fees can be charged where the request is “manifestly unfounded or excessive” (see below) or there is a request for additional copies. In determining the fee, account can be taken of the cost of assessing whether the information is being processed; locating it; providing a copy; and communicating the response to the individual. A reasonable fee can include copying and postage costs, equipment (e.g. discs and USB devices) and staff time. Currently there are no limits on the fee charged.
Those who consider charging should have a set of unbiased criteria which explain the circumstances in which a fee will be charged, the standard charges, and how the fee is calculated. If a fee is to be charged it should be requested promptly.
Given that there is some greater clarity around when it might be reasonable to charge a fee, one might expect that organisations will consider when it might be reasonable to charge.
Refusing to Comply with a Request
One issue that is frequently raised when faced with a request involving large volumes of data is whether it is necessary to comply. Requests can be refused where they are “manifestly unfounded” or “manifestly excessive”.
The Guidance indicates that a request will be manifestly unfounded if:
There is no intention by the individual to exercise their right of access
The request is malicious and is being used to harass the organisation with no real purpose. Examples are given of the requester stating explicitly that the request is intended to cause disruption, or that a particular employee is targeted.
Demonstrating that a request is manifestly unfounded is difficult, because such requests usually come in the form “I want access to all the data you hold about me”.
Could such a request be “manifestly excessive”? To determine this it is necessary to take all the circumstances into account:
The nature of the requested information;
The context of the request and the relationship between the controller and the individual.
Where a request is likely to result in a large volume of data, seeking clarification of the request and arguing that the request is “manifestly excessive” is a starting point. However, where a controller wishes to rely upon a request being manifestly excessive it will need to have “strong justifications” to demonstrate this to both the ICO and the individual. The courts have already indicated that simply because there is a large volume of data does not make a request “manifestly excessive”. Considerations may include the relationship between the parties and the time and cost involved in finding the data. It may, in fact, be difficult to know how extensive a search will be and the volume of data recovered until the search has been undertaken.
Personal Computer Equipment
In a world where many are working from home, possibly on personal computer equipment, an issue that frequently arises is the extent to which a DSAR will extend to personal equipment. A DSAR only extends to data over which the data controller has control; a data processor will be covered and, if data is held on employees’ own laptops or telephones, this is likely to be caught.
There has been an increasing trend for those submitting DSARs to refer to employees’ personal computers and phones, making compliance with the request more difficult and time consuming. Employers should, so far as possible, have clear policies on the extent to which personal devices can be used to store the employer’s data.
The Guidance is a helpful tool for employers, reminding them of their obligations and helping them prepare for and deal with DSARs. Inevitably the examples and guidance given will become much argued over in the years to come in the tussle that exists between data subject and data controller.