A major part of data protection legislation since 1984, Data Subject Access Requests (DSARs), as implemented in the Data Protection Act 1998 (DPA 1998), enable individuals to find out what information an employer holds about them and whether that data is being processed unlawfully in a way which infringes their privacy. The amount of electronic data held by employers has increased significantly, and the legislation now also covers manual data.
Owing to their wide-ranging nature, DSARs made under the DPA 1998 can be a useful way for individuals to obtain pre-action disclosure in litigation, and their use for this purpose has been increasing in the last two years. Two reported cases explored the use of DSARs in this way, and the outcomes of both suggest that the Information Commissioner's Office will require some persuading to dismiss a DSAR as an ‘abuse of process’.
With this in mind, data controllers (the person or persons who determine the purposes for which, and the manner in which, personal data is processed) should take all necessary steps to ensure they respond to a DSAR, regardless of any suspicions they may have about its purpose.
Many organisations do not have processes or protocols in place for collecting the personal data relevant to a DSAR, which means these must be created while responding to the request. As there is a statutory timeframe for responding to a DSAR, being 40 days from the date of receipt of the request and the £10 fee, a data controller or organisation that has to create procedures ‘on the fly’ has correspondingly less time to actually respond to the DSAR. Even where there are processes in place for collecting the data, there may be no protocol for dealing with the information the search returns.
Employers can reduce the time needed to comply with a DSAR before one is received by putting in place procedures for undertaking the necessary searches of the data they hold. It is also important to understand the nature of the personal data held, where that data is held and processed, and whom to contact to get a search authorised and underway.
It can be useful to have a document setting out the type of searches an organisation will undertake if it receives a DSAR. While this will not be cast in stone, it can provide a useful starting point, since certain search criteria (for example full name, initials and surname) are always used. Any pre-set DSAR procedure should remain flexible, depending on the nature of the DSAR and the volume of data returned.
The General Data Protection Regulation (GDPR) will come into force in early 2018. Amongst other things, the GDPR will reduce the time organisations have to respond to a DSAR from 40 days to one month. In addition, the maximum fine for failure to comply with a DSAR within the relevant timeframe will increase from £500,000 to 4% of turnover or €20,000,000, whichever is higher.