A DSAR, or Data Subject Access Request, is a request made to an organisation/company (Data Controller) by an individual (Data Subject) for any and all data the controller has on the subject. Anybody can submit a DSAR and the Data Controller legally has 1 calendar month in which to respond to the request barring any extenuating circumstances. These will be explained later.
A DSAR can be submitted in any format, e.g. written letter, online form, verbally or over social media etc. Some companies/organisations do place limits on formats that they will accept, but if there are no pre-existing restrictions, a request can be made at any time, in any place, in any format!
Data Controller - A body that collects, holds, or processes information on others.
Data Subject - The individual making the access request to retrieve the data held on them.
Clustering - The act of grouping together documents with similar themes.
Email Threading - Collecting and presenting together the documents that make up the same email or thread of emails.
ICO - Information Commissioner's Office.
Manifestly Excessive - When a request is clearly or obviously unreasonable. This works both ways and you can be penalised for providing a manifestly excessive response to a DSAR.
Proportionate Identification - Means of identification that are appropriate to the situation, e.g. a username and login rather than a birth certificate for an online account.
Complex Case - Refers to a case in which the data is very difficult to come by and/or external legal help above and beyond that which is normally sought is required.
The process of completing a DSAR is very similar to that of completing a standard eDiscovery project, with more of a focus on the review for redaction and fewer constraints on the presentation of the data. We can therefore break the DSAR process down into the same 6 distinct steps used in our eDiscovery process blog post, with a couple of changes.
1. Data Collection and Transfer - This is where we collect, or securely transfer (if self-collection is preferred) all the potentially relevant data without altering any file metadata, in order to host the data within RelativityOne. Though you do not have to be quite as careful with document metadata in DSAR cases when compared with eDiscovery cases, it is good practice to ensure forensic recovery of documents.
A note should be made here that if you are using tools outside of your hosting platform for redaction purposes, you must ensure secure file transfers between the platform and the tool also. At Altlaw we use RelativityOne which has its own inbuilt redacting tool among many others, therefore the worry of losing information in file transfer is greatly lessened.
2. Data Processing - Here all file metadata is extracted, duplicate data is identified, and your data is indexed (this makes it searchable). Your data is also checked against lists of common system files, program files, and non-user generated data files that are extremely unlikely to prove relevant in your case. If these files are identified within your data they are removed. This process is called DeNISTing.
3. Early Case Assessment - Document clustering, email threading, and keyword searching tools are applied to your data in order to reveal patterns and determine which data is most likely to be relevant to the request and which data can be quickly discounted. This streamlined data packet is then advanced for review and redaction. At Altlaw, an experienced project manager will guide you through every step of this process allowing you to benefit from their support and expertise. For more information on the analytics tools that can be used to process your data, download our free eBook!
4. Document Review and Redaction - This is the most important part of the DSAR process and also often the most time-consuming! Here your team of reviewers will read through each of the documents left in your data packet to review them for relevance to your case and redact any sensitive information. Redaction is a key component in the process of completing a DSAR and as such you want the very best tools to enable you to complete this swiftly and efficiently. With the in-platform tools offered by Relativity, Altlaw prides itself on providing a stress-free redaction process that is both time and cost-efficient! You can read more about the benefits of completing your DSARs within RelativityOne here.
5. Production - Once all the relevant documents have been reviewed and redacted, the data is then produced to the subject. This can be done either electronically or in hardcopy paper format. When producing, Altlaw provides one copy of the relevant data to the subject and one to the controller. A separate packet is produced containing all of the documents that were deemed irrelevant; this packet is also given to the data controller.
6. Case Termination - After producing your data, all the data held within the hosting system is then deleted to ensure it cannot be accessed past the termination of the case. The exception to this is if you wish for the data to be archived, in which case the data will be stored ready for you to return to it when needed. This is particularly useful if you believe the DSAR has been made as a pre-litigation manoeuvre.
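As an added illustration of the processing stage described in steps 1 and 2 (not Altlaw's or Relativity's own code), here is a minimal Python version of it: each collected file is hashed without being modified, its filesystem metadata is recorded, anything whose hash appears on a known-file list is dropped (DeNISTing), and the remainder is de-duplicated by content hash. The sample files and the known-file hash set are constructed inline; a real run would use the published NIST NSRL reference set.

```python
import hashlib
import os
import tempfile

def sha1_of(path):
    """Hash file content; the file is only read, never modified."""
    with open(path, "rb") as f:
        return hashlib.sha1(f.read()).hexdigest()

def inventory(root):
    """Collect (path, sha1, size, mtime) for every file; metadata is recorded, not altered."""
    items = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            items.append((path, sha1_of(path), st.st_size, st.st_mtime))
    return items

def process(items, known_hashes):
    """DeNIST (drop files whose hash is on the known-file list), then de-duplicate by hash."""
    kept, seen, denisted, duplicates = [], set(), [], []
    for item in items:
        sha1 = item[1]
        if sha1 in known_hashes:
            denisted.append(item)
        elif sha1 in seen:
            duplicates.append(item)
        else:
            seen.add(sha1)
            kept.append(item)
    return kept, denisted, duplicates

def demo():
    """Constructed sample: two identical emails, one fake system binary, one document."""
    root = tempfile.mkdtemp()
    files = {
        "mail/payslip.eml": b"From: hr@example.test\nSubject: payslip\n",
        "mail/payslip_copy.eml": b"From: hr@example.test\nSubject: payslip\n",
        "bin/system.dll": b"MZ\x90\x00fake-system-binary",
        "docs/contract.docx": b"PK\x03\x04fake-contract",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    # Stand-in for the NIST NSRL hash list: just the fake binary's hash, not real NSRL data.
    known = {hashlib.sha1(files["bin/system.dll"]).hexdigest()}
    kept, denisted, duplicates = process(inventory(root), known)
    return len(kept), len(denisted), len(duplicates)
```

Running `demo()` on the constructed sample keeps the two distinct user documents, DeNISTs the fake binary and flags the duplicate email; on real data the kept list is what moves on to indexing and early case assessment.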
The guidelines for what data can be requested and what manner of response is appropriate can be found within the Data Protection Act (DPA) 2018 and the UK General Data Protection Regulation (UK GDPR).
Data that is to be included in a Data Subject Access Request tends to fall into one of two categories:
Correspondence - This includes all emails either addressed to or from the individual or containing the individual’s name in the contents.
Personal information - This refers to the kind of information that would typically be held on a personnel file. Addresses, bank details, next of kin etc.
It is important to note that in the event of a DSAR, any physical copies of this information must be located, collated and sent across as well. So in addition to going through your systems with a fine-tooth comb, you may need to go rummaging through those filing cabinets.
As long as the request is not judged as manifestly excessive, in which case other options become available, the main thing you have to worry about is committing to a proper and thorough process. As data protection laws don’t set many absolute rules, your processes can be a little flexible and take a more risk-based approach. As long as you are meeting the main legal requirement, there are virtually no barriers to doing new things in new ways that best suit your situation.
It is your legal obligation to effectively obtain, collate, and send across all of the information required to fulfil the request. And, in line with the update to the ICO’s guidance in 2019, this process must be completed within one calendar month of the DSAR being made. When responding to a DSAR, as well as the data in question, the controller must also provide the requester with the following information:
The purposes for processing or holding the data
Who the personal data has been disclosed to (or who it will be disclosed to in future)
The length of time the data will be held (or the criteria for determining how long it will be held for)
Where the data has been sourced from (unless it has been collected directly from the data subject)
Clarification of how the data has been or will be processed, and the reason for this
If the employee’s information is to be processed through an automated system or workflow, you are obligated to provide details of this process and its intent.
As well as supplying the right information regarding the data itself, it is also the responsibility of the controller to reiterate some of the rights that the requester has. Be sure to inform the data subject that they have the right to object to the processing of their personal data, and may also request that their data be rectified or erased, or that its processing be restricted.
We have spoken above about how the processing of your data for a DSAR works, but what about the steps before you contact your solutions provider with all your data? Here you will find the process laid out from beginning to end.
1. Acknowledge the request - As mentioned above, there is no one way to submit a DSAR, nor one person to whom they can be submitted. It is therefore imperative that your whole team is aware of your DSAR process, and who to contact if they receive one. As soon as the request has been received the clock starts ticking and you should acknowledge the receipt as soon as possible to give you the longest time to collate, review, and redact data.
2. ID the Data Subject - This part can be more complicated than you might think! When dealing with personal data you must be 100% sure the information you are releasing is going to the intended recipient, whether that be the data subject themselves, or an intermediary party acting on their instruction. A third party requesting data on behalf of a data subject is quite a common occurrence, for example, parents requesting on behalf of underage children, or legal professionals requesting on behalf of clients. In cases such as these, not only does the identity of the data subject have to be ascertained via proportionate identification, but you must also make sure that they are aware of the request and are happy for their data to be processed.
3. Determine Scope and Feasibility - This is an important step in both deciding if you will respond to the request (if it is provably manifestly excessive you can choose not to respond to the request or to only respond in part) and determining the scale of your response. As previously stated, manifestly excessive is a term that applies to both the request and the response, and overproducing can not only waste valuable time, resources, and money but can also bring sanctions from the ICO.
Be sure to determine the nature of the request. Is it simply a request for access, or are they invoking other rights, such as rectification or the right to be forgotten? Is the request specific to a certain category of data processing, or limited to a specific time period? Is the request valid? Can it be reasonably completed within the one month permitted? Also, you should determine which format the requester would prefer the data to be in when you send it across. We’ll come back to this in Step 5.
4. Collect Data - Now the real work begins. While collecting the data, check whether the data needs to be amended and if you need to protect the personal information of any other data subjects. And remember, multiple different employees within an organisation may all in some way hold or have access to data relating to the data subject and the scope of the request. It is your duty to ensure that no stone is left unturned.
5. Package Data - Whatever the preferences of the data subject, you must produce your collected data in the formats they require (hence why we ask them in step 3!). Make sure to factor the time and cost of producing the data in their specific format into your DSAR process. You don't want to suddenly find out they want everything printed and posted with 24 hours left to go!
6. Inform the Data Subject of Their Rights - Before you send the information across, ensure the data subject is well informed of their rights. These include (but are not limited to) the right to object to the processing of their personal data, the right to request that their data be rectified or erased or that its processing be restricted, and the right to lodge a complaint.
7. Send Data Across - This is project completion, congratulations!
The biggest challenges that the DSAR process faces come in the form of time, effort, and cost. It is a very labour intensive process that requires a great deal of focus and manpower to pull off in the relatively short timeframe specified.
Time - As I'm sure you are aware, 30 days is not a lot of time to complete something as complex as a DSAR, especially if it is for an employee of many years who has been involved in every facet of your company. There are some circumstances that do allow for an extension on the one-month time limit, or for you to "stop the clock" as it were, while you receive necessary clarification and guidance, but often cases do not meet the relevant criteria. Add to this that you can be dealing with several cases at once, and suddenly you are very low on available time!
Effort - As previously stated, DSARs are a very labour intensive process, even with automation making lives easier! The need for quality control and the meticulous handling of personal and sensitive data means that there is a lot of pressure on the teams that have to deal with these requests.
Cost - As can be expected, requiring large teams of people to load, review, and redact large numbers of documents in order to complete a case costs a lot of money. This is especially true when a separate redaction tool or outdated software is used to complete the process, as this increases the load time of documents and the difficulty for those reviewing, which in turn decreases morale and productivity. This all factors into a very expensive review process, which we know is the biggest cost driver of most DSAR projects.
This leads us to ask, what can we do to improve this process for ourselves? Well, there are two obvious solutions...
Automation - In today's tech-savvy world where we have countless systems in place to make our lives easier... why not make use of them? Automating mundane and repetitive tasks can not only speed up your workflows but can also relieve some of the stress on your team and boost morale by removing the tedious aspects of the process. There is also much less likelihood of error as long as the initial set-up is quality checked. Computers do not make human errors.
Not only can automation improve the efficiency of your current workflows, but it can also bring new capabilities and tools that were not previously accessible. RelativityOne's Auto-Redact tool is a prime example of this!
Outsourcing - Though automation is definitely a solution you will want to implement whether outsourcing your data or not, the one issue with automation is that it often requires specialist software to get the best results, and this can be very expensive. Unless you are dealing with DSARs on an incredibly regular basis, purchasing this software is rarely economical. This is where outsourcing comes in. Outsourcing your DSARs process can not only alleviate a large proportion of the costs of reviewing and hosting your data but also makes available to you industry experts who can help and support you through your project.
Many people worry about what will happen to their existing teams if all work is outsourced, but there is no need! While the option to fully outsource your DSAR process is available to you, there are also options to simply licence the software and support of a third party hosting platform, whilst maintaining your original team of reviewers. This is often viewed to be the best option as no one will know your data better than your own team and with this option, they can combine their own expertise with that of the supplier to provide a stress-free and efficient DSARs process.
There are some situations in which the clock can be stopped, your deadline extended, or even, the request refused altogether. Knowing what these situations entail and what criteria you have to meet is a great way of making sure you are only doing the work you absolutely need to do in the longest time frame possible.
Stopping the Clock - Stopping the clock simply constitutes a pause in the process while you wait for specific information to be provided. This is the most common occurrence across DSAR processes and usually takes place at the beginning of the process, when completing step 2 of the above 'How do DSARs Work' section: identifying the data subject. It is important that you make use of this pause at the beginning of your process. If you request a pause to verify identity towards the end of your allotted 30 days, you will likely not be granted it, because data subject identification is one of the preliminary steps in the process.
Extending the time limit - If the request you have received can be deemed as complex, here meaning the data is difficult to retrieve and/or outside legal advice above and beyond that which you would normally seek is required, then you can request an extension of up to 3 months beyond your 1-month time limit.
Refusing the Request - In some cases the amount of data being requested is simply too much to be collected in the allotted DSARs time limit, and in others it can be proven that the request is malicious. In cases such as these, the data controller can choose either to partially fulfil the request (this is often the case when there is a lot of data to collect, but the event in question can be narrowed down to a more specific subset of the available data) or refuse the request entirely in the case of the malicious request. All decisions must be presented to the ICO, and in the case of request refusal, the reason for refusal must be provable. You can find further reasons a DSAR can be lawfully rejected in the FAQ section!
It is worth noting that all of these requests should be made to the ICO at the earliest possible opportunity to ensure you are likely to have the extensions etc. approved. Waiting until the end of your project to suddenly request an extension will not go down well.
Who can submit a DSAR?
Anybody can submit a DSAR to a body that holds information about them, whether it is a customer interested in how you process their data or an employee interested in exactly what information you hold on them. You can also submit DSARs on behalf of other people with their permission, though identification of the data subject will still be required.
Can you charge for processing a DSAR?
A data controller can charge a subject up to £10 for the processing of a DSAR.
Can you reject a request?
Yes, you can! As mentioned above there are circumstances in which a DSAR can be partially or completely rejected, here are a few examples...
It is important to remember however that applications for refusal/extension are viewed on a case-by-case basis and must be made at the earliest possible opportunity.
If you find that a DSAR is manageable when only focussing on a specific type of data or time period etc you can request a partial refusal and simply provide the information that you are capable of producing under the time constraints.