Data subject access requests can be a compliance headache for businesses. The first of our series on DSARs looked at how data protection “by design” can make the job easier. But what about deciding whether or not to resist a DSAR when it actually lands?
So, you have received a data subject rights request (DSAR) from a person whose personal data you are processing. What now? Before starting to collate all the information requested, a controller must consider whether the DSAR, or aspects of the DSAR, should be resisted either because it is manifestly unfounded or excessive, or because an exemption applies.
Manifestly unfounded or excessive requests
Under Article 12 of the UK GDPR, controllers can refuse to comply with manifestly unfounded or excessive DSARs. The UK Information Commissioner’s Office (ICO) advises that a request may be manifestly unfounded if the requestor clearly has no intention to exercise their right of access, for example because it is demonstrably a tactic to gain some other advantage, or if it is clear that the intent is to cause disruption, or there is malicious intent, or a sustained campaign. To be manifestly excessive, it needs to be obviously unreasonable, for example where someone makes a new request before the controller has had the opportunity to fully address an earlier DSAR covering the same ground.
A difficult call
Determining whether a DSAR is manifestly unfounded or excessive may be a difficult judgement call. It is for the controller to justify its position and retain sufficient evidence to demonstrate that it has a right of refusal. European case law confirms that (at least in the EU) a requester’s motive is not relevant to the controller. So a DSAR refusal must be based on the nature of the request itself, not on any background information which the controller has about the data subject. This can be difficult to navigate where DSARs arrive in the context of an existing dispute.
If a DSAR is manifestly unfounded or excessive under the UK GDPR but the controller still complies with the request, they may charge a reasonable fee taking into account the administrative costs of compliance. In practice, as refusal and eligibility to charge are always both possible for these types of DSARs, confident controllers often opt for refusal, viewing a charge as a compromise that bears both the burden of fulfilment and the residual risk of non-compliance.
Exemptions
In addition to these rights of refusal, there are DSAR exemptions which may apply to all or part of the applicant’s personal data held by the controller.
A frequently used exemption among the many available is where the requester’s personal data is inseparably mixed with personal data of another third-party (‘mixed data’). Others include where the information requested is subject to legal professional privilege, or where the data is being processed for scientific or historical research in accordance with certain strict conditions.
Taking care
While applying an exemption may appear a safer path than an outright refusal, the correct application of exemptions requires careful consideration.
For example, in cases involving mixed data, the controller needs to reconcile the requester’s right of access with the third-party’s rights in respect of their own personal data and confidentiality. Where the third-party does not consent to disclosure, the controller must carry out a balancing test of both parties’ rights to determine which information is disclosable. Evidence of the decision-making process will be particularly important.
Furthermore, each exemption has rules governing its application and must be considered on a case-by-case basis. If an exemption applies, the controller may have a choice about compliance, or it may (depending on the circumstances) be obliged not to comply (either wholly or partly) with a DSAR.
Given their number and complexity, putting exemptions into practice can be challenging and time consuming, particularly when the underlying DSAR involves a high volume of potentially disclosable data.
Search scope: an exemption by stealth?
Controllers may seek to exclude certain materials in the course of determining which systems or locations (or even search parameters) would be reasonable and proportionate to search, as their obligations under the GDPR do not extend beyond this.
This is not strictly recognised as a form of exemption and is unlikely to allow for the selective exclusion of materials that can be achieved by applying exemptions. But it is an important part of the debate as the initial decision of what and how to search for personal data can often have the single biggest impact on the amount of material ultimately excluded from the information provided in response to a DSAR.
A final word of caution
While controllers can, and at times need to, consider these paths of resistance, controllers must not set up artificial barriers aimed at deterring data subjects from validly exercising their rights. Finland’s Data Protection Authority (the FDPA) recently ordered that a controller was in breach of the GDPR by requiring DSARs to be delivered in person to its premises together with a signed form with the name, personal identification number, address, telephone number, email, and official photo ID of the sender. The process was judged excessive and in breach of the requirement for data minimisation and facilitation of data subject rights. Although a European case, it provides useful guidance on how DSAR obligations under the UK GDPR are likely to be interpreted.
Need help?
If your organisation is struggling with the delicate balancing act often required to correctly manage DSARs, including applying exemptions, you may be interested in Shoosmiths’ end-to-end DSAR product, SmartSAR.
SmartSAR streamlines the entire DSAR handling process and provides clear guidance on refusals and exemptions, alleviating what can otherwise be a complex compliance burden for businesses. Contact us today to learn more.
Disclaimer
This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2024.