How to carry out data retrieval

What happens when someone asks for the data held about them? In her latest column, Mandy Huntley, a data protection specialist, explains the process and how you can be supported if a request is made.
In data protection law, the people about whom we hold data are called ‘data subjects’, so when they ask for access to the data held about them it is called a Data Subject Access Request (DSAR). In my experience, these requests are normally made when there is a dispute, commonly an employment dispute. DSARs have become more common in recent years, as people become more aware of their rights and a change in the law now prevents businesses from charging a fee in most cases.
Once a request is received, the business generally has one calendar month from the day of receipt in which to respond. This can be hard to meet if the volume of information exceeds the resource available to collate and prepare it. Sadly, people know this, and what is intended as a useful right enshrined in law is sometimes misused as a way of causing disruption.
Case in point
A business owner contacted me, as they had received a DSAR from an outgoing member of staff requesting everything that identifies them. There was very limited capacity to pull the information together. As the law states that companies need only undertake a reasonable search for information and can seek to scale back the request where it is excessive, I advised them to write to the data subject and explain that a reasonable search may not provide them with everything and, therefore, it may not provide them with the information they required. I suggested asking the data subject to narrow their request, allowing the company to focus on a specific area or type of record.
Unfortunately, they took conflicting advice and offered a one-off payment as final settlement with the person on the condition that they drop the DSAR. Of course, soon after, the next DSAR landed from another former employee who is quite friendly with the first.
Top tips for data subject access requests
- Identify it and don’t ignore it: It’s unlikely to go away. Treat any request in which a person asks for information that identifies them as a DSAR, whatever it is called. Some requests can be dealt with informally and quickly, but you should have a process nevertheless.
- Confirm the identity of the person: If it’s a customer, ask them to prove their identity before you disclose anything. In the case of a member of staff, speak to them directly if necessary. If the request comes from a third party (for example a solicitor acting for the data subject), take advice from a professional, as you must confirm that the third party is authorised to act for them and it can be more complex.
- Assess the request: You will need to redact (blank out or obscure) information about other people so consider the resource available within your one-month timeframe. You can’t refuse a reasonable request because you don’t have the resource available. You would be expected to find resource or bring it in. A client of mine recently brought in a virtual assistant for a defined number of hours to compile the information for a DSAR. If the request is excessive, you can go back and ask the person to narrow it down.
- Collate the data: Search electronic and paper-based systems. Have a process for this and ensure you have somewhere secure to store all the collated information.
- Redact information which cannot be disclosed: Some information must be withheld. The first category is information relating to another person; for example, in a disciplinary record you would redact the name of the person who made an allegation, and any other detail that would identify them. You may also redact commercially sensitive data which a former employee is no longer entitled to see. Check the redacted copy, not the original, before it leaves the business.
- Preparation for disclosure: Keep a full copy of exactly what you disclose, so that you can show later what was sent if necessary. Consider how you are disclosing the data. If by post and the data is sensitive (relating to health, race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, sex life or sexual orientation), send it by special delivery or courier so that it is tracked end-to-end. If sending electronically, get the informed consent of the person, password-protect the data and send the password by a separate route (for example by phone rather than in the same email). If possible, hand the data to the data subject personally and ask them to sign to confirm receipt.
- Send it: Once you are sure it is ready, complete and secure, send it. Confirm receipt of the information with the recipient and note the date against the request.
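As an added example that is not from the column, the script below in Python covers two of the steps above that are easy to get wrong by hand: working out the one-calendar-month response deadline from the date of receipt, and masking third-party names and email addresses in collated records before disclosure, keeping a digest of what was actually sent for the retained copy. The month-end rule (no corresponding date in the following month, so the deadline is the last day of that month) follows my reading of ICO guidance and is an assumption here; weekend and bank-holiday adjustments and extensions for complex requests are not modelled. The names, email addresses and record lines are constructed sample data, not from the article.

```python
"""DSAR helpers: response deadline, third-party redaction and a disclosure digest.

Added example, not the column's own process or tooling.
"""
import calendar
import hashlib
import re
from datetime import date


def response_deadline(received: date) -> date:
    """Deadline one calendar month from the day the request was received.

    Assumed rule (my reading of ICO guidance): the same day-of-month in the
    following month; if that month has no such day (received 31 January,
    say), the last day of the following month. No weekend, bank-holiday or
    complex-request extension handling.
    """
    year, month = received.year, received.month + 1
    if month > 12:
        year, month = year + 1, 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


# Loose email matcher; good enough to find addresses in free-text HR notes.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def redact(text: str, subject_emails: list[str], third_parties: list[str],
           mask: str = "[REDACTED]") -> str:
    """Mask other people's names and every email address that is not the data subject's.

    Emails are handled first so that a name match inside an address cannot
    leave a half-masked address behind. Names are matched as whole words,
    case-insensitively, longest first, so 'Priya Shah' is masked before
    'Priya' and 'Priyanka' is left alone.
    """
    keep = {e.lower() for e in subject_emails}
    out = EMAIL_RE.sub(lambda m: m.group(0) if m.group(0).lower() in keep else mask, text)
    for name in sorted(third_parties, key=len, reverse=True):
        out = re.sub(r"\b" + re.escape(name) + r"\b", mask, out, flags=re.IGNORECASE)
    return out


def disclosure_digest(records: list[str]) -> str:
    """SHA-256 over the redacted bundle, to file alongside the retained copy."""
    h = hashlib.sha256()
    for line in records:
        h.update(line.encode("utf-8"))
        h.update(b"\n")
    return h.hexdigest()


# Constructed sample data: a data subject (Alex Morgan) and two colleagues.
SUBJECT_EMAILS = ["alex.morgan@example.com"]
THIRD_PARTIES = ["Priya Shah", "Priya", "Tom Reilly", "Tom"]
SAMPLE_RECORDS = [
    "2023-11-02 Meeting note: Alex Morgan (alex.morgan@example.com) raised a grievance. "
    "Witness statement taken from Priya Shah (priya.shah@example.com).",
    "2023-11-09 HR email to alex.morgan@example.com: Tom Reilly has reviewed Priya's statement.",
]


def prepare_bundle(records: list[str]) -> list[str]:
    """Redacted copies of the sample records, ready for disclosure."""
    return [redact(r, SUBJECT_EMAILS, THIRD_PARTIES) for r in records]


if __name__ == "__main__":
    received = date(2024, 1, 31)
    print("Received:", received, "respond by:", response_deadline(received))
    bundle = prepare_bundle(SAMPLE_RECORDS)
    for line in bundle:
        print(line)
    print("Disclosure digest:", disclosure_digest(bundle))
```

Run it as a script to see the redacted lines and the digest; in practice the redacted bundle and its digest are what you keep with the request file, and any later dispute about what was sent is settled by recomputing the digest over the retained copy.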
This is an area where the Information Commissioner’s Office (ICO), the UK data protection regulator, has acted against businesses of all sizes. It’s vital to have a process and follow it if a request is received.
If you would like to arrange a call with Mandy to talk through DSARs or any other aspect of data protection, please email mandy@mandyhuntley.co.uk.
