IAPP CIPM – Subject Access Requests (SARs/DSARs) – how to deal with

  1. Overview of SARs

Hi guys. In this lesson, we will discuss an overview of subject access requests, or SARS. A SAR or DSAR is a request from a data subject to be provided with a copy of the personal data being processed by a controller and an explanation of the purposes for which personal data is being used. A complaint or general query about how personal data is being used does not constitute a DSR. For example, a query about why marketing is being received or where you got someone’s name from a database A “subject access request” is specifically when anyone asks to receive a copy of the personal data you may hold for them. A request does not need to be formally called a “subject access request” or “access request” for it to constitute one, and they will rarely be entitled to either.

As such, a request could be sent to any department and come from a variety of sources. Individuals do not need to officially write a letter addressed to the DPO for it to be a valid request. They might be submitted by email or social media and addressed to the wrong department or person. So what are the changes under the GDPR? To begin with, it takes less time to respond. The timescale for responding to a Data Subject Access Request has been reduced from 40 days to one calendar month, representing a challenge for many organizations, and there is no fee. Organizations can no longer charge a ten-pound fee for a DSR. However, where the request is deemed excessive or manifestly unfounded, organisations can charge a reasonable fee to cover the administrative costs of complying with the request.

There is also the ability to charge a reasonable fee if an individual requests further copies of their data. But even if you suspect the request may be malicious, this is very unlikely to be sufficient grounds for refusing to respond. Article 15 of the GDPR sets out the information that individuals have the right to be provided with, broadly defining providing information about what personal data is being processed and the purposes for which it is being processed. Who has access to the personal data or who will be informed about the existence of any automated decision making, including profiling, and, at the very least, what logic is being used for that purpose and how long the data will be retained, or at least the criteria used to determine this. If no personal data is held about the individual, they must also be informed about this. If the information you have gathered contains personal data relating to other individuals, you need to carefully consider, on a case-by-case basis, whether and how to redact this or judge it to be reasonable to disclose.

Such information can be disclosed with the consent of other parties. Where consent is not feasible, you need to consider the privacy impact and how your duty of confidentiality to these other parties could be broken, and then you should disclose the information. Any justification for disclosing a person to third parties should be documented. So, what is your official response? The information you provide must be in an intelligible form. In other words, one that the average person would be able to understand. Avoid using jargon or terms that people outside the business might not understand and explain any codes. Ensure the information you are providing meets the requirements under Article 15. When supplying the information, use a traceable delivery system. If agreed with the individual, send it via secure electronic means, and we will discuss this in more detail about SARS and different challenges in the following lessons. see you in the next one.

  1. How to recognize a valid SAR

Hi guys. In this lesson, we will discuss how to recognise a valid SAR. Many data subject requests have already been sent since GDPR went into effect, but the question of identifying the data subjects sending the requests and ensuring GDPR compliance remains unanswered. It’s an important question because obviously personal data needs to be protected, and you need to ensure confidentiality, integrity, and availability ability. More than ever, any data subject access request made by unauthorised persons will result in a breach. At the same time, you must process the data subject requests made under the GDPR promptly and in a way that allows data subjects to exercise their rights, such as access, rectification, and data portability rights. to withdraw consent.

Right. to object, the right to be forgotten, the right to restriction of processing, and not to be subject to automated decision-making and profiling, which would have a significant impact on the individual’s rights and freedoms. Also, the data subjects have the right to contact your DPO if you have one. Personal data breaches are naturally feared by data controllers for good reason and should be avoided. On the other hand, you should be aware of being overzealous, as you can also be very well penalised for either making the request process too burdensome for the data subjects or for collecting excessive amounts of personal data just for the authentication itself. So how can I be penalised for doing my best to authenticate the data subjects? Basically, if you make it too difficult for the data subjects to exercise their rights by creating for them unreasonable and disproportionate requirements, you will in fact infringe on the very basic rights of the data subjects.

This way, you risk the highest administrative fines, that is, up to €20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. It is highly recommended that you do not obtain clearly more sensitive or potentially more harmful data for the purpose of authentication than the data that is subject to the request. If you do require additional information, it should be limited to what is necessary in the given context. This is important not only because of the principle of data minimization but also to ensure purpose limitation and fairness. Accordingly, the highest administrative fines as provided by GDPR may fall on you. So what should be specifically avoided? Asking for a copy of an ID document, such as a passport or other official government-issued documents such as a birth certificate, as a standard way of verifying the identity of a data subject should be definitely avoided. The obvious reason why is because it is disproportionate and not always relevant.

The less obvious reason is that this is not considered a secure and efficient method of authentication and provides little assurance as to the real identity of a person. In contrast to what some might think is quite low, authentication in an online environment is widely disputed, and most people will tell you that you should not use information that basically stays the same for all your life. or for a long period of time, such as social security numbers or government-issued identifiers. As it is likely that such data may already be in the possession of unauthorised persons simply because it has existed for a long time, Also, if this were a prevalent practise, many companies would be—and sometimes already are—in possession of such information, and they very often fall prey to breaches and hacker attacks. Last but not least, by collecting such information, you will create additional risks for data subjects, as such data may be used for identity theft or fraud, for example, and you will need to protect it with higher security measures than for the innocuous data that is subject to the request itself, for example, the history of purchased items or the like.

Before implementing such an authentication method, you would almost certainly need to conduct a data protection impact assessment under the GDPR. So how should I authenticate data subjects? To be compliant, you should follow a few easy yet distinct and very important rules in order to be compliant and to meet the privacy expectations of individuals. First, consider the context and reasonable expectations of the data subjects. Basically, if some method of verifying identity was good enough when you obtained the data in the first place, for example, by email, it should be good enough when you receive a request, for example, an email sent from the same email address. The GDPR is clear about withdrawing consent, saying that it should be as easy to withdraw as to give consent.

Apply the same caution to other data-subject requests unless you believe it is unreasonable. In the context of risks to data subjects, this means that you also should consider how sensitive the data is and what the risks are. The more sensitive the data, the more effort to authenticate is expected. This is in accordance with the risk-based approach, and you can justify asking for more information or more critical or sensitive information. If you do this to protect the data subjects against possible risks to their rights and freedoms, even then, use the data you have rather than ask for more new data. It means that you should try to verify the data subject’s knowledge, for example, by asking some questions in relation to such data that are subject to the request or that you hold for relative purposes. And also consider how the data were obtained in the first place. If a method of authentication was previously a nickname and password, the very nickname and password should enable you to process a request if the nickname or password were lost.

Of course, requesting name and surname would be pointless if they were not linked to the profile. In the online context, the GDPR explicitly says that identification should include the digital identification of a data subject, for example, through an authentication mechanism such as the same credentials used by the data subject to log into the online service offered by the data controller. Consider also widely available industry-recognized standards, such as the NIST’s Digital Identity Guidelines.

They should help you apply state-of-the-art methods of identification, authentication, and authorization that belong to the foundational concepts and tenets of information security. What if I can still not confirm the identity of a data subject who did send a request? Do not despair or panic. In such a situation, you may refuse to process the subject request unless the data subject provides you with additional information. in cases where you do not take action on the request of the data subject. The data subject needs to be informed accordingly, within GDPR time limits, without delay, and at the latest, within one month of receipt of the request, about the reasons for not taking action and the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

The GDPR also says that if the purposes for which a Controller processes personal data do not or no longer require the identification of a Data Subject by the Controller, the Controller shall not be obliged to maintain, acquire, or process additional information in order to identify the Data Subject for the sole purpose of complying with the GDPR. Where this is the case and the Controller is able to demonstrate that it is not in a position to identify the Data Subject, the Controller should inform the Data Subject accordingly, if possible. In such cases, the data subject rights specified in Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification. Again, the final and clear guideline is that you should not collect identifying information if you do not need it. Otherwise, unless the data subject himself or herself wishes to prove her identity, It seems that it is far better and wiser to avoid having too much data in accordance with the principle of data minimization and thus refuse to process some subject requests when not in a position to identify her than to be overzealous and collect too much information just for the purpose of authentication. This is all for now. See you next time.

  1. Responding to a SAR

Hi guys. In this lesson, we will discuss responding to a subject access request. You must act on a DSR without undue delay and respond within one month of receipt. However, it is possible to extend the time in which to respond by a further two months if the DSR is particularly complex or if a number of requests from the same individual have been made, in which case you must let the individual know within one month of receiving the DSR that you need the time.

You cannot ordinarily charge a fee for complying with a DSR. However, if a DSR is manifestly unfounded or excessive, you are able to first charge a reasonable fee to comply with the DSR or, second, refuse to deal with the request at all. GDPR Article 12.5: In relation to what might be seen as a reasonable fee, every country will need to define it in their national interpretation of the GDPR. Until such guidance is published Requesting money from an individual in order to comply with their DSR should be approached with caution. Similarly, while the right to refuse to deal with the DSR may be useful for organisations dealing with litigators who make multiple identical requests, it is still unclear what constitutes unfounded or excessive, so caution should be exercised when considering refusing a DSR.

If you do choose to refuse to deal with the desert, you must inform the individual without undue delay and within one month of receipt of the request of the reasons you are not taking action, their right to make a complaint to their supervisory authority, and their ability to seek to enforce their right through a judicial remedy. And we will discuss in the following lessons some situations when refusing the invitation really makes sense. In my experience, responding to DCARs can be a time-consuming and labour-intensive exercise, especially when an individual makes a broad request for access to all of their personal data. So if you process a large amount of information about an individual, you can ask them for more information to clarify the request. That means, where a particularly broad request is received, it might be sensible to seek to agree on the search parameters with the requester.

However, you should only ask for information that you reasonably need to find the personal data covered by the request. Further, while the period for responding to the request only begins when you receive the additional information, there could be a supervisory authority audit related to any organisation seeking clarification simply as a delaying tactic. In any event, if an individual refuses to provide the additional information requested, you are still obliged to comply with the request by making reasonable searches. We would advise that every organisation have someone in charge of coordinating the search for an individual’s data and responding to a DSR. Specialist document management providers can assist with carrying out searches using date,  range, and keyword parameters. While such services are not free, investing in this technology will not only ensure that you comply with the DSR on time, but will also demonstrate to the requester and the supervisory authority that you did everything possible to capture all relevant personal data.

One of the most challenging aspects of dealing with the DSAR is deciding what an organisation can legitimately withhold from the requester. Usually, you can withhold personal data if it is necessary and proportionate to do so too. Avoid obstructing an official or legal inquiry, investigation, or procedure. Avoid prejudicing the prevention, detection, investigation, or prosecution of criminal offences or the execution of criminal penalties to protect public security, national security, or the rights and freedoms of others of particular concern. We’ll be ensuring that in responding to the DSR, you are not disclosing the personal data of other individuals. Here, you do not have to comply with the request if it would mean disclosing information about another individual who can be identified from that information unless the other individual has consented to the disclosure or it is reasonable to comply with the request without the individual’s consent.

However, we will go over this in greater detail in the following lesson. Deciding whether to disclose information relating to a third party will involve balancing the data subject’s rights of access against the other individual’s rights. In responding to a request, organisations need to provide the following information to the requester: the purposes and legal basis for the processing of personal data. The categories of personal data concerned recipients or categories of recipients to whom the personal data had been disclosed. The period for which it is envisaged that the personal data will be stored The existence of the data subject’s rights to request from the controller rectification or erasure of personal data or the restriction of its processing; the existence of the data subject’s rights to lodge a complaint with the commissioner or supervisory authority; and the communication of the personal data undergoing processing and of any available information as to its origin. While the above list may seem quite long, much of the information should already be set out in an organization’s privacy policy or statement, and so can be lifted from that in terms of the form of the response itself.

The GDPR requires that the information you provide to an individual be in a concise, transparent, intelligible, and easily accessible form using clear and plain language. It should be noted that the obligation to provide access to personal data applies to the information itself, not the documents containing the information. However, in reality, it may be too difficult and time-consuming to separate the information from the documents, and for this reason, it is not unusual for responses to DSRS to attach a series of documents held by an organisation that contain the individual’s personal data. There is a suggestion in Recital 63 of the GDPR that the response to the DSR should be made available to the individual via a secure online system. However, this is not a strict requirement. and an organization’s ability to do so will depend on its size and resources. This is our situation for now. see you in the next one.

  1. Dealing with SARs involving other people information- part 1

Hi, guys. In this lesson, we will discuss dealing with subject access requests involving other people’s information. Responding to Asar may involve providing information that relates both to their request and to another individual. For example, an employee makes a request to her employer for a copy of her human resources file. The file contains information about identity, identifying managers and colleagues who have contributed to the file. This will require you to reconcile the requesting employee’s right of access with the third party’s rights with respect to their own personal data. The basic rule says that you do not have to comply with the SAR if to do so would mean disclosing information about another individual who can be identified from that information, except where the other individual has consented to the disclosure, or if it is reasonable in all the circumstances to comply with the request without the individual’s consent. So, although you may sometimes be able to disclose information relating to a third party, you need to decide whether it is appropriate to do so.

In each case, this decision will involve balancing the data subject’s rights of access against the other individual’s rights with respect to their own personal data. If the other person consents to you disclosing information about them, it would be unreasonable not to do so. However, if there is no such consent, you must decide whether to disclose the information anyway. You should make decisions about disclosing third-party information on a case-by-case basis. You must not apply a blanket policy of withholding it for the avoidance of doubt. You cannot refuse to provide a subject access to personal data about an individual simply because you obtained the data from a third party. To help you decide whether to disclose information relating to a third-party individual, it helps to follow the three-step process. Step One: Does the request require the disclosure of information that identifies a third party? You should consider whether it is possible to comply with the request without revealing information that relates to or identifies a third party.

In doing so, you should take into account the information that you are disclosing and any information you reasonably believe the person making the request may have or may get hold of that would identify the third-party individual. In the previous example about a request for an employee’s human resources file, even if a particular manager is only referred to by their job title, it is likely they will still be identifiable based on information already known to the employee making the request. As your obligation is to provide information rather than documents, you may delete names or edit documents if the third-party information does not form part of the requested information. However, if it is impossible to separate the third-party information from that requested and still comply with the request, you need to take account of the following steps: Step number two: has the third-party individual consented? In practice, the clearest basis for justifying the disclosure of third-party information in response to ASR is that the third party has given their consent. It is therefore good practise to ask relevant third parties for consent to the disclosure of their personal data in response to OSR. However, you are not obliged to try to get consent, and in some circumstances, it will clearly be reasonable to disclose without trying to get consent, such as where the information concerned will be known to the requester anyway. Indeed, it may not always be appropriate to try to get consent.

For instance, doing so would inevitably involve the disclosure of personal data about the requester to a third party. Step Number Three: Would it be reasonable in all the circumstances to disclose without consent? In practice, it may sometimes be difficult to get third-party consent. For example, the third party might refuse consent or be difficult to find. If so, you must consider whether it is reasonable in all the circumstances to disclose the information without the third party anyway. You should take care of these factors when making the decision: any duty of confidentiality owed to the third party individual; any steps you have taken to try to get the third party individual’s consent; whether the third party individual is capable of giving consent; and any stated refusal of consent by the third party individual. This is all for now. Let’s continue in the next lesson.

  1. Dealing with SARs involving other people information- part 2

Hi, guys. Continue with aspects of confidentiality and other relevant factors to consider when deciding whether to respond to an SAR involving other people’s information. Confidentiality is one of the factors you must take into account when deciding whether to disclose information about a third party without their consent. A duty of confidence arises where information that is not generally available to the public and that is generally confidential has been disclosed to you with the expectation that it will remain confidential. This expectation might result from the relationship between the parties.

Medical for doctor and patient; employment employer and employee; legal solicitor and client; financial bank and customer; and caring counsellor and client, for example, would all have a duty of confidentiality in relation to information disclosed. However, you should not always assume confidentiality. For example, a duty of confidence does not arise merely because a letter is marked confidential. Although this marking may indicate an expectation of confidence, it may be that the information in such a letter is widely available elsewhere and does not have the necessary quality of confidence. Or there may be other factors, such as the public interest, that mean that an obligation of confidence does not arise. In most cases where a duty of confidence does exist, it will usually be reasonable to withhold third-party information unless you have the third-party individual’s consent to disclose it. In addition to the factors already discussed, the following points are likely to be relevant to a decision about whether it is reasonable to disclose any information about a third party in response to a SAR.

These points are generally known to the individual making the request. If the third-party information has previously been provided to the individual making the request, is already known to them, or is generally available to the public, it will be more likely to be reasonable for you to disclose that information. It follows that third-party information relating to a member of staff acting in the course of their duties, who is well known to the individual making the request through their previous dealings, for example, would be more likely to be disclosed than information relating to an otherwise anonymous private individual. Circumstances relating to the individual making the request and the importance of the information to the requester are also relevant factors. The need to preserve confidentiality for a third party must be weighed against the requester’s right to access information about his or her life. Therefore, depending on the significance of the information to the requester, it may be appropriate to disclose it even where the third party has withheld consent. Health, educational, and social work records Special rules govern subject access to health, educational, and social work records. In practice, these rules mean the relevant information about health, education, or social work professionals should usually be disclosed in response to a SAR. Whether you decide to disclose information about a third party in response to a SAR or to withhold it, you will need to respond to the requester.

If the third party has given their consent to the disclosure of information about them, or if you are satisfied that it is reasonable in all the circumstances to disclose it without consent, you should provide the information in the same way as any other information provided in response to the SAR. If you have not gotten the consent of the third party and you are not satisfied that it would be reasonable in all the circumstances to disclose the third party’s information, then you should withhold it. However, you are still required to communicate as much of the requested information as you can without disclosing the third-party individual’s identity. Depending on the circumstances, it may be possible to provide some information after having edited or redacted it. To remove information that would identify the third-party individual, you must be able to justify your decision to disclose or withhold information about a third party. So it is good practise to keep track of what you decide and why. For example, it would be sensible to note why you choose not to seek consent or why it is inappropriate to do so in the circumstances. This is all for now. See you in the following lesson.

img