Once the preliminary steps for handling a Data Subject Access Request (DSAR) are out of the way and you are ready for action, how do you make sure you perform a search for personal data that complies with the GDPR requirements?
Understand the request
Go back to the request and make sure you comply with any parameters set out in it, such as time periods or the geographical locations where the personal data is held.
Consider the request carefully to ensure you understand what the data subject is asking for and, if you don’t understand, ask for clarification.
Where is the information?
Map out systems, devices, apps and hard-copy filing systems, considering where data is likely to be stored. Remember that this will include archives and backups.
What is the standard of the search?
The ICO guidance makes it clear that businesses should perform a reasonable and proportionate search.
What is reasonable and proportionate will depend on:
- The circumstances of the request;
- Difficulties involved in finding the information; and
- The fundamental nature of the right of access.
We recommend you document the approach you take to the search by completing a search scope and fulfilment form. The form sets out the scope of the DSAR and the approach taken to searching for the personal data, to ensure that your approach is reasonable and proportionate in all circumstances.
When carrying out your search, an important point to note is that “deletion” can mean a number of things. If an email is moved to a deleted mailbox, it will still be searchable, and a document which is deleted from a company’s active systems might still be retained in a backup or archive, both of which would be searchable. However, information which might technically be able to be reconstituted with great effort and expense after it is removed from your systems is unlikely to fall within what is reasonable and proportionate for you to search. You should always consider this point on a case-by-case basis and document your decision and thought process in your search scope and fulfilment form.
What is personal data when fulfilling a DSAR?
When conducting a search for personal data it is really useful to go back to this basic question – what is personal data? Personal data is defined as “any information relating to an identified or identifiable natural person”.
Some personal data is obvious, such as names and addresses, but don’t forget about less obvious categories. Inferred data is personal data which the controller infers about a person based on information the controller processes. Pseudonymised personal data is personal data from which direct identifiers (such as a name) have been removed and are held separately. Pseudonymised data is personal data in the hands of someone who holds the additional data. It’s also easy, in this tech-driven era, to overlook paper records (those which are or are intended to form part of a structured filing system).
Not all personal data falls within the scope of a DSAR though. Even where an individual’s name appears on an email chain or in a document, you must consider whether the focus of the document or email is “obviously” about them. For example, business emails relating to landing a new client, which are focused on the contract negotiation, are unlikely to be “personal data” relating to the individual. However, the context of the request is important and all documents containing personal data need to be reviewed on a case-by-case basis.
How to perform a search
So how do you go about actually searching for information? There are several techniques that might be relevant. You could consider appropriate keywords to use to search for data; date ranges may be appropriate, and geographic search areas might work in some instances. Considering who the requester has come into contact with on a day-to-day basis is also a good indicator of who may have personal data relating to them. The use of these techniques will of course depend on the circumstances of the DSAR in question, so the scoping questions should be carefully thought out to maximise the locations that personal data may be held in.
For more complex DSARs or DSARs with large volumes of personal data, you might opt to bring in the experts (that is us, by the way) who can use expertise and technology to quickly and efficiently locate, exclude and then review information.
What about third-party data?
When the information has been gathered, it will need to be reviewed for relevance, to establish whether any exemptions are relevant (which we will discuss later in the month) and to consider what to do about any third-party data which is contained within the information.
Third-party data cannot be disclosed to the person making the DSAR unless the third party has consented or you have reasonable grounds to disclose the information without the third party’s consent.
One way of dealing with third-party data is to redact it. This is not always straightforward, as you need to ensure that the method you use to redact is effective and not reversible (for example, if you use pen to redact, it may still be possible to see the information if it is held up to the light). You also need to be aware that simply removing the third party’s name is often not enough to ensure they cannot be identified. There may be indirect identifiers in the information which would allow someone to work out who the third party is.
If you are considering disclosing the information without the third party’s consent, you will need to balance the data protection rights of the third party against the data subject’s right of access. Before you do this, you should consider whether you can remove the third party’s personal data, whether it is possible to ask for their consent and, finally, whether it is reasonable to disclose without consent. This assessment will depend on a number of factors, such as the sensitivity of the information, duties of confidentiality, whether the information is known to the data subject, the significance of the information to the requester and the circumstances surrounding the lack of consent to disclosure.