Subject Access Request exemptions: When can information be withheld?

Now more than ever, we are acutely aware of the significance of personal data. Important questions are being asked on a daily basis as to how companies process data, how long data is being stored, and what it’s being used for. Individuals have a legal right to know the answers to these questions, and companies have a legal obligation to provide the information.

Over the past few years, and especially since the pandemic, there has been a significant rise in the number of people submitting Data Subject Access Requests (DSARs).

This blog will cover some helpful background about DSARs and explore the frequently asked question: what should be included in a DSAR and what can be withheld?

What is a DSAR?

Data Subject Access Requests (DSARs), also known as Subject Access Requests (SARs), are formal inquiries by individuals to organisations, seeking details about their collected and stored personal information.

Under the European Economic Area’s General Data Protection Regulation (GDPR) and UK GDPR, individuals have a legal right to access the personal information held about them. A DSAR can be made verbally or in writing (including social media and messaging platforms), and doesn’t need to be directed to a specific person within an organisation.

These are all examples of DSARs:

  • “I want to know what information you have about me”

  • “Can I see my HR file?”

  • “Can you send me a copy of my email correspondence?”

  • “What are my account details?”

Why are DSARs important?

DSARs promote transparency of data processing practices within organisations and empower individuals to have control over their personal information. However, DSARs are often seen as a burden. In-house resources are frequently unavailable, with staff and managers lacking experience in best practice DSAR processes.

DSARs can bring many benefits and should be seen as a helpful assistant for achieving strong data governance. DSAR processing can lead to improved operations, better staff awareness, and offer a valuable opportunity to enhance customer trust and satisfaction.

Trust – Fulfilling DSARs demonstrates respect for the privacy rights of customers and staff, which builds trust and increases loyalty. For the life sciences, it is crucial to gain the trust of clinical trial participants.

Confidence – Promptly addressing DSARs reduces the risk of complaints and disputes and bolsters business reputation.

Improved internal operations – By reviewing requested data, companies can gain crucial insights and make important improvements to data protection practices.

What should be included in a DSAR response?

Each DSAR needs to be tackled on a case-by-case basis and the information to be included depends on the specific details of the request.

In general, these are the most common types of DSARs companies need to process:

Data summary – This type of request typically requires a company to provide a complete list of all personal data held about someone. If the data includes other individuals’ personal information, it must be redacted to prevent a breach.

Data processing confirmation – Individuals have the right to seek confirmation regarding the processing of their personal data. Companies must provide this information upon request, including details such as the purposes of the data processing, the categories of data collected, and the retention period. These details are similar to those included in a Privacy Policy.

Data correction – Individuals sometimes contact a company to ask for confirmation of their details and then ask for updates such as new address or payment details. For this type of request, the information needs to first be provided and then revised as requested.

Employee requests – These are just as important as customer requests and should be treated with equal urgency. Companies often store sensitive information, such as medical details, which would require additional care in terms of data protection.

Timeframes and deadlines

A DSAR must be responded to within one month of receiving the request. The clock can be paused if anything in the request requires clarification, but this cannot be used as a delay tactic.

The response time can be extended by a further two months (giving three months in total), but only if the request is deemed complex or if multiple requests have been submitted by the same individual.

Complex requests might include:

  • Technical difficulties in retrieving stored information

  • Public authorities needing to search large volumes of unstructured manual records

  • Clarifying confidentiality issues around the disclosure of sensitive medical information to an authorised third party

  • Needing to obtain any specialist legal advice

These are not necessarily deemed complex:

  • Large volumes of information (although this can add challenges to a complex case)

  • High volumes of separate DSARs

  • Needing to retrieve data from multiple systems

Exemptions: What are the grounds for withholding data?

DSAR exemptions have caused significant confusion for organisations, with the misinterpretation of guidelines recently resulting in over 15,000 complaints to the UK’s Information Commissioner’s Office (ICO) between April 2022 and March 2023.

There are several exemptions that allow organisations to withhold data in response to a DSAR. However, the individual must receive an explanation of why data is being withheld within one month of the request being received. Additionally, they have the right to file a complaint with a supervisory authority and to seek a judicial remedy.

These are some of the main reasons for valid exemptions:

Manifestly unfounded or excessive – This means the request is clearly baseless or unreasonable and is determined case-by-case. Examples of this are requests made with the sole purpose of harassing or disrupting, or an unspecified request so broad and vague it would require a disproportionate amount of time to fulfil.

To safeguard other individuals’ data – There is an exemption for disclosing data that would identify another person, unless the other person has given their permission.

To protect the rights and freedoms of others – This is outlined in Article 15(3) of the GDPR. An exemption applies if disclosing information in response to a request could impinge upon the rights and freedoms of others, for example revealing identities or personal opinions.

Crime prevention – Personal data processed for crime and tax-related purposes is exempt from the right of access and includes the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of a tax or duty. The exemption applies only to the extent that complying with the right of access would likely prejudice these purposes.

Information used for management forecasting or planning – There is an exemption from complying with a DSAR if it relates to personal data being used for management forecasting or planning such as sales projections, staffing plans and financial forecasts. Disclosing this information could prejudice the business and reveal sensitive information about company operations and future plans.

DSAR best practice

The key to a successful DSAR is good preparation and solid data governance. If you are struggling to respond to a request, it might be a red flag to review your overall data management processes.

Here are some helpful tips for DSAR best practice:

  1. Data mapping – Essentially, know what data is stored and being processed in the company. This can be done through a Record of Processing Activities (RoPA) and visual data maps.

  2. Clear internal procedures – A DSAR Policy and Procedure document is vital. This should include an explanation of what a DSAR looks like and steps for how to process a response.

  3. Staff training – General data protection training for staff is a crucial element of successful data management and will help to enforce a positive privacy culture. Training also ensures employees can identify a DSAR and helps them to understand their responsibilities.

  4. Regularly review points 1-3