What next for Data Subject Access Requests (DSARs)? The direction of travel

Data subject access requests (DSARs) are a cornerstone of the data protection regime, being fundamental in helping individuals to exercise their rights. If individuals do not know what information an organisation has about them then how can they understand if their information is being used lawfully? While DSARs have been around for many years, the introduction of the General Data Protection Regulation (GDPR) in the EU and its equivalent legislation in the Channel Islands brought awareness of this right to the centre stage, with those who had never previously thought much about data protection becoming aware of their personal rights. This energised the use of DSARs and many more organisations have, often for the first time, had to respond to a DSAR (see our article here for more information about what to do if you are facing a DSAR.)

Click to view article

The pain of getting it wrong

Much has been written about the stiff penalties under the current data protection regimes. A failure to properly respond to a DSAR may result in the individual submitting a complaint to the relevant data protection authority and upon receiving a complaint the authorities in the Channel Islands are obliged to investigate (except, in Jersey, if the complaint is clearly unfounded, frivolous, vexatious, unnecessarily repetitive or excessive or the authority has taken a different action). While the initial contact between the authority and the organisation is made promptly, the rest of the investigation can take months, if not years, before reaching a conclusion. Where a breach determination is made, the authority can impose a reprimand, warning, enforcement order or an administrative penalty together with a public statement. The Guernsey authority works on the presumption that a public statement will be made. The Channel Island’s data protection regulators, being the Office of the Data Protection Authority (ODPA) in Guernsey and the Jersey Office of the Information Commissioner (JOIC) in Jersey have taken different stances in responding to DSAR failures by organisations.

In Guernsey, the ODPA has taken a robust positon on these failures. Of particular note for Guernsey organisations are two decisions, outlined below.

  • One business was given a public reprimand by the ODPA over a delayed and incomplete response to a DSAR. The business had not responded within the required time frame of one month and it did not inform the individual of the business’ reasons for not complying with the DSAR. In reaching its decision the ODPA noted both the efforts made by the business to respond to the DSAR and that the nature of the DSAR required the business to access archived information, the retrieval of which was not straightforward. It was also acknowledged that the business cooperated with the ODPA. Notwithstanding this, the ODPA issued a public reprimand.
  • In the second decision the facts were very similar in that a business received two DSARs and then failed to respond within the required time frame as well as not notifying the individual of the business’ reasons for not complying with the DSAR. In this case however, the business had sent an initial response to the individual but it was not deemed to be a complete response. The ODPA stated that the business “did not have an appropriate understanding of the statutory obligations it had as a Controller under the Law. It was clear that this and the lack of established internal procedures, contributed to the failure to comply with the requests in the manner required by Law”. In the circumstances, even though a partial response had been given, the ODPA imposed a public reprimand.
The position in Jersey differs in that, even though Jersey has nearly twice the population of Guernsey and a larger number of businesses and organisations, the JOIC has not yet issued any public reprimands to private organisations about DSAR failings. The JOIC has thus far repeatedly emphasised the educational element of its remit.

Dissatisfaction

The increase in use of DSARs by individuals, accompanied by potential penalties (actually or theoretically) under the data protection legislation, has caused something of a backlash by some organisations who see DSARs as either being a tool used by individuals for causing inconvenience and trouble (for example where a former employee is engaged in an on-going dispute with the organisation) or that the effort needed in order to properly respond to a DSAR is disproportionate.

On the other side individuals frequently feel frustrated by the DSAR response they receive from an organisation, with a sense that the organisation has not responded properly by either undertaking an inadequate search or by withholding personal data it ought to have provided. When looking at a DSAR response it is very difficult for an individual to know what has been omitted and even if they make a complaint to the relevant data protection authority, unless the individual actually knows what they should be seeing in the response, it is very difficult to know if the organisation has actually done what it ought to have done in responding to the DSAR.

The data protection authorities in the Channel Islands and elsewhere also feel the pain of DSARs. While they have emphasised that the individual’s DSAR right is a free standing right, as is the right to complain to the authority about an organisation’s DSAR failings, the authorities have acknowledged that these rights are tools for litigation, with the authorities’ limited resources being used in investigating DSAR complaints which may later be withdrawn upon the litigation settling.

Where next?

On 28 January 2022, the European Data Protection Board (EDPB) published draft guidelines on DSARs which was then followed by period of public consultation.   While much of the guidance was well received as being sensible, it contained a catch: the assertion that there is no proportionality limit on the need to respond to a request. Many businesses facing a DSAR struggle most with deciding on a reasonable scope for the search, so would have welcomed the ability to take only proportionate steps to recover personal data, but the EDPB did not provide this comfort and instead acknowledged that the amount of data that the search may reveal is very vast. While the EDPB is significantly influential on other regulators, including the ODPA and the JOIC, it does not make laws and there are various cases relating to DSARs moving through the national courts of the EU.

Post Brexit, the EDPB’s guidance may not have much impact in the UK. The direction of travel in the UK is from a historic position where DSARs made in the UK required an organisation to search more broadly than an organisation in the EU would be required to search. However, there appears to be a movement towards DSARs becoming easier for organisations to respond to. The UK government has suggested that a cap should be imposed as to the costs that an organisation needs to spend in responding to a DSAR, with that cap being of only a few hundred pounds. Similarly, the Information Commissioner’s Office (ICO) in the UK has issued guidance that the organisation does not need to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information.

Data protection regulators watch and are influenced by the actions and decisions of each other. The two key regulators influential on the Channel Islands’ authorities are the EDPB and the UK’s ICO and it seems that the path as to the scope of the necessary searches is dividing. No indications have been given so far by the ODPA or the JOIC as to which path they would expect Channel Islands’ organisations to follow so it seems that, to be safe, organisations should follow the EDPB’s position as best practice. This is particularly so in Guernsey given the first of the decisions referred to above. However, an organisation, if backed into a corner, could look to argue reliance on the ICO’s position. Whether this UK position would be acceptable in the Channel Islands is yet to be confirmed.

GUERNSEY
Chris Hutley-HurstPartnerT +44 (0) 1481 758 950chris.hutley-hurst@walkersglobal.com
Sarah AshGroup Partner*T +44 (0) 1481 748 935sarah.ash@walkersglobal.com
Jamie BooklessSenior CounselT +44 1481 748 926jamie.bookless@walkersglobal.com
Danielle BrouardSenior CounselT +44 (0) 1481 748913danielle.brouard@walkersglobal.com
Jarrad KnoetzeAssociateT +44 (0) 1481 748 944Jarrad.Knoetze@walkersglobal.com

JERSEY
Daniel ReadPartnerT +44 (0) 1534 700 764daniel.read@walkersglobal.com
Tatiana CollinsSenior CounselT +44 (0) 1534 700 757tatiana.collins@walkersglobal.com
Jenny BruntonAssociateT +44 (0) 1534 700 766Jenny.Brunton@walkersglobal.com