Blog
Suspension of the UK’s Refugee Family Reunion scheme: an afront to the principle of family unity
Oliver Oldman
Emily Carter asks whether the proposed reforms within the Data Protection and Digital Information (No. 2) Bill (‘the Bill’) are likely to simplify the challenges of responding to Data Subject Access Requests (‘DSARs’) or whether this is an area which is only going to get more complicated and time consuming.
A DSAR may be made in minutes, but it may take an organisation many weeks, or even months, to prepare a response. A simple request by an employee for ‘all of my personal data’ may create a significant challenge for any organisation, both to identify the personal data and to ensure that other competing rights are not infringed, especially the privacy of other people. Technical support is frequently required to identify and review data, and legal input may be needed.
The ICO Guidance refers to the limits of principles of proportionality and reasonableness but the example given with respect to emails provides. The guidance refers an employee seeking all their data giving rise to 2,000 emails which the employee is copied into as a recipient and which do not contain the employee’s personal data, other than the email address. In reality, an employee in post for 5 years may have sent or received closer to 200,000 emails which may contain personal data of the employee and various other people both internal and external to the organisation. Meanwhile, the guidance on when requests may be refused on the basis that they are ‘manifestly excessive’ or ‘manifestly unfounded’ can be difficult to apply.
The Government’s reforms are expressly intended to relieve the burden of compliance on organisations. It acknowledged within its consultation response that organisations of all sizes and across range of sectors found responding to DSARs time consuming and resource intensive. Unfortunately, The Bill is unlikely to relieve the pressure caused by DSARs.
It is proposed to amend the current threshold for refusing to respond (or charge a fee for responding) to any individual request from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive.’ The relevant factors within the Bill closely reflect the existing factors within the ICO’s guidance, although the Bill specifies that ‘vexatious’ requests include those intended to cause distress, not made in good faith or an abuse or process. It remains unclear:
Difficult judgment calls will still need to be made. Refusals often lead to complaints, and the ICO will continue to seek convincing justification as to why an organisation should not give effect to an individual’s statutory rights. Subject access rights are considered a critical component of our data protection framework and the threshold to refuse is likely to remain high.
At present, upon receipt of any individual data protection complaint, the ICO will ask whether the organisation has already been given an opportunity to resolve the complaint. The Government proposes making this request a formal requirement.
In accordance with the Bill, organisations will be required to facilitate the making of complaints and take appropriate steps to respond, including making enquiries into the subject matter of the complaint and informing the complainant about the progress of the complaint. Meanwhile, the ICO may refuse to deal with a complaint which has not already been considered by the relevant organisation.
These new measures are designed to ease the burden upon the ICO, which received more than 30,000 data protection related complaints, including 13,000 complaints solely concerning subject access requests, in the financial year 2021 / 2022.[1] However, common sense suggests that the burden will increase upon organisations to deal with concerns and complaints about DSAR responses within a more formal framework.
The Government’s recently updated Impact Assessment indicates that UK organisations may save costs of between £9.3 million and £153 million with respect to the reforms relating to DSARs. This appears to be based upon the assumption that the reforms will lead to a 25% decrease in DSARs received.
Realistically, there is little prospect that the burden upon organisations will lessen. The change in threshold for refusing to respond, given this will remain a relatively rare event, is unlikely to make any significant dent on numbers. Further, requests which are potentially excessive or vexatious often generate significant correspondence themselves. Many DSARs will remain inherently tricky and time consuming where difficult principles based balancing exercises need to be undertaken on a document by document basis. Meanwhile, organisations may also need to demonstrate that complaints receive an appropriate response within a formal process.
DSARs, and the wide range of issues involved, are here to stay. Therefore, organisations will need to cope with the inevitable administrative weight of DSARs, irrespective of the promise of decreased burden of compliance. Further, great care should be taken by the ICO to ensure that organisations have the benefit of clear and reasonable guidance on the issues above, after full consultation, once the Bill becomes law.
Meanwhile, the UK’s Public Bill Committee is seeking written evidence as it undertakes the important work of scrutinising the Bill line by line. As it is sitting on 10 May 2023, all evidence is sought as soon as possible with the expectation that the committee will report on 13 June 2023.
Should you require assistance with your organisation’s response to a Data Subject Access Request, or support with any other aspect of compliance with the data protection legislation, please contact Emily Carter or the Data Protection team.
Emily Carter is a Partner in our Public Law team with expertise in Data Protection law and and regularly assists organisations with respect to data subject access rights.
We welcome views and opinions about the issues raised in this blog. Should you require specific advice in relation to personal circumstances, please use the form on the contact page.
Oliver Oldman
Charlotte Daintith
Sharon Burkill
Skip to content Home About Us Insights Services Contact Accessibility
Share insightLinkedIn X Facebook Email to a friend Print