
Data Subject Access Requests: Should organisations expect the burden of responding to ease?

9 May 2023

Emily Carter asks whether the proposed reforms within the Data Protection and Digital Information (No. 2) Bill (‘the Bill’) are likely to simplify the challenges of responding to Data Subject Access Requests (‘DSARs’), or whether this is an area which is only going to get more complicated and time consuming.

The DSAR dilemma

A DSAR may be made in minutes, but it may take an organisation many weeks, or even months, to prepare a response. A simple request by an employee for ‘all of my personal data’ may create a significant challenge for any organisation, both to identify the personal data and to ensure that other competing rights are not infringed, especially the privacy of other people. Technical support is frequently required to identify and review data, and legal input may be needed.

The ICO Guidance refers to the limits of the principles of proportionality and reasonableness, but the example it gives with respect to emails is of limited practical help. The guidance refers to an employee seeking all their data, giving rise to 2,000 emails into which the employee is copied as a recipient and which do not contain the employee’s personal data other than the email address. In reality, an employee in post for 5 years may have sent or received closer to 200,000 emails, which may contain personal data of the employee and of various other people both internal and external to the organisation. Meanwhile, the guidance on when requests may be refused on the basis that they are ‘manifestly excessive’ or ‘manifestly unfounded’ can be difficult to apply.

Key reforms affect subject access rights

The Government’s reforms are expressly intended to relieve the burden of compliance on organisations. It acknowledged within its consultation response that organisations of all sizes and across a range of sectors found responding to DSARs time consuming and resource intensive. Unfortunately, the Bill is unlikely to relieve the pressure caused by DSARs.

1. When an organisation can refuse to respond to DSARs

It is proposed to amend the current threshold for refusing to respond (or charging a fee for responding) to any individual request from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. The relevant factors within the Bill closely reflect the existing factors within the ICO’s guidance, although the Bill specifies that ‘vexatious’ requests include those intended to cause distress, not made in good faith or an abuse of process. It remains unclear:

  • Whether making a DSAR for purposes other than the purpose cited within the UK GDPR, i.e. to “be aware of, and verify, the lawfulness of processing data” (Recital 63), will amount to an ‘abuse of process’ allowing an organisation to refuse to respond.
  • Whether the amended wording of ‘excessive’ requests provides a lower threshold than the existing wording of ‘manifestly excessive’ requests.

Difficult judgment calls will still need to be made. Refusals often lead to complaints, and the ICO will continue to seek convincing justification as to why an organisation should not give effect to an individual’s statutory rights. Subject access rights are considered a critical component of our data protection framework, and the threshold to refuse is likely to remain high.

2. Introduction of a mandatory complaints process

At present, upon receipt of any individual data protection complaint, the ICO will ask whether the organisation has already been given an opportunity to resolve the complaint. The Government proposes making this request a formal requirement.

In accordance with the Bill, organisations will be required to facilitate the making of complaints and take appropriate steps to respond, including making enquiries into the subject matter of the complaint and informing the complainant about the progress of the complaint. Meanwhile, the ICO may refuse to deal with a complaint which has not already been considered by the relevant organisation.

These new measures are designed to ease the burden upon the ICO, which received more than 30,000 data protection related complaints, including 13,000 complaints solely concerning subject access requests, in the financial year 2021 / 2022.[1] However, common sense suggests that the burden will increase upon organisations to deal with concerns and complaints about DSAR responses within a more formal framework.

Conclusion

The Government’s recently updated Impact Assessment indicates that UK organisations may save costs of between £9.3 million and £153 million with respect to the reforms relating to DSARs. This appears to be based upon the assumption that the reforms will lead to a 25% decrease in DSARs received.

Realistically, there is little prospect that the burden upon organisations will lessen. The change in threshold for refusing to respond, given that refusal will remain a relatively rare event, is unlikely to make any significant dent in numbers. Further, requests which are potentially excessive or vexatious often generate significant correspondence themselves. Many DSARs will remain inherently tricky and time consuming where difficult principles-based balancing exercises need to be undertaken on a document-by-document basis. Meanwhile, organisations may also need to demonstrate that complaints receive an appropriate response within a formal process.

DSARs, and the wide range of issues involved, are here to stay. Therefore, organisations will need to cope with the inevitable administrative weight of DSARs, irrespective of the promise of decreased burden of compliance. Further, great care should be taken by the ICO to ensure that organisations have the benefit of clear and reasonable guidance on the issues above, after full consultation, once the Bill becomes law.

A call for evidence

Meanwhile, the UK’s Public Bill Committee is seeking written evidence as it undertakes the important work of scrutinising the Bill line by line. As it is sitting on 10 May 2023, all evidence is sought as soon as possible, with the expectation that the committee will report on 13 June 2023.

FURTHER INFORMATION

Should you require assistance with your organisation’s response to a Data Subject Access Request, or support with any other aspect of compliance with the data protection legislation, please contact Emily Carter or the Data Protection team.


ABOUT THE AUTHOR

Emily Carter is a Partner in our Public Law team with expertise in Data Protection law and regularly assists organisations with respect to data subject access rights.
