"Data Subject Access Requests" (or DSARs as they are affectionately known) are not a new concept. Employers have been wrestling with their obligation to allow individuals access to their personal data for many years now. However, with the advent of the new era of GDPR, DSARs have been reformed.
As 'data controllers', law firms are knee-deep in the new regime, and countless hours of training have undoubtedly been endured to make ready. This article isn't intended to be a recap of every facet of the new system (albeit a bit of scene-setting is needed for dramatic effect); it is really intended to provide a few pointers for firms who have yet to really grapple with life pre-Brexit but post-GDPR. Specifically, it is intended to address a trend that, as a litigator specialising in the defence of claims brought against the legal profession, I am seeing more now than ever before, being the use of DSARs as a litigation tactic. Tempting though it is to cry foul at this blatant attempt to circumvent the legal process and obtain an early advantage, the Courts (and more recently the ICO itself) have validated this as a legitimate tactic, so we can expect to see more of this as knowledge of the new system expands.
The DSAR regime
Under the GDPR, law firms are required to hold personal data subject to seven overriding principles, being:
• Lawfulness, fairness and transparency of use
• Limitation of purpose
• Minimisation of data
• Accuracy of data
• Limitation of storage
• Integrity and confidentiality (security)
• Accountability
The DSAR process is intended to give identified or identifiable living individuals the right, subject to certain exceptions, to obtain a copy of all personal data held by the firm at the date of the request that relates to them. It is intended to be a safety check for the individual – who need not be a client of the firm - to be able to ascertain whether the information being held about them is being administered consistently with the seven principles.
For the firm facing the prospect of a claim, dangers lurk at every turn. Disclosing a document that need not (or, worse, ought not) be disclosed is likely to have enormous repercussions in the litigation that follows. But a careless DSAR response may also attract the attention of the Information Commissioner's Office (ICO), which will inevitably fan the flames of the dispute yet further. The remainder of this article is split between precautions that firms might be wise to take in preparation for the inevitable uptick in DSAR activity, and actions that they might initiate once a DSAR is received.
What to do before the request comes in
At the risk of stating the obvious, if personal data relating to the individual has been previously held by the firm but has been legitimately deleted or anonymised before the request is received, not only will that make the searching process easier but that data won't be caught by the DSAR. So, the best way to make life easy under the new regime - and to avoid criticism or exploitation in the DSAR process - is to ensure that firms only hold the bare minimum amount of data necessary to fulfil their business needs. A meaningful review (rather than the possibly cursory, pre-May 2018 review that many of us undertook) of how data is entered, stored and retained on your systems would be time well spent not only to ensure regulatory compliance but also to minimise future litigation risk. Do you really need to store your client files for 15 years and a day when Law Society guidance says 6? Even if so, can some of the data be deleted or anonymised? Can you take some of the data 'offline' so as to minimise the risk of data breach? Do you need to keep your entire file on each former employee or can aspects of it be deleted? Could you make it part of your exit protocol to undertake a search of all data held about the exiting employee, so that you can at least pool all of the data in one place, ready for review if a DSAR comes in?
Next, given that DSARs can be made to anyone in your organisation verbally, in writing or via social media, it is important that all staff are made aware of what a DSAR is, and the need to report the receipt of one as quickly as possible. Deadlines for responding will pass in a flash even when you have all of the time available, so don’t run the risk of delayed notification making life harder still.
Finally, have a process that works (road test it), and then have someone in your organisation own it. As I set out below, amending or deleting data (or metadata) after the request comes in is very dangerous territory, and criminal sanctions exist to catch out the unwary. It is imperative that someone in your organisation knows the regulations inside out and backwards, so that they can see the pitfalls and know how to avoid them. I would suggest that the same person owns each request so that not only do they assimilate and collate the data but they also ensure that only what is required is provided, it is provided in the right way (using clear and appropriate language and with all abbreviations explained), and that everything is done within the statutory timeframe.
Ultimately, you will want the DSAR process to take up as little valuable management time as possible, so having the least amount of data held in the fewest possible locations and administered by the best trained staff has to be in your interests, and those of the individual making the request.
Dealing with the request
Now, this is all well and good, but what about when the DSAR arrives? The first thing to do is to start the stopwatch; one calendar month is now available within which to respond fully and substantively (down from 40 days under the previous regime), calculated from the day after the request is received (whether or not a working day). If there is no corresponding date in the following month, the deadline is the last day of that month, and if the deadline falls on a non-working day, the date for compliance will be the next working day thereafter.
The timeframe is extendable by up to two further months, but only if the request is complex or if a number of requests have been received from the individual concerned. That judgement is yours as the responding party, but it must be justifiable and it needs to be communicated to the individual, with reasons, within the first month. Before assuming this gives you three months in every case, beware of the disgruntled individual receiving the news of an extended deadline and reporting the matter to the ICO. Give good reasons when you explain and make sure they are genuine.
No fee can ordinarily be charged for compliance with a DSAR. It is possible to charge a reasonable fee for the administrative costs of compliance if you feel the DSAR is "manifestly unfounded or excessive" but, as above, be prepared to explain your reasons for making a charge to the ICO if the individual takes a different view.
The first thing to do when you suspect that a DSAR is being used as a litigation tactic is to consider whether the request is a legitimate use of the individual's rights or an abuse of them, designed to tie up your resources and distract your focus from elsewhere. As stated above, you cannot refuse to comply with a request purely because you believe it is being used as a form of pre-litigation disclosure. However, if the request is manifestly unfounded or excessive (for example, where it is plainly motivated by malice rather than any genuine wish to check the data held), it is possible to refuse to comply. This will require very careful thought and very clear documenting before embarking down this route, since the individual is almost bound to complain to the ICO if they are not receiving what they want (indeed, you are under an obligation to tell them of their right to do so, and of their right to seek a judicial remedy, when you send your refusal). Nonetheless, it is well worth bearing in mind.
If you have concluded that the request is not malicious, we move onto the practicalities of the search for data. In my dealings with the new regime to date (and consistent with our online age), I have definitely found that most of the data that comes out of the DSAR process is digital. Involve your IT team immediately - it amazes me how few firms do - and ensure that they are properly briefed to undertake full and targeted searches of the systems. Remember that data which 'relates to' the individual need not be limited to data bearing their name; an IP address or cookie history may equally betray their identity and so this sort of information needs to be searched for and considered for disclosure, alongside the more obvious categories of data.
Equally, don't overlook physical files. In the panic to comply, all too often these are forgotten especially if held off site or at an alternative office location.
The key thing here is to disclose to the individual only what is required; nothing more, nothing less. Beware in particular data that relates to other people in addition to the one who has made the request; unless it is reasonable in all the circumstances to disclose it without their consent, disclosing the data of a third party may well amount to a breach of their confidentiality and expose you to claims elsewhere. Redact what you can and record the reasoning.
Certain categories of data are also exempt from disclosure in their own right, and this is where extra special care must be taken. In particular, documentation that is subject to legal professional privilege will not fall for disclosure, and this could be a real life-saver in the context of a litigation-oriented DSAR, but only if you have ensured that all communications after the prospect of a claim was first identified have been drafted and labelled so as to attract the privilege. In the employment context, confidential employment references do not fall to be disclosed, so these can be legitimately withheld, as can records of your intentions in actual or anticipated settlement negotiations with the individual. These are all very powerful exemptions; quite often, they will operate so as to deny the individual access to the very information at which their entire DSAR is aimed. So build sufficient time into the process to give them your full attention.
Finally, and crucially, you are almost bound to uncover some data during your search that you would really rather not disclose but which, sadly, doesn’t appear to fit within one of the exceptions above. Generally speaking, you should supply the data in the format it was in when the request was received. Tempting though it may be, it is not acceptable to amend or delete the data if you would not otherwise have done so. Indeed, to do so is a criminal offence if the intention is to prevent or avoid disclosure. If the data is unfavourable to you or your organisation but falls outside of an exception, it will need to be disclosed and flagged internally for risk purposes.
And that brings us neatly back to what I feel is the key message for coping in this brave new world; DSARs have the potential to really hurt a firm in the context of possible future litigation, so the proactivity that I advocate in educating staff and cleaning up data at source, and as part of a regular cleansing regime is key for firms that value their claims records. Not only will it make life easier further down the line, but it could well prevent a lot of heartache and embarrassment, not to mention civil claims.