What is a Data Subject Access Request (DSAR)?
An individual can submit a Data Subject Access Request (DSAR) to any organization that holds their personal data; the request itself can run to dozens of pages specifying the information sought. Under the GDPR the organization must respond within one month (extendable by two further months where requests are complex or numerous). DSARs are often followed by a “Right to be Forgotten Request” covering the information that was disclosed.
A typical DSAR consists of the name of the person (including spelling variations and nicknames) and all related information the requester is interested in, such as data connected to a job or credit application. If the requester is a former employee, it may cover every project they participated in and all communications about them with other employees, or even with people from other organizations. Even a simple request can therefore involve a lot of data.
It gets more complicated when a former employee asks to access their PII. In this case, relevant data typically includes employment history, education, skills and qualifications, health information, performance data, pay history, disciplinary actions, bank details, next of kin details, etc. Some of this information will be stored in personnel files and payroll records, but even more will be stored as unstructured email data spanning possibly hundreds of mailboxes scattered across the organization.
Typical motives for a DSAR
- Transfer to another provider/supplier/dealer/employer;
- Privacy concerns;
- Employment related conflicts;
- Other legal matters.
Sometimes the reason for a DSAR is simple. A customer or employee is switching to a different provider, supplier, dealer or employer. They therefore request to retrieve, and then delete, all of the personal data (for example purchase and shipping history) held by the company of which they are no longer a customer or employee.
Sometimes a request is made out of privacy concerns. Individuals are now more aware of their rights and more concerned about data privacy, and the number of organizations involved in data privacy incidents and scandals keeps growing. Concerned individuals submit DSARs to see what data of theirs is being collected, whether it is potentially at risk, and whether they should follow the right of access with a request under the right to be forgotten.
There is also an increasing number of DSARs being used as tactics by aggrieved ex-employees to cause maximum disruption to their former employers.
Global law firm Squire Patton Boggs reported in a recent survey a particular increase in DSARs used where an individual is facing a disciplinary or performance issue and wants to cause problems for the business, or to obtain advance disclosure prior to raising a claim.
The survey states that a little less than a quarter (24.4%) of all respondents saw DSARs from employees who seemingly just wanted to know what the organization had on record about them. However, 65.5% of the companies also reported dealing with DSARs connected to a workplace issue (for example grievance, redundancy or performance management), and among the 64 companies that identified an increase in DSARs since the GDPR, 92% confirmed they had dealt with DSARs connected to a workplace problem.
Sometimes actual and potential litigants use DSARs as a “fishing expedition” to obtain either pre-action disclosure or disclosure while proceedings are ongoing.
What is a Right to be Forgotten Request?
Either subsequently or additionally, a data subject can request erasure of their data from a data controller, provided any of the following conditions is met:
- The data is no longer needed for the purpose it was collected for;
- The subject withdraws previously granted consent to process their personal data, and there is no other legal basis for the processing;
- The subject exercises their right to object to the processing of their data;
- The data is unlawfully processed by the data controllers and/or processors;
- The data must be erased to comply with a legal obligation the controller is subject to;
- The data was collected when the data subject was a child.
There are some exceptions, such as a legal requirement to retain the data, the establishment or defence of legal claims, or matters of national security or public interest, but one should not rely on such exceptions lightly: the burden is on the controller to justify keeping the data.
Data controllers are obligated to erase personal data “without undue delay”, which in practice means within one month, the same deadline that applies to responding to a DSAR.
What does Notification of Data Breaches mean?
Organizations must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals) and must keep records of all breaches, including those not reported. Data subjects must be notified without undue delay when a breach is likely to result in a high risk to them; this individual notification can be avoided where the affected data was rendered unintelligible, for example by strong encryption whose keys were not themselves compromised.