The Data Production Act of 2018 allows any individual to contact a business and request how their personal information is being used. Businesses of all sizes, from small privately-owned shops to multi-national firms, must record how personal information is used and provide the necessary data to the consumer when requested.
When a data request is made, the business generally has 30 days to respond to this request. Steps must be taken during this time to also protect the information if the consumer requires more data. Businesses will respond to consumers in the same manner as they would if this was a request for eDiscovery or part of an eDisclosure.
Businesses must understand that when they receive a DSAR, they must respond to the request, even if the consumer did not accurately call it a DSAR or a data request. The person contacting you may request it under the Data Production Act, GDPR, or may incorrectly request it under the Freedom of Information Act, or they may simply ask for the data being held about them by your company.
However it is worded, it all falls under the umbrella of a DSAR, and companies must honor this request.
Eight Steps To Follow When Filing A Request
1. Establish Identity
Have a plan in place that will accurately establish that the person requesting the information has the right to obtain this data. You will want to request a picture ID or a similar form of identification. If a solicitor is making this request, you will want to verify the authority.
2. Act Immediately
Under the law, you have 30 calendar days to respond to this request. If it is a very complex issue, you may be able to extend this up to 90 days, but this is rare. You should contact the individual immediately and inform them that you are gathering the requested information and will be providing the data to them shortly.
3. Cease All Data Destruction
Most companies have automatic data destruction protocols in place. On average, a company may retain personal customer information regarding a transaction for 45 days after purchase. The length of time that the information is kept will depend on the company. To ensure that any information you are looking for in the request is not destroyed, put a stop to all data destruction until a full audit is completed.
4. Collect All Data
Under the law, all data that you have collected about your client must be disclosed. This includes any recorded phone calls with customer service and any CCTV footage that you may have of the client while on your property.
You will also need to disclose all of the vendors to which you have provided this information as part of doing business. For instance, if you are a retail location and a purchase was made online, you will need to disclose that the credit card processing company received the client's payment information to process the charge and that the shipping company was given the client's address to deliver the package.
5. Redact Necessary Information
You have a legal obligation to protect information about other individuals when you provide DSAR data. This means if you are going to release email information regarding correspondence with your company, you must redact all the information that will identify other people that may have personal information on those emails.
This is where many companies have the most problems fulfilling a data request. They must make sure that all people within the chain of communication are protected, including in transcripts, letters, and emails.
6. Prepare Information
You will want to provide the information in a format that the recipient can easily read. This may include using common formats like PDF or spreadsheet (Excel, CSV) files so that the recipient is not required to have special readers or software to review their information.
You should also confirm how the recipient wishes to receive the information. It is common for a business to receive electronic communication and respond to that electronically. However, since a lot of this information is very personal (e.g., PII, PHI) and contains information that could be risky if exposed, the requesting party may wish to have it in paper format and delivered to them by post or courier.
7. Inform Recipient Of Their Rights
You will need to provide a document that informs the recipient of their rights regarding the data you are providing. This includes the right to request the removal of the data from the business systems at an earlier time than routine data destruction and their right to file a complaint with the Information Commissioner’s Office (ICO) if they feel there is a violation.
8. Keep A Record For Your Business
The ICO has stated that there has been a significant increase in the number of complaints against businesses in the last few years regarding data storage. Keep a record of your actions concerning the request so if there is an inquiry, you will have the documentation you need.
DSAR Requests Regarding Employees
The General Data Protection Regulation (GDPR) of 2018 enhances the rights of employees to collect data about themselves from their employers. This data collection can often be extensive, but it also falls under all of the same rules as a DSAR request.
Employers only have 30 days to respond to the employee with the finalized data collection information. The only exception to this policy is that if there is an exhaustive amount of data regarding said employee, the employer may request an extension to 90 days to complete the task.
Employers can also turn to the Recitals of the law if the information is very complex. Recital 63 states that the employer can request that the employee be very specific about the data they would like released so that the employer can focus on that information alone.
The GDPR will also allow employers to charge employees up to £10 for the request. While this small amount in no way covers the cost for gathering and processing the request, it is still a formality that the employer should use to keep the data request on a professional level.
It should also be understood that employers have been granted the right to charge an additional “reasonable” fee if the requests made by the employees are deemed excessive, repetitive, or unwarranted. The ICO has guidelines for determining if the requests fall under all of these categories.
As of May 25, 2018, the ICO has also stated that employees must be able to have access to make their data requests through electronic means. The ICO further states that employers can “guide employees to make these requests through one electronic format, but cannot prevent them from using any electronic communication to make the request.” This means that employees may contact employers through third-party means, including social media sites like Twitter and Facebook, and make the data request, and the employer must still comply and follow the deadlines for the request as if the request came through the preferred channel.
Protections Under The Law
Employers do have some protections under the law as well as some obligations when it comes to releasing information to employees.
Legally, the employer cannot release any data that could “adversely affect the rights and freedoms of other employees.” In some cases, this may mean a redaction of information on the data provided. On other occasions, it may mean withholding the information altogether.
Other protected data includes:
- References – an employer does not have to disclose any information they give other employers about the employee.
- Managerial information such as business forecasts, business plans, product information, or other protected business information.
- Any information protected by legal privilege.
- Intellectual and proprietary secrets
- Lawsuit settlement information
- Information concerning national security
- Crime prevention information (work-related)
The ICO can review additional items to determine if they are protected information. The business would have to petition the ICO for review of the type of information within the allotted time frame for providing the data to the employee.
Employers are encouraged to keep detailed logs of employee data requests so that if it becomes necessary to show that the requests are excessive, they will have the relevant information to provide proof. Additionally, keeping track of the requests is also good for the employer to show that it remains in compliance with the laws governing data requests.
Five Tips For All Businesses Concerning Data Storage And Requests
Everyone understands that there are inherent risks that come with processing personal information using any type of technology. There is always a risk of a data breach, regardless of security systems put in place. All businesses are encouraged to use the following tips to protect themselves and their clients.
1. Establish A Data Procedure System
You will want to make sure that there are procedures in place that deal with your data collection and storage practices. You will want to make sure that these procedures are all in compliance with the law and that everyone understands the importance of following these procedures.
2. Establish A Procedure For Dealing With DSAR Inquiries
If you have a system in place in your business for the possibility of receiving a data request, it will make it much easier to process. This will also ensure that your information stays organized so that it can always be accessed when necessary.
3. Create A Position To Manage These Requests
At least one person on your staff should be familiar with data collection, storage, and destruction laws. They should also know exactly what to do if a request for data arrives. By streamlining these requests to a single person or department (e.g., Legal, HR, Risk) you will know that any requests are handled accurately and promptly.
4. Remember The Deadlines
Your business will only have 30 calendar days to respond to the request for information. Make sure that these requests are always handled as an urgent priority. Failure to meet this deadline can result in large fines.
5. Have Protocol In Place To Protect Data
It is always essential to have the right protocols in place to protect data. Often, the request for data comes as a result of a breach, and the end consumer or employee wants to know if their information (such as PII or PHI) has been exposed. Always make data protection one of your highest Legal, IT, and HR priorities.
Conor Looney is also an advisor to the Electronic Discovery Reference Model’s (EDRM) Global Advisory Council.