Under the Data Protection Act (‘DPA’ or the Act), individuals (called ‘data subjects’) whose personal data are being processed by third parties (‘data controllers’) have the right to access and be informed about the processing of that information and to make a complaint to the data controller or the Information Commissioner if their personal data is not being processed in keeping with standards prescribed by the DPA.
Data controllers must therefore be able to effectively manage data subject access requests (DSARs) as well as their complaints.
Tips to assist data controllers in complying with this requirement under the DPA:
- Understand the data subject’s rights to be informed of certain information. This includes:
- The right to be informed about the processing of their personal data.
- The right to direct that their personal data be transmitted to another data controller.
- The right to be informed of the logic behind any automated decision-making involving the processing of their personal data and the right to have the decision reviewed.
- The right to object to the processing of their personal information.
Furthermore, they have the right to have this information communicated in writing and to be provided with a copy of any personal data being processed.
- Appreciate the specific nature or categories of data subject access requests and complaints and what they seek to achieve. Is the data subject merely seeking information or a specific action to be taken? Controllers’ obligations in responding may vary depending on the nature of the request and how personal data is handled.
- Create a data inventory, i.e. a catalogue of personal data being processed, how it is processed, in which systems, for what purpose, to whom it is disclosed, and how it is protected. This will make it easier to gather the information required to respond to requests and complaints.
- Sensitize staff about the implications of the DPA and the importance of responsiveness in dealing with requests and complaints. They must understand that there are legal consequences for failing to comply with an access request and that complaints could relate to a breach for which penalties can be imposed especially if not appropriately remedied in a timely manner.
- Set reasonable expectations by documenting and making public information relating to the processing of access requests and management of complaints. This includes the estimated delivery time for responses and the fee chargeable, which must be the amount to be prescribed in the regulations to the DPA, and in what circumstances the fee is payable. Not all requests for access require a fee to be paid. Complaints should be facilitated and accepted without any charge to the data subject.
- Develop standardized forms and adaptive strategies to facilitate the receipt of requests and complaints. Make these forms readily available to the public, e.g. online or from Customer Service, and provide guidelines for their completion. Ensure as far as possible that forms and/or processes are accessible and comprehensible to all data subjects. For example, persons with disabilities should be facilitated in submitting a request or complaint such as with the use of text-to-talk technology for the blind.
- Create a system for logging requests and complaints received. Ensure the authenticity of requests is verified and the validity of complaints determined before the same are assigned or forwarded for processing. It will also assist to set up automatic reminders or alerts regarding deadlines for responses.
- Have a specific officer (or officers) designated to receive and respond to requests and complaints. In the absence of a data protection officer (where one is not required to be appointed), this may be any other suitable officer. It is recommended that an additional officer be assigned to check responses (i.e. verify they match the request or complaint received and do not contain any inappropriate disclosures) and approve responses prior to them being issued.
- Have a policy outlining considerations relevant to the management of requests and complaints, e.g. nature, timing, frequency, etc., and how they should be applied.
- Establish specific procedures to deal with each type of request or complaint. Requests and complaints require different treatment and different types of requests and different types of complaints may also need to be treated differently. Identify any clear exceptions and how those should be treated.
- Specifically identify requests that require the assistance or action of third parties e.g. a request to rectify or delete personal data may require the external partners with whom the personal data was shared to also rectify or delete the information.
- Develop formats or templates to expedite the provision of responses to data subjects’ requests and complaints. Make these templates customizable by your designated response officer(s). Also ensure that the information is communicated to the data subject in an intelligible form (i.e. in a clear, accessible, and understandable manner) and, if the request is for the transmission of personal data to another controller, that it is done in a structured, commonly used, and machine-readable format and using secure and efficient means.
- Have a checklist for responses to ensure they meet the organization’s quality standards and data protection requirements. Responses to DSARs should provide all the information requested and be delivered in the form and manner and within the 30 days prescribed by the Act. Responses to complaints should acknowledge receipt of the complaint and provide any reference number assigned and advise the data subject of the steps taken to investigate the complaint, any limitations regarding same, the findings following investigation, actions taken or to be taken to remedy the issue if confirmed or the basis of a decision not to process the complaint or that the complaint is unfounded, the procedure for having any decision reviewed, and the right of the data subject to complain or appeal to the Information Commissioner.
- Notify data subjects if additional time or further information is required to process their access request or address their complaint. If additional time is required to respond to an access request (e.g. due to the complexity of the request or a large number of requests being received), or if additional information is required to respond to the complaint (e.g. a date or date range for the incident complained of), then the controller should communicate that an extension of time will be applied. This communication should be sent prior to the end of the 30-day response period and should be clear and transparent, explaining the reason the additional time or information is required and that the data controller is not obliged to comply with the request until and unless it is provided.
- Periodically review responses provided to requests and complaints to ensure, among other things, fairness, accuracy, and consistency of approach. Use errors or discrepancies and teaching tools to improve process and performance.
The provisions of the Data Protection Act serve as a cornerstone in fostering transparency and accountability in data processing practices. By upholding the rights of data subjects to access and review their personal data and have their complaints addressed, data controllers demonstrate their commitment to protecting individuals' data and respecting their privacy.