Data Subject Access Requests (DSARs) are a fundamental right under data protection laws, allowing individuals to access the personal data about them that is being held by organisations. However, there is a growing trend where disgruntled employees utilise DSARs not for genuine data access, but as a tool to burden employers, especially during disputes or litigation.
The rise of weaponised DSARs
Recent reports highlight a significant increase in tactical DSAR use by former employees. Such requests often coincide with employment disputes, aiming to pressure employers into settlements or to uncover information for litigation purposes.
This phenomenon isn't confined to the UK. Across the EU, there is a noticeable uptick in DSARs being used strategically in employment disputes. The European Data Protection Board (EDPB) has acknowledged this trend, emphasising the need for organisations to handle DSARs diligently while being aware of the potential abuses.
Strategies for employers
- Implement a clear DSAR policy: ensure your organisation has a well-defined DSAR policy outlining the process, timelines, and responsibilities. This clarity can deter misuse and streamline genuine requests.
- Train staff appropriately: equip your HR and legal teams with training to recognise and handle DSARs, distinguishing between legitimate requests and potential abuses.
- Assess for "manifestly unfounded or excessive" requests: under data protection laws, organisations can refuse any request deemed manifestly unfounded or excessive. However, this determination must be made carefully with documented justification.
- Maintain comprehensive records: document all DSARs received, actions taken, and communications with the requestor. This record keeping is crucial, especially if the request’s legitimacy is challenged.
- Seek legal counsel when necessary: if a DSAR appears to be used as a litigation tactic, consult with legal professionals to navigate the complexities and ensure compliance without compromising your organisation's position.
The ability to weaponise a DSAR has become more common partly due to the simplification of the online request process, and partly to the growing understanding of how much these requests can inconvenience an organisation.
To address the misuse of DSARs, the Information Commissioner’s Office (ICO) could consider:
- Providing clear guidance: offering more detailed guidelines on identifying and handling vexatious or abusive DSARs can empower organisations to respond appropriately.
- Implementing a review mechanism: establishing a system where organisations can seek the ICO's opinion on questionable DSARs could help to manage potential abuses.
- Promoting awareness: educating the public about the intended purpose of DSARs and the implications of misuse can deter frivolous or malicious requests.
In conclusion, whilst DSARs are vital for transparency and individual rights, their misuse poses challenges for employers. By adopting proactive strategies and seeking guidance where necessary, organisations can navigate these challenges effectively. Collaboration between regulatory bodies like the ICO and businesses is essential to ensure DSARs serve their intended purpose without becoming tools for undue pressure or disruption.
The information provided in this article is provided for general information purposes only, and does not provide definitive advice. It does not amount to legal or other professional advice and so you should not rely on any information contained here as if it were such advice.
Wright Hassall does not accept any responsibility for any loss which may arise from reliance on any information published here. Definitive advice can only be given with full knowledge of all relevant facts. If you need such advice please contact a member of our professional staff.
The information published across our Knowledge Base is correct at the time of going to press.