If you find yourself in dispute with a partner or employee, then you may well find yourself in receipt of a Data Subject Access Request (DSAR). This is an increasingly common occurrence in civil and employment litigation and requires careful handling. In our experience many primary care practices do not have effective systems in place to deal with DSARs, which can then result in significant reputational damage and financial cost.
In this blog, we look at how and why DSARs are being used as a legal tactic in disputes, and how your Practice can minimise the risk of a claim arising out of one.
What is a DSAR?
The UK General Data Protection Regulation 2016 (‘GDPR’) provides data subjects with a right to access their personal data. Many practices do not realise that a DSAR can be made in any format, including orally, and can be made to anyone in the organisation.
The GDPR also provides data subjects with a statutory right to claim compensation from a provider where they have suffered material (eg medical bills, loss of wages) or non-material (eg distress, anxiety) damage. It has been established that non-material damage can include a data subject’s ‘loss of control over their personal data’.
Article 15 of the GDPR gives a data subject a further right to sue a data controller if they fail or partially fail to respond to a DSAR. ‘Fail’ includes responding late and/or not providing the mandatory information. Recent damages paid range from £750 for the ‘frustration’ felt by a data subject whose personal data had not been erased, to £18,000 awarded for distress following the inclusion of inaccurate personal data in a report.
Why are DSARs important?
DSARs, other than those held to be manifestly unreasonable or excessive, are a fundamental legal and human right that the Courts have held to be ‘purpose blind’. This has led to DSARs being used as a weapon by individual claimants and their solicitors to short-circuit the normal legal disclosure process. The hope is to pressurise a data controller into early and higher settlements by highlighting a breach and/or threatening civil action for compensation.
If poorly managed, DSARs can also result in claimants being given information to which they are not entitled, such as other people’s personal data, which would itself constitute a data breach. This then enables the claimant to increase the size of their own claim, and opens the possibility of further claims from new claimants. Unfortunately, the size of the likely awards means that some solicitors are prepared to act on DSARs and data breach claims on a no win/no fee basis, which simply encourages even more claimants to come forward. In this way a DSAR received on a small dispute can quickly snowball into multiple large claims against a practice.
Good DSAR management starts with processes and staff training. Since DSARs can be made to anyone in the practice, all staff must understand what to do if they receive one. This minimises the risk of a DSAR being overlooked. Practices should then have a single point of contact responsible for responding to DSARs, who is trained in the regulations and who has appropriate access to the relevant systems. They should also understand and manage the timelines for responding, and report directly to a responsible partner to enable quick decision-making. It would also be a good idea to know who you will approach in the event you need expert legal help.
The use of DSARs as a litigation weapon is increasing, as are the number and size of claims against data controllers. It is important that primary care practices have robust, formal procedures in place to ensure that:
- all staff can recognise a DSAR;
- all data search, collation, redaction and removal processes are GDPR compliant;
- DPA exemptions are correctly applied;
- all non-disclosable information is withheld;
- any consents to disclosure are valid; and
- timeframes are strictly adhered to.
Primary care providers who are uncertain about dealing with a DSAR should seek legal advice as soon as possible, particularly if there is a link to a known or potential litigation matter. If you would like more information about this or any other matter, please contact Nils Christiansen or David Sinclair on 01483 511555, email [email protected]