Sponsored content
Paul Byrne, of PropelFwd, explains why this valuable tool is sometimes misused and what organisations should do if a valid request is made
A Data Subject Access Request (DSAR) is a mechanism by which individuals can access the personal data organisations process about them. It is one of the rights provided to data subjects in the Data Protection (Jersey) Law 2018 (DPJL) and aims to promote transparency, accountability and control over personal information.
However, recent trends suggest a shift in how DSARs are being used. In employment disputes and commercial conflicts, some individuals are submitting DSARs not to verify or understand how their data is being processed, but to gain early insight into internal communications, pressure organisations or support legal action. This has led to growing concern that DSARs are being weaponised, misused to extract information outside the proper legal disclosure process or to create unnecessary burdens.
The purpose and scope of DSARs
Under Article 27 of the DPJL, individuals have the right to know whether their personal data is being processed and, if so, to access that data.
They are also entitled to receive information about how and why it is being used, who it may be shared with and how long it will be retained. They are also informed of their right to have inaccuracies corrected or the data erased, and of their right to complain to the Jersey Office of the Information Commissioner.
The law does not require organisations to hand over entire documents or explain business decisions. Nor does it require them to respond to vague or overly broad requests for “all information held”. A DSAR applies only to personal data in the legal sense.
Misuse of DSARs in legal disputes
DSARs are often submitted during the lead-up to employment tribunal claims, particularly where redundancy, grievances or discrimination are alleged. This has raised concerns that DSARs are being used not to understand data processing but to access disclosure prematurely.
Article 28 of the DPJL provides protection against such misuse. It allows organisations to refuse or limit a DSAR that is manifestly unfounded, vexatious or excessive.
Consider a situation in which an employee facing redundancy requests access to internal strategy discussions. If those communications are about the future structure of the organisation or the viability of certain roles, they are not personal data. The DPJL allows such information to be withheld to protect the integrity of business forecasting and planning.
Deer v University of Oxford: A cautionary tale
The legal boundaries of DSARs and their appropriate use were tested in the case of Deer v University of Oxford [2017] EWCA Civ 121. Dr Cécile Deer, who was engaged in a long-running employment dispute with the university, submitted broad DSARs requesting access to data held in emails and files across multiple departments. The university declined much of the request, arguing that it was being used as a substitute for litigation disclosure and that many of the documents were not personal data.
The Court of Appeal made several important findings. First, it emphasised that a DSAR seeks personal data, not documents. Just because a name appears in an email does not mean the entire email is disclosable. The content must relate to the individual in a biographical or evaluative sense.
Second, the court confirmed that while the law did not require a data subject to explain why they were making the request, a court may consider whether the request was being made for genuine data protection purposes or merely as a tactical step in a dispute. If the latter, this may influence whether the court chooses to enforce the request.
Third, the court addressed proportionality. The university had already reviewed more than 500,000 documents at a cost exceeding £116,000. The Court of Appeal held that reasonable and proportionate efforts were sufficient. Even if further searching might reveal more data, this does not make earlier searches inadequate if they were reasonable in scope.
Finally, the court confirmed that it retained discretion when deciding whether to enforce a DSAR. Even where some non-compliance has occurred, the court is not compelled to order disclosure. If the data subject has already received the relevant data through other means or if further disclosure would serve no real purpose, the court may decline to act.
What constitutes personal data?
The definition of personal data is set out in Article 1 of the DPJL. It refers to information that relates to an identified or identifiable individual. But this concept has been the subject of detailed interpretation in the courts.
In Durant v Financial Services Authority, the Court of Appeal explained that not all data that mentions an individual is personal data. To qualify, the data must be biographical in a significant sense or focus specifically on the individual. A passing reference to a person’s name in a document does not make the document their personal data.
When data can be withheld
There are several important exemptions under the DPJL that allow controllers to withhold information, even if a DSAR has been validly made.
One such exemption applies to management forecasting and business planning. Organisations are not required to disclose personal data if doing so would prejudice commercial activities such as restructuring or redundancy planning.
Another common misconception involves documents related to physical property or objects. Insurance claims, building condition reports or vehicle damage assessments are not usually considered personal data.
Controllers must also protect the rights of third parties. Where responding to a DSAR would involve disclosing personal data about someone else, the controller must balance both parties’ rights. In many cases, this will mean redacting information. If redaction is not possible without compromising confidentiality, the document may be withheld entirely.
Misconceptions about names and mentions
A common misunderstanding is that individuals are entitled to access any document where their name appears. This is not the case.
If a person is listed in meeting minutes or copied into an email that contains no evaluative content about them, the data is unlikely to fall within scope. Only when the content includes assessments, decisions or comments about the person’s conduct, performance or character would it be likely to qualify.
Complying with DSARs
Organisations must respond to DSARs within four weeks of receipt, provided the request is valid. The first step should be to verify the identity of the requester. Once confirmed, controllers should clarify the scope of the request if it is unclear, too broad or likely to generate excessive volumes of data.
The search itself must be reasonable and proportionate, focusing on structured systems and known locations where personal data is likely to be held.
In some cases, the standard four-week period may not be sufficient. The DPJL permits an extension of up to a further eight weeks, making the total possible response time 12 weeks. This extension can only be applied where the request is complex or where the controller has received multiple requests from the same individual. The controller must notify the data subject of the extension within the original four-week period and explain the reasons for the delay, citing either complexity or volume as the legal basis.
Controllers are not required to retrieve data from unstructured archives, legacy systems or backups unless doing so is reasonable in the circumstances. Where data is withheld or redacted, the organisation should explain this clearly in its response. Keeping a full record of the search process and the rationale for decisions taken is essential, especially if the response is later challenged.
The JOIC’s view on responsible use
The Jersey Office of the Information Commissioner expects organisations to act lawfully and transparently when responding to DSARs, but it also recognises the potential for misuse. Individuals who abuse the DSAR process, whether to harass, delay or pressure an organisation, may see their requests refused or limited. Controllers are encouraged to develop a clear internal DSAR policy and ensure staff are trained to recognise when exemptions apply.
Ensuring balance and purpose
DSARs are a valuable and powerful right, but they are not without limits. They are not intended to replace litigation disclosure, nor should they be used to extract internal business information or pressure employers during a dispute.
When used appropriately, DSARs enhance accountability and trust. When misused, they risk distorting the intent of data protection law and undermining the balance between privacy rights and operational integrity.







