Pensions Pod: Cyber and AI Bytes – Demystifying Data Subject Access Requests
In this episode of The Pensions Pod: Cyber and AI Bytes, Samantha Howell and Helen Haworth delve into the intricacies of Data Subject Access Requests (DSARs) from a pensions perspective. They explore the responsibilities of trustees, the legal framework, and practical steps for managing DSARs effectively. Tune in to gain valuable insights into navigating these complex requests and ensuring compliance.
Samantha Howell, Director, Burges Salmon
Hello everyone and welcome to today’s Cyber and AI Bytes episode, part of the Burges Salmon Pensions Pod. I’m Samantha Howell. I’m a Director and one of the cyber governance leads in Burges Salmon’s Pensions and Lifetime Savings team. It’s great to be joined today by Helen Haworth, who is an Associate in Burges Salmon’s Employment team. Helen has a specialism in employee-related data protection issues, including employee monitoring, data subject access requests, and other employee related data protection rights and issues.
Today, Helen and I will be talking about data subject access requests or DSARs from a pensions perspective.
Hi, Helen. Thanks so much for joining me today. This episode is really interesting as we go into the intricacies of data subject access requests, or DSARs, but through a pensions lens.
Helen Haworth, Associate, Burges Salmon (00:52)
Hi Sam, happy to be here.
Samantha Howell (00:55)
So, Helen, for those who might not be familiar, can you give us a brief overview of what a DSAR is and its relevance to the pension sector?
Helen Haworth (01:01)
Absolutely. A DSAR is essentially a request from an individual to access their personal data held by an organisation. It’s a right that they have under the GDPR, which I’m sure most of the listeners will have heard of. In the pensions context, a member might make a DSAR to obtain further information on a perceived issue with their pension perhaps.
Samantha Howell (01:23)
That makes sense and can you just clarify what is meant by personal data?
Helen Haworth (01:27)
Yeah, sure. Personal data is defined as any information relating to a person, known as a data subject, who can be identified directly or indirectly from that information. So, it’s information from which an individual can be identified, which might be something straightforward, such as their name or email address, or it might be a combination of information from which someone can be identified. So, it might be someone’s ID number in combination with their name or a description of them, such as their job title or details of their role.
Samantha Howell (02:01)
Yeah, OK, so it’s a very wide definition then. And I understand there’s a time frame within which DSARs need to be addressed.
Helen Haworth (02:09)
Yes, there is. So, organisations have one month from the date of receipt to respond to a DSAR, but that can be extended by a further two months in complex cases. So, for example, a request might be complex due to technical issues retrieving the data, or there might be a need to seek specialist legal advice. So, it will depend on each case.
Samantha Howell (02:29)
Okay but even with an extension it’s quite a short period of time. In a pensions context who has to deal with the DSAR? Is it the trustees or is it the scheme administrator?
Helen Haworth (02:39)
Usually, the trustees will be responsible for complying with the requests, but they will inevitably need assistance from the scheme administrator. So, in the language of the GDPR, the trustees are the data controller because they control the purposes for which the data is being used. And the scheme administrator is the data processor because it processes the data on the trustees’ behalf. And that’s quite an important distinction because under the GDPR, it’s the data controller, so it is the trustees, who are liable for any failings in dealing with a DSAR.
Samantha Howell (03:12)
Thanks, it’s helpful to understand there where the risk sits, that it’s with the trustees, the data controllers. Who can actually make a DSAR then?
Helen Haworth (03:23)
The DSAR has to be made either by or on behalf of the member, former member or beneficiary or the spouse of a beneficiary, so the so-called data subject. So, if a DSAR is being brought by a third party on behalf of the data subject, the data subject’s identity has to be verified. So, confirmation should be sought that the third party is actually authorised to act on behalf of the data subject.
And usually that would be a signed letter of authorisation from the data subject giving that authority.
Samantha Howell (03:57)
Okay that makes sense and if you had to get that ID or that authorisation does that pause the one month deadline?
Helen Haworth (04:03)
Yes, it does. The Data Use and Access Act, which came into effect in June 2025, makes it clear that the clock is stopped pending the receipt of any satisfactory identification of the data subject and the trustees wouldn’t have to respond to the DSAR until that information is received. I would also add that the clock is also stopped if the scope of the DSAR needs clarifying with the data subject after it’s been brought.
And that clock would restart when the scope of the DSAR is clear.
Samantha Howell (04:35)
Okay, great. So, for listeners who’ve heard our other episodes in this series, you’ll know that Amanda Leiu from Burges Salmon’s Data Protection and Technology team spoke about the Data Use and Access Act and some of the key aspects of it that are relevant to pension schemes. And one of the points we talked about there was the changes to DSARs brought into force by the Act. We discussed that the stop the clock rule was previously part of the ICO’s guidance, but has now been codified into the legislation.
Helen Haworth (04:59)
Yes, exactly. That’s right. Another point that the Act codified was the extent of the search to be carried out.
Samantha Howell (05:06)
Okay, so how extensive does that search for personal data need to be then?
Helen Haworth (05:11)
So, the Data Use and Access Act makes it clear that the obligation is to carry out a reasonable and proportionate search. So that was previously the search standard in the ICO’s guidance, but as with the stop the clock rule, this has now been codified in the legislation. And we can come back to that in a minute.
Samantha Howell (05:30)
Okay thanks. And will the member, as the data subject, be entitled to all search results?
Helen Haworth (05:37)
Not necessarily. While the starting principle is that the person is entitled to their personal data, there are various exemptions that might mean that some personal data does not have to be provided. So, for example, if you’re providing the data subject’s personal data, but that would result in the disclosure of other people’s personal data, a balancing act will be needed. Or where personal data is contained in legally privileged documents, they will be exempt. Having applied any exemptions, the relevant personal data is then provided to the data subject.
Samantha Howell (06:08)
Thanks, that’s a helpful overview. And I think there’s a few specific issues you see cropping up with trustees dealing with DSARs. The first one is how do trustees or the scheme administrator know if a person is making a DSAR?
Helen Haworth (06:22)
That’s a good question. People tend not to badge a request to the trustees as a DSAR, and a DSAR doesn’t have to be brought in any specific format under the GDPR or be directed at a specific person in the organisation. And they also don’t have to state that it is a DSAR. So as long as it’s clear that an individual is requesting their own personal data, that would constitute a DSAR.
And given the tight timeframes, it is important to have a good process in place to assess whether a request is a DSAR and, if it is, to then pass it over to the right team quickly. It’s also worth noting that whilst there’s no obligation for a data subject to bring this in a particular way, signposting your preferred way for someone to make a DSAR can ensure that the triaging of requests is kept to a minimum.
Samantha Howell (07:11)
Yeah, that does sound like good advice, and taking your point on the time frames for responding, it can be really helpful in practice for trustees to be made aware of a DSAR or potential DSAR quickly by their scheme administrator. As we’ve talked about, ultimately the trustees as data controllers have the responsibility for responding within the 30 days in a legally compliant way. Another common issue is where an individual requests all the data that’s relevant to them, which can often be substantial, particularly if the request comes from a member with a significant number of years’ pensionable service. What can trustees do to manage this type of request?
Helen Haworth (07:48)
Yes, you’re right, that is pretty common. So, as I mentioned, data subjects are entitled to request all their personal data, but the obligation for data controllers is to run a reasonable and proportionate search only. So, if a search for all personal data returns an excessively large number of documents or data set, the data controller can ask the data subject to clarify the scope of their request.
So that might include suggesting a timeframe for the request, specific mailboxes to search or particular search terms to reduce the volume. If the data subject refuses and insists on all their personal data, the data controller is entitled to then carry out what they consider a reasonable and proportionate search and inform the data subject accordingly of what they’re proposing to do.
Samantha Howell (08:35)
Okay great, so you did mention as well earlier the personal data of others. Can you expand on what trustees should do if the individual is requesting information which contains not only their personal data but another individual’s personal data?
Helen Haworth (08:48)
Of course. A member’s personal data may be held alongside the personal data of others, such as other members, their beneficiaries, and often the data of the administrator’s staff. And under the GDPR, you don’t have to provide information that identifies someone else unless either that person consents or it would be reasonable to disclose without their consent. So, what that means in practice is you’ll need to decide on a case-by-case basis whether to share third party information.
And as part of that, you may need to consider whether to ask the third party for consent, although in practice you might be reluctant to do so. And as I’ve said, the need to protect the privacy of third parties could justify withholding data from the response to a DSAR. In practice, that might be done by redacting parts of documents that contain third party data.
Samantha Howell (09:38)
And what about where trustees don’t hold the data but another entity does? The obvious example of that is the scheme administrator, but it could also include things like the scheme actuary depending on the data that’s requested.
Helen Haworth (09:49)
It’s a good question. The DSAR will cover personal data held by the data controller, so the trustees, and it will also cover personal data held by third parties such as the scheme administrator who process personal data on behalf of the trustees. And where that’s the case, the data controller, i.e. the trustees, should ask the data processor, the administrator, to carry out appropriate searches so that the personal data that they hold on the data subject can be incorporated into the DSAR response from the trustees.
Samantha Howell (10:24)
Great. An interesting point that we see in practice is that the scheme administrator carries out the review of the documents and makes any necessary redactions to respond to the DSAR. But obviously, as data controller, the trustees remain responsible for that response. Therefore, the risk sits with the trustees. And even though they don’t actually hold the data to be able to respond to it themselves, there is the risk there. Because of that risk, we often see trustees asking their scheme administrator to provide a sample of documents they intend to use to respond to the DSAR for them to check, which we as legal advisors then can help with.
Helen Haworth (10:57)
Exactly. And another point to be aware of is whether the scheme’s administration contract contains the necessary data protection provisions to allow the trustees to comply with their DSAR obligations.
Samantha Howell (11:08)
Yeah, that’s another good point to bear in mind. We’ve talked about the legal framework and some useful practical steps, but making sure you’ve got the proper protection in your contracts with parties is really important. Another question is what happens if you don’t comply with the DSAR?
Helen Haworth (11:23)
Well, the short answer is that an individual can make a complaint to the Information Commissioner’s Office, the ICO. As a result of a complaint, the ICO can investigate and can take enforcement action. They also have the power ultimately to issue significant fines.
Samantha Howell (11:38)
Yeah and I suppose a fine wouldn’t be very welcome but neither would the amount of work it takes to comply with a regulatory investigation. Finally then, how can we help trustees to manage DSARs?
Helen Haworth (11:51)
So, we work with a number of organisations to support them on managing DSARs. And that support ranges from ad hoc advice on particular queries to full-scale comprehensive management of DSARs involving the use of e-disclosure technology to process data efficiently, deduplicate email threads, and so on. So, we would be happy to help in any way that we can.
Samantha Howell (12:17)
That wraps up our discussion on the data subject access request from a pensions perspective. Thanks again to Helen for joining us. The key takeaways for trustees that I took from our discussion are to remember that as data controllers, you are responsible for responding to DSARs, but that this will need to be done in practice in conjunction with your advisors who hold the relevant data, usually your scheme administrator. And that will need to take into account the tight time frames to respond, usually a maximum of 30 days.
That was another episode of Cyber and AI Bytes, part of the Burges Salmon Pensions Pod. If you’d like to know more about our Pensions and Lifetime Savings team or our cyber specialists throughout the firm and how our experts can work with you, then you can contact myself, Samantha Howell, or any of our team via our website. And as we say every episode, all of our previous episodes are available on Apple, Spotify, our website or wherever you listen to your podcasts. Don’t forget to subscribe and thanks for listening.