TLDR: As a Thirdfort client and Data Controller, you are legally responsible for responding to Data Subject Access Requests (DSARs). Thirdfort offers two support options: sending DSAR data to you for review or responding directly to the consumer. When disclosing data, use professional judgement to determine the scope, redact third-party information, and handle screening results sensitively to avoid misleading or alarming consumers.
Managing Data Subject Access Requests (DSARs)
As a Thirdfort client, you act as the Data Controller for the personal data processed during a verification check. If an individual submits a DSAR to you, the legal responsibility to respond rests with your firm.
To support you in meeting your obligations under the UK GDPR while maintaining the security of our reports, please follow the guidance below.
Fulfilling a DSAR
Should you require, we provide two streamlined options to help you fulfil your obligations as a controller:
Option 1: provide assistance
You can ask us to send the DSAR response package directly to you first. This allows your compliance team to review the data we hold before you share it with the consumer.
Option 2: direct fulfilment
You can instruct Thirdfort to respond directly to the consumer. We will provide the data we hold in relation to their specific check on your behalf as your processor.
Scope of DSAR requests: screening considerations
When responding to a DSAR, it is important to recognise that not everything contained within a Thirdfort report is automatically in scope for disclosure. This is especially relevant for screening results (PEPs, Sanctions, Fitness Probity and Adverse Media). When defining the scope of your response, please consider the following:
- Potential matches and your obligations to protect third parties: Our reports are designed for professional use and include screening results that often contain "potential matches" or "false positives." These are tools for your risk assessment rather than confirmed facts about the individual. You should exercise professional judgement to determine whether these raw screening results fall within the scope of the individual's data subject access request. You are required to ensure that disclosing a report does not adversely affect the rights and freedoms of others. Any information relating to third parties identified within a report should be carefully reviewed and redacted where appropriate.
- Professional judgement: You are required to exercise judgement as to whether these sections are in scope for the specific request and carry out any necessary redactions. We recommend extra sensitivity when disclosing raw screening data to ensure the consumer is not misled or unnecessarily alarmed.
Consumers unfamiliar with how AML screening works may be distressed to see unrelated matches on their report. We recommend a sensitive approach; if you determine that certain screening data is in scope, you may still need to provide context or carry out redactions to ensure the consumer is not misled or unnecessarily alarmed by "false positive" results.
If you require assistance under Option 1 or 2, please also provide guidance as to what screening results (if any) you wish to share/redact.