The Right of Access – Subject Access Requests: how to handle them
The right of access is nothing new, but there are some changes ushered in by the EU General Data Protection Regulation (GDPR). There’s also the anticipation that increased awareness (and the removal of the fee) will see the number of requests received rise.
It’s crucial that employees are aware of what a Subject Access Request (SAR) is and the importance of immediately passing such requests to the Data Protection Officer or relevant member of staff/team. Time is of the essence!
What is a subject access request?
A SAR is a request from a data subject to be provided with a copy of the personal data being processed by a Controller and an explanation of the purposes for which personal data is being used. A complaint or general query about how personal data is being used does not constitute a SAR, for example a query about why marketing is being received or where you got someone’s name from. A SAR is specifically when anyone asks to receive a copy of the personal data you may hold for them. A request does not need to be formerly called a “subject access request” or “access request” for it to constitute one, and they will rarely be entitled as such.
A request could be sent to any department and come from a variety of sources. Individuals do not need to officially write a letter addressed to the Data Protection Office for it to be a valid request. They might be submitted by email or social media and may be addressed to the “wrong” department or person.
What are the changes under the GDPR?
Less time to respond: The timescale for responding to a SAR has been reduced from 40 days to one calendar month, representing a challenge for many organisations.
No fee: Organisations can longer charge a £10 fee for a SAR. However, where the request is deemed to be excessive or manifestly unfounded organisations can charge a “reasonable fee” to cover the administrative costs of complying with the request. There is also an ability to charge a “reasonable fee” if an individual requests further copies of their data. But, even if you suspect a request may be malicious this is very unlikely to be sufficient grounds for refusing to respond.
Article 15 of the GDPR sets out the the information that individuals have the right to be provided with. Broadly this covers providing information about:
- What personal data it is being processed
- The purposes for which the personal data is being
- Who the personal data has or will be disclosed
- The existence of any automated decision-making, including profiling. And, at least where this produces legal or similarly significant effects, what logic is being used for that purpose.
- How long the data will be retained for (or at least the criteria used to determine this)
In order for a formal SAR to be valid it must come from the individual themselves (or an authorised agent/parent/guardian) and needs to be accompanied by enough information to enable you to extract the personal data pertaining to the individual from your systems.
It is very important to establish that the individual asking for the information is who they say they are, to avoid the damage of inadvertently disclosing personal information to the wrong person. There have been several instances of fraudulent requests in order to aid identity theft.
If the information the individual has provided in their request is insufficient, you should ensure you have a standard initial response process so you can immediately ensure you have enough details to fulfil the request. For example you may need to:
- request proof of ID (if the requester is an employee or ex employee this may not be necessary if it is obvious to you who they are)
- request proof of relationship/authority (for example if information is requested about a child or by an agent)
- ask if they are interested in specific information (if they request ALL personal data you cannot restrict this)
- ask what their relationship is with your organisation
- ask if they wish to see CCTV images of them (if relevant) and request a photograph, description of clothes worn, dates of visits etc.
- ask if they require the information to be provided in writing or whether they will accept it in an electronic from
You have one calendar month to provide your formal response to the individual
Gathering the information
Ensure you have a standard process to efficiently check all relevant systems and liaise with other departments. A SAR covers most computerised personal data you hold (including archives and backups) and some paper records (where these are held in a systematic and structure format). Email systems will need to be checked for emails pertaining to the individual (where they are referenced by name or are identifiable).
Do you need to include deleted records? The ICO’s view in its Subject Access Request Code of Practice is “if you deleted personal data held in electronic form by removing it (as far as possible) from your computer systems, the fact that technical expertise might enable it to be recreated does not meet you must go to such efforts to reponse to a SAR”.
Review the information
If no personal data is held about the individual they must be informed of this.
If the information you have gathered contains personal data relating to other individuals you need to carefully (on a case by case basis) consider whether/how to redact this or judge it to be reasonable to disclose. Such information can be disclosed with the consent of other parties. Where consent is not feasible you need to consider the privacy impact and/or how your duty of confidentiality to these other parties could be broken should you disclose this information. You should document any justification for disclosure of personal relating to other parties.
Your formal response
The information you provide must be in an “intelligible form”, in other words one in which the average person would be able to understand. Avoid using jargon or terms that people outside the business might not understand and explain any codes. Ensure the information you are providing covers the requirements under Article 15. When supplying the information use a traceable delivery system. If agreed with the individual send it via secure electronic means.
And finally, keep a record of your response!
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.