GDPR: Subject Access Requests

Napthens - November 8th 2017

This update focuses on a specific data subject right, the right of access to personal data. Such a right is exercised by the data subject making a request, commonly referred to as a “subject access request” (a SAR).

SARs are easy to make, but can be problematic and time consuming to deal with. A failure to process a SAR properly could result in a complaint (and a claim) to the Information Commissioner’s Office (ICO).

Although the right of access is intended to enable a data subject to check what personal data is being processed (and that it is being processed lawfully), it is a fact that SARs are commonly received by organisations prior to some kind of litigation.

Although many will already be familiar with this right, as it is nothing new, there have been some changes which are worthy of note. Given the enhanced publicity of the GDPR, the enhanced rights of individuals and the removal of a fee, we can expect to see an increase in SARs going forward.

As explained in one of our previous articles, the GDPR retains and enhances the right of access to personal data being processed by a data controller.

Providing information about the Right of Access

The GDPR grants data subjects the right to receive certain information about the data controller's personal data collection and data processing activities. This right forms a part of the data controller's obligation to ensure the fair and transparent processing of personal data. The GDPR requires the data controller to provide detailed information to data subjects.

This is usually achieved through a privacy information notice, perhaps directing the data subjects to supplementary policies.

It follows that one of the rights a data controller needs to notify data subjects about is the right to access their personal data. Therefore organisations are encouraged to ensure that they have in place a detailed data protection policy setting out both the rights of the data subjects as well as the process to follow to exercise such rights, including making a SAR.

Any SAR policy needs to be clear and take into account the tight time frames to handle a SAR. It should also set out who a SAR should be directed to (a person with authority), who will oversee the processing of a SAR, the timescales for compliance, and how it will handle requests relating to rectification, erasure or restriction on processing.

Consider implementing service standards in handling a SAR with template responses to use and a clear timetable to work to. For those tasked with handling a SAR, training is imperative to ensure that they understand the legal rights, obligations and exclusions as well as the policy and procedure of the organisation.

What does the right of access cover?

The data subject has the right to:-

  • Obtain confirmation from the data controller that it is processing their personal data
  • Access their processed personal data including receiving a copy on request (unless this adversely affects the rights and freedoms of others)
  • Obtain certain information about the data controller’s processing including
    • Purpose of processing
    • Categories of personal data processed
    • Recipients or categories of recipients who receive personal data from the data controller, e.g. payroll provider, pension provider etc., and in particular if the recipient is outside the EEA
    • Retention rules of the organisation over their personal data
    • Where the personal data has come from if not collected directly
    • Whether or not there are any automated decision making procedures and if so the consequences of this for the data subject
    • The rights to correction, erasure, restriction and objection and making complaints to the ICO

Importantly there are some legal considerations when handling a SAR, for example:-

  1. What constitutes the “personal data” of the data subject?
  2. Does the information contain personal information that identifies another individual and as such affect their rights?
  3. Are there any exemptions which would entitle you to withhold disclosure? Legal Privilege/confidential references/criminal activity/data relating to negotiations etc.

Whoever processes the SAR will need to understand the legal position and identify any categories of information that may be caught by the above, and then make a judgement call on whether or not to withhold disclosure or make partial disclosure.

Under the GDPR, there are no strict criteria to determine which personal information relates to a data subject. The context in which the data is held, and the way it is used, can have a bearing on whether it relates to an individual and therefore whether it is the individual’s “personal data”.

Our earlier article on “How to audit the data you hold” will help you establish what is/isn’t personal data. Having identified what information is or could be personal data, consideration then needs to be given about the rights of others as well as the applicability of the exemptions.

Changes under the GDPR

As stated at the outset, the GDPR retains all of the existing rights but also enhances them. Changes to be aware of are:-

  • There is no fee for processing a SAR unless:-
    • additional copies are requested where an administrative fee can be charged; or
    • a request is “manifestly unfounded or excessive” and for which a reasonable charge could be applied
  • SARs could be refused on grounds of “manifestly unfounded or excessive” requests, but we would advise caution in applying this rule. Under the current code of practice, the ICO is clear that every effort should be made to comply with a request as far as reasonably practicable. Rarely will a blanket denial be acceptable
  • Electronic Requests – it must be possible to submit electronic requests (e.g. by email). Where a SAR is made electronically, the information should be provided in a commonly-used electronic form unless requested otherwise
  • Content of the Response needs to detail the information set out earlier in this article
  • The time limit to respond has been reduced to “within one month” and without unreasonable delay. This can be extended for a further 2 months where requests are particularly complex and the data subject has been notified of the extension
  • There is a recommended “best practice” for an organisation to provide the data subject direct access through a secure system

Your action plan

  • Review your data protection policy and ensure it is updated/extended to set out the data subjects’ rights and the process to make a request
  • Assess your organisation’s ability to quickly locate and isolate personal data to process a SAR, perhaps by undertaking a “SAR dress rehearsal”
  • Consider how you will publicise your data protection policies, particularly if processing personal data of individuals outside your organisation, through training and awareness projects; including the differing responsibilities and expectations given your organisation’s structure
  • Consider setting up an electronic method to submit a SAR (or social media platform) and a data portal to access directly
  • Appoint an individual within the organisation with ultimate responsibility for handling SARs and identify a team to process SARs
  • Develop SAR service standards and a timetable with template responses to ensure all elements of supporting information are provided

For more information, please contact our GDPR specialists on 01772 888 444 or by email to GDPR@napthens.co.uk