Data Protection Law
Data subject access requests are a key element of GDPR. Although an individual’s right to access their data has been a major part of data protection legislation since 1984, the development of technology has led to a massive expansion in the nature and quantity of data being processed. This blog takes a look at data subject access requests, how they work, and the impact that the GDPR has had upon them. We specialise in data protection so if you have any questions about this blog please get in touch. Our lead lawyer for data protection advice is Neil Williamson.
What are data subject access requests?
Put simply, a data subject access request is a request that allows individuals to find out what personal data an organisation holds about them, why they hold it and who the information is disclosed to. For information to be personal data, it must relate to an identified or identifiable natural person. Such information, either on its own or in combination with other data, may include personal contact details about that individual, information about their appearance, or information about sick leave.
How do I make a data subject access request?
For data subject access requests to be valid, they must come from an individual or from someone acting on their behalf. Often, this will be a solicitor acting on behalf of a client but can also be a family member or friend.
Individuals can make data subject access requests verbally or in writing. The ICO even suggests that individuals can make data subject access requests through social media sites such as the organisation’s Facebook or Twitter. A request does not have to include the phrase ‘subject access request’ or refer to Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data.
How do I respond to data subject access requests?
To avoid inadvertently disclosing personal information to the wrong person, an organisation should first seek to establish that the individual making the request is who they say they are. If there are doubts, organisations can request proof of ID or request proof of a relationship with the individual. Some organisations may find it easier to provide individuals with a specially designed form. These forms can help organisations track data subject access requests and streamline internal processes and procedures. However, individuals are not obliged to use these forms and could still request their information in other ways.
In addition to a copy of an individual’s personal data, organisations must provide other information. This information includes the retention period for storing the data, the individual’s right to request erasure of their data, and the safeguards in place when their data is transferred to an international organisation. The full list of information is set out in Article 15 of the GDPR. An organisation may find that they have already disclosed most of this information in their privacy notice. In this case, an organisation can point an individual towards this.
Organisations should be mindful where an individual’s personal data includes information about other individuals. The Data Protection Act 2018 states that an organisation does not have to comply with a request if it means disclosing information about other individuals unless the other individual has consented to the disclosure or it is reasonable to comply with the request without that individual’s consent. In determining whether it is reasonable to comply, there are a number of factors that should be taken into consideration. These include the type of information being disclosed, any duty of confidentiality owed, and any express refusal of consent. If the other individual does not give their consent and it is not reasonable in the circumstances to disclose the data without their consent, an organisation should consider removing or redacting the data about that other individual.
What will happen if I don’t respond to a data subject access request?
The ICO has a range of enforcement tools available to it under the GDPR including issuing warnings, notices, ordering compliance and imposing fines. These fines can be very large; up to 20 million euros or, if higher, 4% of an organisations worldwide annual turnover.
Are there any exemptions?
The Data Protection Act 2018 sets out a number of exemptions which allow information to be withheld from individuals where it would usually need to be disclosed. These exemptions include:
- Legal advice and proceedings – organisations do not have to disclose data which is covered by legal professional privilege;
- Confidential references – organisations do not have to provide access to confidential references that they have given in relation to an employee’s employment; and
- Management information – organisations do not have to disclose data which relates to management planning and forecasting.
Can I use a data subject access requests for the purposes of litigation?
As data subject access requests are limited to personal data, they are less wide-ranging than general disclosure obligations. Nonetheless, actual and potential litigants often use data subject access requests as a tactic in litigation or as a means of collecting information from their opponent. In Dawson-Damer v Taylor Wessing LLP (2017), the Court of Appeal decided that the motivation behind a data subject access request was irrelevant. Data subject access requests are valid even if the collateral purpose is to obtain information for the purposes of litigation.
The GDPR does not refer to the intention behind a subject access request and therefore the starting point is that any individual is entitled to exercise their right of subject access. The ICO makes clear that companies cannot refuse to supply information simply because the information requested in connection with actual or potential legal proceedings.
How has the GDPR changed data subject access requests?
The time limit for acting on data subject access requests has been reduced from 40 days to one calendar month. An organisation must now act without undue delay and in any event within one month of receipt. The time limit can be extended by a further two months if the request is complex or there has been a number of requests from the individual. In these circumstances, an organisation must let the individual know within one month of receiving the request and explain why the extension is necessary. Unfortunately, there is no specific guidance on what would constitute ‘complex’ at this stage.
In most cases, organisations can no longer charge a fee for carrying out a data subject access request. However, where the request is manifestly unfounded or excessive, a “reasonable fee” may be charged for the administrative costs of complying with the request.
Refusal to deal with the request
Organisations can refuse to deal with data subject access requests if they are manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. If an organisation refuses to comply with a request, they should inform the individual about the reasons for their decision, the right to make a complaint and the ability to seek to enforce this right through a judicial remedy. An organisation may also refuse to deal with a request if the person to whom the subject access request was addressed is not the data controller or the request infringes the EU doctrine of abuse of rights. In all cases, an organisation must inform the individual within one month.
Individuals can now make data subject access requests electronically. Where an individual makes a request electronically, an organisation should provide the information electronically, unless the individual requests otherwise.
If you have any questions around data subject access requests please contact Neil Williamson.