Commonly referred to as ‘subject access’, the Data Protection Act 1998 entitles individuals to the right to find out what personal data is held about them by an organisation, why the organisation is holding it and who their information is disclosed to by that organisation. An individual may exercise this right by submitting a ‘subject access request’ (SAR).
Under the new General Data Protection Regulation (GDPR), the Information Commissioner’s Office (ICO) indicates that you will have less time to comply with a SAR, with information being provided at the latest within one month of receipt. That being said, the period of compliance can be extended by a further two months where requests are complex or numerous. The ICO’s website highlights that ‘if this is the case, you must inform the individual within one month of the receipt of the request and explain why the extension is “necessary."
In preparation for the regulation, the ICO has also recently issued a revised code of practice on SARs, including new guidance on SAR procedures.
The new code emphasises that supplementary information such as “the type of personal data an organisation is holding”, what the purpose of the SAR processing is, “details of the third parties to whom the requesters’ data maybe disclosed, as well as the logic involved in any decisions taken on the basis of personal data processing carried out by automated decision technology and computer algorithms” are required as part of the initial SAR response, reminds Pinsent Masons’ recent article.
In addition, the new code of practice sets out requirements for companies who operate ‘bring your own device’ (BYOD) initiatives, where employees may use their personal devices for work purposes. The ICO states that whilst “it is good practice to have a policy restricting the circumstances in which staff may hold information about customers, contacts or other employees on their own devices or in private email accounts,” if an organisation does “permit staff to hold personal data on their own devices” then employees “may be processing that data on your behalf” and in which case “it would be within the scope of a SAR you receive.”
The ICO continues “the purpose for which the information is held, and its context, is likely to be relevant in this regard. We would not expect you to instruct staff to search their private emails or personal devices in response to a SAR unless you have a good reason to believe they are holding relevant personal data.”
Another key revision is a nod towards SARs submitted via social media channels, highlighting the increasing disruption brought about by the digital age. “Individuals may make a SAR using any Facebook page or Twitter account your organisation has, other social media sites to which it subscribes, or possibly via third-party websites” comments the ICO. They recognise that whilst this “might not be the most effective way of delivering the request in a form you will be able to process quickly and easily, there is nothing to prevent it in principle.”
“Recent statistics from the ICO warn that the biggest proportion of data protection concerns raised by the public (42% of respondents) relate to individuals’ rights to access their personal data held by organisations. It is, therefore, more important than ever before to ensure that you have sufficient SAR procedures in place”
To ensure you keep ahead of the changes, here are three key questions to ask:
What is classed as personal data?
According to the ICO’s revised code of practice, personal data must relate to a living individual and allow that individual to be identified from it (either on its own or along with other information likely to come into the organisation’s possession).
Does personal data differ from sensitive personal data?
Under the new GDPR, whilst personal data is any information relating to an identifiable, living individual, sensitive data is data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a living individual's sexual life or orientation. Personal data and sensitive personal data should be treated under different conditions.
What is a reasonable request?
It may be difficult to determine what constitutes as a reasonable SAR request, particularly given the number of mediums in which data may be stored and shared. If you find yourself asking this question, it is best to begin by clarifying with the requester what they are specifically looking for, before agreeing the scope of the exercise.
It is also worth noting that under the new GDPR, employers cannot charge for a SAR unless it becomes manifestly unfounded or excessive, and particularly if it is repetitive. The ICO’s website highlights that you may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that you can charge for all subsequent access requests, and the fee must be based on the administrative cost of providing the information.