The UK Information Commissioner has just issued a consultation on new draft guidance on dealing with subject access requests. The call for comments closes at 17:00 on Wednesday, 12th February 2020. We will be organising a round-table or webinar on the new guidance early in 2020, with a view to sending consolidated comments to the ICO. Further details on this will follow.
As with other recent guidance from the ICO, the draft is long (77 pages). However, it is accessible and repays reading. Much of the draft consolidates earlier guidance and it does not contain "surprises". However, there are some useful clarifications which practitioners will find of use.
There are also some omissions in the guidance:
- It concentrates on exemptions under the UK Data Protection Act 2018, but does not comment on the exemption set out at Article 15(4) which provides that the right to obtain a copy shall not adversely affect the rights and freedoms of others. It would have been useful to have commentary on how this may impact requests involving multiple data subjects' personal data – and requests involving commercially confidential information;
- There is now a large body of case law in the UK addressing important topics such as when a request may be considered disproportionate and how to treat requests where the main motive of the request is to obtain information for litigation. These are not addressed at all in the guidance, which focuses on the text of the GDPR and the 2018 Act. The cases are still relevant, and this is a missed opportunity to make the guide even more useful to its target audience of data protection officers and specialist privacy teams in organisations.
When are requests valid?
ICO reiterates that there are no formalities for a request to be valid – this can include verbal [sic] requests and those made via social media sites. Therefore, there is an onus on organisations to ensure that channels of communication are monitored and that staff in public facing roles are trained to recognise requests.
Controllers should check that they are releasing data to the actual data subject – reasonable identity checks are appropriate, but controllers should not request more than is reasonable: asking for a utility bill from an employee who makes the request in person would be excessive.
Requests can be made via a third party, provided they are authorised to make the request. ICO states that it is the responsibility of the third party to provide this authority – which could be a specific written authority or more general power of attorney. If there is no evidence of authority, then the controller is not obliged to respond.
Subject access request generator sites
The same rules apply to online access portals such as Tapmydata, We're David or Chommy etc – so the identity of the applicant should be confirmed, and the third party should make clear how it is authorised to make the request. Helpfully, ICO also notes that the controller is not obliged to take proactive steps to "discover" a SAR – so if the controller cannot access a SAR without paying a fee or signing up to a service, then it has not "received" the SAR and so the obligation to respond will not have started. Similarly, if the only way for the controller to respond is via payment of a fee or acceptance of the portal's Ts & Cs, then the controller should provide the information directly to the individual instead.
ICO notes that it will be difficult to deal with SARs without information management systems which allow information to be retrieved and redacted. The guide repeats earlier comments that subject access has been a feature of data protection law since the 1980s – so organisations should already have such systems in place.
Timing to respond
Controllers usually have one month to respond. They can have longer if a request is "complex" or if they have received a number of requests from the individual – ICO gives the example of a controller which has received a SAR, an erasure request and a portability request simultaneously from the same individual. This is a fairly common situation, so this is helpful to note. The guide notes that a request will not be complex simply because the individual has requested a large amount of information or the controller is dependent on a processor in order to respond. Examples of "complex" requests would be:
- Technical difficulties in retrieving information – e.g. where data has been electronically archived;
- Applying an exemption that involves large volumes of particularly sensitive information;
- Specialist work involved in redacting information or communicating it in an intelligible form.
Claims management companies (and others) may submit bulk requests. Here ICO notes that each individual request within the one bulk request has the same status. However, ICO says it will have regard to the volume of requests received and the steps taken by the controller to ensure requests are dealt with. It will also take into account the size and resources of the controller and, where reasonable, will exercise discretion in enforcement.
Tricky questions about searching for data
The guide notes that where an organisation has tried to permanently discard data and has no intent to access it again, then ICO will not seek to take enforcement action against an organisation that has failed to use extreme measures to recreate such data. However, data moved to a deleted email folder does NOT fall into this category.
The guide also notes that there is no need to instruct staff to search personal devices or private emails unless the controller has reason to believe they hold relevant data.
There is no obligation to comply if a request is manifestly unfounded. Here the guide repeats previous commentary from ICO that this will be the case if an individual clearly has no intention to exercise their right of access – e.g. where an individual makes a request but then offers to withdraw it in return for some form of benefit from the organisation. ICO also accepts that requests made with malicious intent do not have to be honoured – examples given are:
- requests made solely to try to cause disruption or harass
- if there is an explicit statement that the applicant intends to do this
- if the applicant makes unsubstantiated accusations – for example, targeting a particular employee where there is a personal grudge
- if the applicant systematically sends different requests as part of a campaign with the intent of causing disruption – e.g. weekly access requests.
The guide also looks at the most commonly used exemptions – in particular what happens when one person's personal data also relates to another, living, individual. Here, the guide notes that if the information is held in confidence in relation to that other individual, then it will usually be reasonable to withhold it – however, this cannot just be a question of looking to see if documents are marked "confidential": the context and substance of the material must be assessed.
Guidance on special cases
There are detailed sections looking at the special UK rules for unstructured manual records held by public authorities; credit files and the rules for health data; educational data and social records.