Dealing with Subject Access Requests

Under Article 15 of the EU General Data Protection Regulation, individuals have a right of access which allows them to request the personal information an organisation might hold about them. In addition, under Article 20 they also have a right of data portability, which means that they can request electronic information in a format that allows them to easily transfer this information to another organisation e.g. in a structured, commonly used and machine-readable format. These rights are part of a broader range of rights that individuals are provided under the EU GDPR and the UK Data Protection Act 2018.

Although this right of access was available under the old Data Protection Act (commonly known as subject access requests), there have been changes to this right. In the majority of cases you can no longer charge for these requests (unless to provide further copies, or where the request is manifestly unfounded or excessive); in most cases you will need to respond within one month (rather than the original 40 days); and these requests no longer have to be in writing. In addition, there have been some changes to the exemptions that apply around the release of certain types of information (although many are still the same).

For businesses and organisations, this change will require a new way of implementing or updating standard procedures around how these requests will be dealt with. It will be key to ensure that everyone within your organisation can recognise and respond to data access requests upon arrival to guarantee that they are dealt with effectively and to timescale.

What are organisations required to deliver to the individual?

If the organisation is in fact processing the individual’s data, then the organisation must communicate that to them. In addition, the organisation must supply the following:

  • The purposes that you are using their data for
  • The categories of personal data being used
  • How long their personal data will be stored
  • Details of third parties to whom the data will be disclosed (documenting if any of these are outside of the EU and appropriate safeguards around this sharing)
  • Details of their rights in relation to this personal data (including the right to complain to the ICO)
  • Where this personal data was obtained from, if not received from the data subject
  • Confirmation as to whether the data is being used for “automated decision making” including profiling, the logic involved in this, and the consequences on the individual

How should organisations handle Access Requests?

It will be essential that organisations have clear procedures in place so that all staff know how to recognise an access request and pass it on quickly to the relevant lead in the organisation. This will provide assurance that the request is handled expertly and to timescale. If there is a failure to comply, your organisation can be left open to complaints, potentially to the Information Commissioner’s Office, and a potential fine of up to 20 million euros or up to 4% of total worldwide turnover. It is also worth noting that it is now an offence to alter an individual’s information in response to an access request.

When do organisations have the right to withhold personal data under the GDPR and the Data Protection Act?

When dealing with access requests there may be a number of restrictions on the type of information that can be released. One such restriction applies where releasing the information could affect the confidentiality of another individual, e.g. if the documents include information on another person. The UK Data Protection Act 2018 (Schedules 2, 3 and 4) lists several other areas where information may be exempt from release.

Staying prepared within your organisation

The best step that any organisation can take to ensure that all access requests are dealt with in a timely and productive manner is to know exactly where personal data is held. This includes all hard copies of any documents you may hold, as well as all electronically stored information.

Staff should be trained to identify access requests and how to respond to them within an appropriate timeframe.

In addition, ensuring that personal information is only kept for as long as your organisation needs it will make identifying, accessing and reviewing the information requested more straightforward.

As documented above, all organisations should have a process in place for handling requests and for identifying what constitutes personal data. Staff should be able to identify personal data, as well as the obligations the organisation must fulfil to maintain compliance.

Finally, if there are any questions or worries that the organisation has surrounding access requests, don’t be afraid to reach out to professionals and ask questions. There is also a myriad of helpful information available online on the ICO website.

Evolve North is always happy to answer any queries that you may have to better assist you to develop your procedures in this area, or to provide support in managing specific requests. You can contact us here.