The right of an individual to be told whether an organisation is processing their personal data and be given access to that data (“subject access”) is a significant one in data protection law, and was the most common type of concern reported to the ICO in 2016/17.
Following the resolution of the legal cases dealing with subject access earlier this year (Dawson-Damer v. Taylor Wessing LLP, and Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd/Deer vs University of Oxford), the ICO has updated its Subject Access Code of Practice to reflect the legal precedents that have been set.
What are the significant changes?
1. Disproportionate effort
Previously, the SAR Code of Practice indicated that it would always be reasonable and proportionate to search all records for the requested information. The judgements in the cases mentioned above found that searching of records will be necessary, however it cannot be expected that no stone will be left unturned. Where an organisation is relying on a defence of “disproportionate effort” to justify not conducting exhaustive searches of data that they hold; the organisation must be able to demonstrate that a reasonable degree of searching has been carried out. If it can be demonstrated that further searching is unlikely to reveal the personal data of the data subject or that the difficulties in identifying and locating personal data are not caused by failure to keep good records then a claim of disproportionate effort may be valid.
The Code of Practice has now been amended to state
“The DPA places a high expectation on you to provide information in response to a SAR…..you should ensure that your information management systems are well-designed and maintained so that you can efficiently locate and extract information requested by the data subjects…”
(Chapter 6: Finding and retrieving the relevant information)
- Review your data storage and record-keeping systems to identify where personal data can be easily located and retrieved; or the levels of effort that would be required to find and retrieve personal data.
- Make sure that the process for complying with subject access requests includes a step to identify data locations and sources.
2. Reason for the request
Very few people make subject access requests purely for the joy of measuring how well their privacy rights are being upheld. Most subject access requests are made in the course of a dispute, a complaint, an investigation or a grievance. Previously, courts have declared that making a subject access request to assist with litigation is an “abuse of process”, however the recent judgements have taken a different view; in which the purpose of making a SAR is irrelevant and the right of an individual to require transparency as to how their personal data has been used must take priority. Courts can order an organisation to comply with a SAR and unless there is a specific, valid exemption to rely on; organisations will always have a legal duty to provide the requested information, regardless of the motivation for making the request.
The code now states:
“Whether or not the applicant has a ‘collateral purpose’ (i.e. other than seeking to check or correct their personal data) for making the SAR is not relevant. However the court does have a wide discretion as to whether or not to order compliance with a SAR…”
(Chapter 9: Exemptions)
- Provide training to staff who will be handling SARs on the valid exemptions that can be applied to information that needs to be withheld from a SAR.
- Have clear processes on when to handle a request for information as a standard business-as-usual query, and when subject access procedures should be initiated
- Make staff aware that any data they generate might be disclosable and therefore all of their communications must be courteous, professional and as accurate as possible.
3. Legal professional privilege
The Dawson-Damer case dealt with a SAR made in connection with business dealings outside the UK, where different confidentiality and legal privilege rules apply. The judgement clarified that the exemption from disclosing information which is legally privileged in response to a SAR only applies to the legal professional privilege that exists in the UK. Additionally, it is not enough to declare certain categories or sets of data “legally privileged” just because they were written by a lawyer or in connection with legal proceedings – the privilege only extends to advice given by a lawyer to their client (“legal professional privilege”) or communications between a lawyer, client and third party in relation to litigation (“litigation privilege”).
The words “in the UK” have been added to the Code of Practice’s explanation of exemption for legal privilege (Chapter 9: Exemptions).
- Seek expert advice before refusing all or part of a SAR on the basis that the information is legally privileged
- Ask your legal advisors to clearly mark any communications that are covered by legal privilege, so that they can be identified and considered for exclusion in the event of a SAR.
GDPR and subject access
The right of subject access is very similar under GDPR, with the major differences being the abolition of a £10 administration fee (although “reasonable” fees can be charged for repeat requests) and the shortening of the timescale for providing the information, which is now 30 calendar days rather than 40.
Failure to uphold the right of subject access is associated with the higher tier of penalties (the maximum for which is the often-quoted ‘4% of global turnover/20 million euros’), however there is also the potential for individuals to pursue their data protection rights in court, rather than waiting for the ICO to intervene. The resulting disruption, costs of litigation and reputational damage could be just as significant – or more – as regulatory penalties.