Subject Access Request Guidance
The UK’s Information Commissioner’s Office (ICO) has produced new draft guidance on Subject Access Requests, which can be found here: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/ico-consultation-on-the-draft-right-of-access-guidance/
As you are no doubt aware, the Subject Access right allows individuals to find out what personal data is held about them and to obtain a copy of that data. This is a widely-used right and GDPR introduced some changes to it.
The ICO’s draft detailed guidance covers the following areas:
- What is the right of access?
- How should we prepare?
- How do we recognise a subject access request (SAR)?
- What should we consider when responding to a request?
- How do we find and retrieve the relevant information?
- How should we supply information to the requester?
- When can we refuse to comply with a request?
- What should we do if the request involves information about other individuals?
- What other exemptions are there?
- Are there any special cases?
- Health data, Education data & Social work data; and,
- Can the right of access be enforced?
Much of the guidance is similar to the previous guidance, but there are some new elements. One apparent change in policy suggested in the draft, to which we wish to draw your attention in particular, is the underlined statement below (found on pages 23-24 of the section entitled ‘How do we find and retrieve the relevant information?’):
“You cannot ask the requester to narrow the scope of their request, but you can ask them to provide additional details that will help you locate the requested information, such as the context in which their information may have been processed and the likely dates when processing occurred. However, a requester is entitled to ask for ‘all the information you hold’ about them. If an individual refuses to provide any additional information or does not respond to you, you must still comply with their request by making reasonable searches for the information covered by the request. The time limit is not paused whilst you wait for a response, so you should begin searching for information as soon as possible. You should ensure you have appropriate records management procedures in place to handle large requests and locate information efficiently.”
The consultation closes on 12 February 2020. We encourage you to have your say on the draft guidance.
Criminal Data Processing Survey
The ICO is undertaking a survey concerning the processing of personal data relating to criminal convictions and offences, or related security measures, which can be found here: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/ico-call-for-views-on-the-processing-of-personal-data-relating-to-criminal-convictions/
An organisation might process criminal data for several reasons – most typically this will be to assess people’s suitability for employment, but this may be for other reasons too. This processing is governed by a complex legislative framework – under the UK Data Protection Act 2018 extra compliance measures may be required (see Schedule 1 of the UK Data Protection Act 2018 here [especially Part 4]: http://www.legislation.gov.uk/ukpga/2018/12/schedule/1/enacted).
The ICO is conducting this survey to find out if gaps exist in controllers’ awareness and understanding of the data protection requirements of this type of processing. The survey should only take 15 minutes to complete – it closes on Friday 28 February 2020.
The fact that the ICO is undertaking this survey is a sign that there is ignorance and/or a lack of understanding of what criminal data processing is all about – this could even be a prelude to enforcement. We therefore encourage organisations to engage with this survey in order to get a better idea of what their compliance obligations might be in this area.
Further information & contact
For other articles that we have written about data protection issues please see here: https://www.corderycompliance.com/category/data-protection-privacy/
For details about Cordery’s GDPR Navigator subscription service, which includes short films, straightforward guidance, checklists and regular conference calls to help you comply, please see here: www.bit.ly/gdprnav.
For details of Cordery Breach Navigator please see here: https://www.corderycompliance.com/solutions/breach-navigator/.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
Office: +44 (0)207 075 1785
Office: +44 (0)207 075 1784