What is this all about?
By way of reminder, under the EU General Data Protection Regulation (“GDPR”), and national data protection legislation, individuals have the right to access their personal data, more commonly called a Subject Access Request (“SAR”), key highlights of are which:
- Individuals can make a SAR verbally or in writing;
- There is one month within which to respond to a request; and,
- A fee cannot be charged to deal with a request, in most circumstances.
In the UK the Information Commissioner’s Office (“ICO”) is the regulator that deals with SARs and it recently issued its revised guidance on this area entitled “Right of access” (“the guidance”) which can be found here https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/. This is not to be confused with the ICO’s “Subject access code of practice”, which has yet to be updated in light of both GDPR and the UK’s Data Protection Act 2018.
These FAQs looks at key aspects of the guidance – it is not exhaustive.
What is the key change to note? Calculating the reply time-limit
The key change to note concerns calculating the time-limit within which to respond to a SAR. As a rule you need to respond to a SAR “without undue delay and in any event within one month of receipt of the request” – this can be extended by a further two months in certain circumstances. Under the revised ICO guidance you should calculate the time limit from the day you receive the request until the corresponding calendar date in the next month – this is the case whether or not the day you receive the request is a working day. If the next month is shorter and there is no corresponding calendar date in the following month, you have until the last day of the following month to respond. If the corresponding date in the following month falls on a weekend or a public holiday, you have until the next working day to respond.
The ICO has also provided two working examples as follows:
- Example 1 – You receive a SAR on 3 September. The time limit will start the same day, i.e. 3 September. You have until the corresponding date in the next month to respond to the request, i.e. 3 October. If 3 October falls on a weekend or public holiday, you have until the next working day to comply; and,
- Example 2 – You receive a SAR on 31 March. The time limit will start from the same day, i.e. 31 March. As there is no equivalent date in April, you have until 30 April to respond to the request. If 30 April falls on a weekend, or public holiday, you have until the end of the next working day to comply
By extension, although not covered by the ICO guidance, if you receive a data subject request on 31 January, your time limit will start to run on 31 January, but as there is no 31 February, you will only have until 28 February (or 29 February in a leap year) to respond
What else is of particular note? Manifestly unfounded requests & excessive requests
Under GDPR you can either refuse to comply with a SAR or charge a reasonable fee if it is: either, “manifestly unfounded”; or, “excessive”.
According to the ICO’s guidance “In order to decide if a request is manifestly unfounded or excessive you must consider each request on a case-by-case basis. You should not have a blanket policy. You must be able to demonstrate to the individual why you consider the request is manifestly unfounded or excessive and, if asked, explain your reasons to the [ICO]”.
According to the ICO’s guidance “A request may be ‘manifestly unfounded’ if:
- The individual clearly has no intention to exercise their right of access. For example an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation; or,
- The request is malicious in intent and is being used to harass an organisation with no real purposes other than to cause disruption. For example:
- The individual has explicitly stated, in the request itself or in other communications, that they intend to cause disruption;
- The request makes unsubstantiated accusations against you or specific employees;
- The individual is targeting a particular employee against whom they have some personal grudge; or,
- The individual systematically sends different requests to you as part of a campaign, e.g. once a week, with the intention of causing disruption”
The ICO guidance also states that:
- “This is not a simple tick [check] list exercise that automatically means a request is manifestly unfounded. You must consider a request in the context in which it is made, and you are responsible for demonstrating that it is manifestly unfounded.
- Also, you should not presume that a request is manifestly unfounded because the individual has previously submitted requests which have been manifestly unfounded or excessive or if it includes aggressive or abusive language.
- The inclusion of the word ‘manifestly’ means there must be an obvious or clear quality to it being unfounded. You should consider the specific situation and whether the individual genuinely wants to exercise their rights. If this is the case, it is unlikely that the request will be manifestly unfounded.”
The ICO has also provided a working example as follows:
- “An individual believes that information held about them is inaccurate. They repeatedly request its correction but you have previously investigated and told them you regard it as accurate. The individual continues to make requests along with unsubstantiated claims against you as the controller. You refuse the most recent request because it is manifestly unfounded and you notify the individual of this”.
According to the ICO’s guidance “A request may be excessive if:
- It repeats the substance of previous requests and a reasonable interval has not elapsed; or,
- It overlaps with other requests.
However, it depends on the particular circumstances. It will not necessarily be excessive just because the individual:
- Requested a large amount of information, even if you might find the request burdensome. Instead you should consider asking them for more information to help you locate what they want to receive;
- Wanted to receive a further copy of information they have requested previously. In this situation a [data] controller can charge a reasonable fee for the administrative costs of providing this information again and it is unlikely that this would be an excessive request;
- Made an overlapping request relating to a completely separate set of information; or,
- Previously submitted requests which have been manifestly unfounded or excessive”.
The ICO’s guidance also states that “When deciding whether a reasonable interval has elapsed you should consider:
- The nature of the data – this could include whether it is particularly sensitive;
- The purposes of the processing – these could include whether the processing is likely to cause detriment (harm) to the requester if disclosed; and,
- How often the data is altered – if information is unlikely to have changed between requests, you may decide you do not need to respond to the same request twice. However, if you have deleted information since the last request you should inform the individual of this.”
Is there anything else of particular note? Amending data
The ICO’s guidance includes the following FAQ: “We have received a request but need to amend the data before sending out the response. Should we send out the “old” version?”, which it replies to as follows:
- “It is our view that a subject access request relates to the data held at the time the request was received. However, in many cases, routine use of the data may result in it being amended or even deleted while you are dealing with the request. So it would be reasonable for you to supply information you hold when you send out a response, even if this is different to that held when you received the request.
- However, it is not acceptable to amend or delete the data if you would not otherwise have done so. Under the Data Protection Act 2018 (DPA 2018), it is an offence to make any amendment with the intention of preventing its disclosure”.
One issue that the ICO’s guidelines does not address concerns the exception under GDPR that allows for the possibility of not complying with a SAR “where the provision of information to the data subject proves to be impossible or would involve a disproportionate effort” – presumably this will be addressed when the ICO revises its “Subject access code of practice”.
What are the takeaways?
The key action that businesses can do for now is to review their SAR compliance policies and processes in light of the guidance.
For more of our reporting about data protection issues see here http://www.corderycompliance.com/category/data-protection-privacy/.
Data breaches are also a key issue for organisations who need to make sure that they do all that they can to stop data breaches including ensuring they can react to data breaches quickly when they happen. Cordery’s Breach Navigator can help organisations respond to a breach. There are more details here https://www.corderycompliance.com/solutions/breach-navigator/.
For more information about GDPR please see details of Cordery GDPR Navigator here www.bit.ly/gdprnav.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
Office: +44 (0)207 075 1785
Office: +44 (0)207 075 1784