We have written before about the issues with subject access requests (SARs) under GDPR. We are seeing a real rise in requests at the moment in part due to the current pandemic as employees in particular are making requests about the data that an employer or ex-employer might hold on them. There is a little bit more about data protection issues during the pandemic here www.bit.ly/cvrtw
Yesterday the UK Data Protection Authority, the Information Commissioner’s Office, issued new guidance on handling SARs. Strictly speaking, the guidance applies only to the UK and it is not binding in a court – indeed in previous cases, earlier versions of the ICO’s guidance were not followed by courts considering the same issue. The guidance follows responses from organisations of all shapes and sizes, however, and is clearly an indication of what the ICO is thinking. Cordery also took part in the consultation process for this new guidance.
Some technical terms are used in the note which are explained at www.bit.ly/gdprwords.
What is the Status of the Guidance?
Previously the ICO had a formal Code of Practice dealing with SARs. The Code of Practice had not been updated since GDPR and the Data Protection Act 2018 came into force. The new guidance is called a “Guide” rather than a “Code of Practice”. Some commentators have said that that is an indication that the ICO intends to be less definite in its advice. As we’ve said it is guidance and only the courts can definitively rule on disputes over SARs.
Last year the ICO issued draft guidance on handling SARs under GDPR. The new guidance builds on the draft guidance but with some important changes. It is a long document – 81 pages long in its pdf form – so this note will concentrate on just some aspects.
Stopping the clock
In our view a number of aspects of the draft guidance were unsatisfactory including guidance that the time for dealing with a SAR as set by GDPR Art.12(3) (without undue delay and in any event within one month of receipt of the request) would not stop running when the requestor had failed to provide details that the organisation reasonably required. This was a proposed change from prior guidance and we made representations to the ICO that in many cases not stopping the clock would be unfair. We are happy to say that the ICO listened to the submissions that we made.
Manifestly excessive requests
The new ICO guidance also has some other interesting aspects, for example on what is a manifestly excessive request. Many organisations struggle with manifestly excessive requests, often brought by third parties trying to work up group actions or by disaffected employees or customers who are more interested in tying up the resources of the company than in the reply that they receive. The ICO has provided new guidance on this.
Third party portals
A number of our clients are having difficulties with requests made by third party portals. The motivation and business model for some of these third party portals seems unclear and some of them are poor at communicating the request that they seek to make and in confirming who they are making a request for. There is specific guidance here from the ICO. Data controllers should consider:
- if they can verify the identity of the individual;
- if they are satisfied that the third party portal is acting with the authority of and on behalf of the individual; and,
- if they are able to view the SAR without having to take proactive steps (such as paying a fee or signing up to a service).
The ICO guidance is a reminder that data controllers are not obliged to take proactive steps to discover if a SAR has been made. So if you cannot view a SAR without paying a fee or signing up to a service, in GDPR terms you have not received the SAR and you are not obliged to deal with it.
The ICO also agrees with the position that we have maintained when dealing with these portals, that it is the portal’s responsibility to provide evidence that it has appropriate authority to act on the individual’s behalf. Simply referring to the terms and conditions of its service is unlikely to be sufficient for this purpose. The ICO says that the portal should provide this evidence when it makes the request. The ICO also confirms that when responding to a SAR from a portal the data controller is not obliged to pay a fee or sign up to a third party service to do so. It also confirms that a data controller can contact the individual directly before it responds to the portal where it has their contact information.
In other cases a data controller could contact the third party portal to advise it that the data controller will not respond to the request until it is satisfied that the request has been validly made. The ICO has also confirmed that when dealing with portals the time for dealing with a request does not start until the necessary information has been received.
Failure to answer clarification requests
As we have said, the ICO has now confirmed that some clarification requests can stop the clock. It also suggests that a SAR can be considered closed where clarification requests are not answered:
“Where you seek clarification, but do not receive a response, you should wait for a reasonable period of time before considering the request ‘closed’. While one month is generally reasonable, you should adopt a proportionate and reasoned approach.”
The ICO guidance reminds data controllers that just because they are engaged in “big data” does not mean that data subject rights do not apply. It is a reminder that derived behaviour (such as insights assumed from a user’s web-browsing or observed behaviours using AI connected with cameras) is still personal data where an individual is identified or identifiable, and data subject rights will therefore still apply. As a result it is even more important in our view that any organisation looking at big data has a robust DPIA process to make sure that data subject rights are factored into the planning phase. The ICO says:
“In these situations, it is even more important that you practice good data management, not just for facilitating the right of access but also because of the GDPR’s legal requirements on accountability and documentation. You need to have:
- adequate metadata;
- the ability to query your data to find all the information you have on an individual; and
- knowledge of whether the data you process has been truly anonymised, or whether it can still be linked to an individual.”
In our view, mistakes are often made here due to confusion between anonymised and pseudonymised data. You can see the difference in our glossary here: www.bit.ly/gdprwords
Despite the new guidance we can still expect more litigation over data subject rights. We’ve written about some recent litigation including two recent cases in England and Scotland here – https://www.corderycompliance.com/limits-on-sars-uk-court-rulings/
We can expect this trend for litigation to continue particularly as employees and ex-employees make more requests and for different types of data. Lockdown has also brought new challenges and sometimes new categories of data – for example we understand that requests for recordings of Zoom or Microsoft Teams meetings are on the rise despite that being a class of data that was rarely considered last year.
The new guidance is useful in helping organisations ensure they respond to SARs properly. Organisations need a proper plan to deal with requests. That might include:
- Check your existing SARs policy and procedure to make sure that they are up to the job. This includes making sure that it is clear what information has to be provided, and whether the exemptions are covered (including legal professional privilege) – update them as need be;
- Ensure that you have systems in place that can locate personal data when a SAR is made, especially from an IT perspective. Remember that most hard copy data will also be included;
- Look at document creation and retention – do you need all of the data you keep? The appropriateness of large amounts of HR data should be reviewed particularly in light of the large recent fine for H&M (see https://bit.ly/hamburgfine);
- Train staff on spotting and handling SARs; and,
- Set up and undertake regular compliance audits or reviews in order to identify and rectify SARs issues.
Cordery GDPR Navigator has further guidance on handling SARs including a template policy, guidance notes and films to use in training. You can find out more about Cordery GDPR Navigator at www.bit.ly/gdprnav
For more of our reporting about data protection issues see here http://www.corderycompliance.com/category/data-protection-privacy/.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785