We have seen a marked rise in the use of subject access requests in recent months. Cains provides both general and detailed advice on data protection law, and can guide organisations through the process to make sure that they respond to subject access requests correctly.
What is a Subject Access Request?
Any individual can make a request of any organisation to determine whether that organisation holds or otherwise processes the individual’s personal data and what data are processed. This is permitted under Article 15 of the Applied EU General Data Protection Regulation 2016/679 which is applied in the Isle of Man by virtue of the Data Protection (Application of GDPR) Order 2018.
The exercise of this right is commonly known as making a “data subject access request” or “subject access request”, and is usually the first step taken when exercising an individual’s rights to information. The reason behind the request does not matter – the organisation will still have to comply with the request.
As subject access requests are becoming more commonly used as a tactical strategy in employment claims and indeed in litigation more generally, it is imperative that organisations give careful consideration to the way information is being recorded and otherwise processed within their company and, more crucially, what information is being processed and why.
A subject access request may be made by an individual or via an authorised third party either in writing (including by way of email) or verbally. Organisations should record the date and content of the request and work out what steps need to be taken next in order to comply with the request.
What to do next
Once a subject access request has been received, the organisation:
- should consult their data protection officer or data protection representative and should adhere to the terms of the organisation’s data subject access request policies and procedures;
- should provide written confirmation of receipt of any subject access request to the requestor, so that there is no ambiguity on the part of either party as to when it was received;
- may wish to request that the requestor provide some form of identification and further information (such as date of birth, address or national insurance number), particularly where the requestor is not known to the organisation, or where there are employees with the same name;
- must respond to this request without charge* or any undue delay and in any event, generally within one month from the date of the receipt of the request (while this deadline may be extended under exceptional circumstances by a maximum of a further two months, the requestor must be informed of the delay and the reasons for it before the end of the first month – good practice is to do this as soon as possible); and
- should consider whether to obtain legal advice if guidance is required or any difficult issues arise (such as disclosure of third-party personal data).
* In most cases, an organisation can no longer charge a fee for an individual making a subject access request, or for providing a copy of the personal data requested to the individual. However, a reasonable administrative fee may be charged if further copies are requested or the request is manifestly unfounded or excessive.
Can an organisation refuse to act or give information?
An organisation may refuse to act if:
- it does not process the individual’s personal data;
- it can demonstrate that it is not in a position to identify the individual;
- the request is manifestly unfounded or excessive;
- the information requested relates to another individual (unless consent has been obtained or it is reasonable to provide the requested information without the other’s consent; an organisation must balance an individual’s right to access data against another individual’s rights in respect of their own information); or
- an exemption applies.
If an organisation refuses to comply with a request it must provide the individual with certain further information.
We would recommend that legal advice be considered if there is any doubt as to whether the above applies. The implications for non-compliance with Article 15 or for incorrectly responding to a subject access request can be severe.
Has COVID-19 affected an individual’s right to make a subject access request?
Despite the COVID-19 crisis, the ability for individuals to exercise any of their data protection rights currently remains unchanged. The Information Commissioner anticipates that individuals will understand the effect the crisis is having on organisations’ staffing levels and ability to offer full services and therefore has sought the co-operation of the public in exercising their data protection rights proportionately, responsibly and appropriately during this period and to anticipate that there may be delays in full responses.
Organisations experiencing difficulty in complying with requests within the statutory time should communicate clearly with individuals concerned about the handling of their request. For example, organisations may wish to explore the possibility of providing a staged response to a request.
Whilst statutory obligations cannot be waived, the Information Commissioner has stated that it will take a pragmatic and realistic approach in assessing complaints about compliance with a request made during the coronavirus pandemic.
How can we help?
Cains has a dedicated Employment and Data Protection team that specialises in giving prompt and practical advice, with a wealth of experience advising and representing businesses across a wide range of industry sectors. From guiding our clients on next steps, to drafting key correspondence, we are experts in the fields of employment and data protection.
Cains also provides a wide range of training to our clients on employment, governance and data protection matters, and would be pleased to organise a seminar or training for your organisation upon request.
The guidance in this note is for information purposes only and is not intended to be exhaustive. It is not intended to constitute legal or other professional advice, and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances. Cains accepts no responsibility for any errors, omissions or misleading statements or for any loss which may arise from reliance on the information in this note.