The right of individuals to access their personal data, commonly known as a Subject Access Request (“SAR”), is not new. The right was introduced in 1984 with the Data Protection Act 1984 and it has developed a great deal since then. In this three-part series on understanding subject access requests (SARs), we look at how to comply with present-day requirements.
To help you understand the terms used in this blog series, you may find it useful to visit our Data Protection Glossary.
Part 1 – Complying with subject access requests – the fundamentals
The right to access can be found within Article 15 of the UK GDPR. However, this needs to be read in conjunction with Article 12 of the UK GDPR, as the latter sets out additional requirements which must be complied with when processing SARs. It’s also worth noting that the Data Protection Act 2018 (“DPA 2018”) makes further provisions applicable to this right, such as when a SAR can be refused and when personal data is processed for the purposes of law enforcement or intelligence services. This series does not cover the latter but see part 2 in this series on SARs for more detail on exemptions and refusing to comply.
The basic right
The basic right is that an individual is entitled to have access to their personal data and be provided with a copy of it, together with ‘supplementary information’, without undue delay and, in any event within one month (unless circumstances allow for an extension of time). We look at each of these aspects below.
Controllers and processors
At this stage, it is worth highlighting that it is the responsibility of the controller of the personal data to respond to the request, not the processor. However, individuals may not realise this and may submit their requests to the processor. Therefore, controllers should ensure that they have appropriate arrangements in place with their processors so that they are notified promptly should this situation arise. In the same vein, processors must ensure they have appropriate controls in place to identify requests and assist controllers with the handling of SARs, without delay. The Information Commissioner’s Office (“ICO”) has issued guidance on controllers and processors.
Individuals making a SAR are entitled to their own ‘personal data’. This is any information from which they can be identified, either directly or indirectly.
In terms of whether an individual can be identified directly from the information in question, this is often quite straightforward. For example, a name is often sufficient to identify someone. That said, just because a document contains someone’s name does not automatically mean that the document will contain that person’s personal data. (See the Court of Appeal Judgment in Ittihadieh).
However, a name may not always be necessary and other information such as an online identifier could be enough. For instance, there will likely only be one CEO or MD in a business so if a role title such as this is referenced throughout a document (without any name present), it may be construed as personal data depending on the other content within the document and therefore could have to be included in response to a SAR. In assessing whether or not information constitutes personal data, the key questions are:
- Can the individual be distinguished from others?
- Does the information relate to them?
- Is the information obviously about them?
In terms of identifying someone indirectly, the key question is:
- Can the individual be identified from the information in question when put together with other information you already have or could reasonably obtain, assuming you are interested and sufficiently determined?
In most cases, it will be easy to decide whether information constitutes personal data. However, in some cases, the decision may be more complicated. The ICO has issued guidance on personal data or you can read our blog on personal data.
When processing SARs, it’s important to remember that pseudonymised data is still regarded as personal data for the purposes of the UK GDPR. Therefore, if you have substituted names with numbers, this will still be regarded as personal data. However, if the information is truly anonymised such that it cannot ever be traced back to the individual, it will not be classed as personal data and will not have the protection of the UK GDPR.
Access to or copy of the personal data
Individuals can make their SAR verbally or in writing and through various channels, even via social media. They do not have to quote the relevant law and, indeed, individuals often refer to the Freedom of Information Act (“FOIA”) by mistake. However, as controllers have an obligation under Article 12 of the UK GDPR to ‘facilitate’ SARs, if it is clear that an individual is making a request for access, despite quoting incorrect legislation, controllers should still process the request accordingly.
Before responding to the SAR, the controller needs to ensure that it is certain of the identity of the individual to avoid inadvertently releasing personal data to the wrong person. If the controller has reasonable doubts in this regard, it may ask the individual to produce information to prove their identity. However, the controller should not routinely ask requestors to provide identification documents as part of a SAR process – it should only do so if there are doubts about the requestor’s identity. For example, if a SAR is received via an email address that the requestor has used to correspond with the controller on numerous occasions in the past and the controller has this email address logged on its system as a way to contact the requestor, the controller should not need to ask the requestor to verify his/her identity as they should be confident they are dealing with the requestor (see XX v Groupon International Limited).
Once the individual’s identity has been confirmed, the controller should start searching for the information requested immediately, bearing in mind the strict time limit for responding (see below). If the request appears to be very wide, for example, the individual asks for “all my personal data”, the controller may ask the individual to be more specific about the information they want or the period of time they are interested in. The individual may provide precise details in response, which will help to narrow the search, but they are under no obligation to do so and a controller cannot force an individual to do so, for instance by saying it won’t comply with a SAR unless the requestor narrows the request.
The controller needs to conduct a reasonable search for the information but is not required to carry out a search that is unreasonable or disproportionate to the importance of the information requested. The search needs to cover all electronic records and all hard copy records that are within a structured filing system. The latter means that papers that are not in a filing system and are not intended to be filed fall outside the scope of a SAR. The only exception to this is if the SAR is made to a public authority.
Having found all the relevant information, the controller will need to review it and redact/remove any information that should not be disclosed, such as information about others. Controllers should keep in mind that an individual is not entitled to a document in its entirety just because their name is mentioned in it. The right of access is a right to information, not a right to documents. As such, an individual will only be entitled to receive access to or a copy of such parts of the documents that relate to them. For example, employees often make SARs to their employer and query why certain emails have not been provided to them when the employee knows they were copied into a specific email chain. The reason they have not received the emails in response to their SAR is likely because the content of the email does not relate to them and they cannot be identified from the body of the email.
If redactions are required, this must be carried out very carefully to ensure it is effective and permanent. For example, when applying redactions to paper copies, controllers should not simply use a black marker pen that becomes almost transparent when the document is held up to the light and, when applying electronic redactions, controllers should ensure that reliable software is used such that the redactions cannot be ‘undone’ to reveal the information intended to be withheld. Controllers should also be sure to retain the originals and keep a copy of the redacted version, in case a dispute arises or a subsequent SAR is made.
Article 12 of the UK GDPR requires controllers to respond to a SAR without undue delay and, in any event, within one month. This means that the clock starts ticking on the day the request is received and ends on the corresponding day of the following month. That said, the clock will only start once the controller is in receipt of ID (if this is required).
In terms of the end date, if the following month does not have a corresponding day because that month has fewer days, the end date is the last day of the month. For example, if a request is received on 30th January, the response would need to be provided by 28th February. In view of this, some organisations prefer to apply a 28-day response time for operational purposes.
No extra time is allowed if the request arrives on a weekend or bank holiday although, if the end date falls on a weekend or bank holiday, the response would not be required until the next working day.
Whilst the deadline is strict, it can be extended in some circumstances. In particular, if the controller considers that the request is complex or if the individual has made numerous data subject requests, the period can be extended by an additional two months. However, the controller must notify the individual within the first month that extra time is needed, together with the reasons. It is also worth noting that the clock will be paused when the controller asks the individual to clarify what information they want and it will start again when a response has been received.
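The deadline rules above (corresponding day next month, clamping to month end, roll-forward past weekends and bank holidays, the two-month extension, the clock starting only once ID is confirmed, and the pause during clarification) are easy to get wrong in a spreadsheet. This is an added worked calculator, not code from the original post or from Evalian; the bank-holiday set is a constructed sample and the pause is modelled, as an assumption, by shifting the corresponding-day deadline forward by the number of paused days.

```python
"""Compute the UK GDPR Article 12 response deadline for a SAR (added example)."""
import calendar
from datetime import date, timedelta
from typing import Optional

# Constructed sample of England and Wales bank holidays for 2023.
# In practice load the official published list for the years in scope.
BANK_HOLIDAYS = {
    date(2023, 1, 2), date(2023, 4, 7), date(2023, 4, 10), date(2023, 5, 1),
    date(2023, 5, 8), date(2023, 5, 29), date(2023, 8, 28),
    date(2023, 12, 25), date(2023, 12, 26),
}


def add_months(start: date, months: int) -> date:
    """Return the 'corresponding day' `months` later.

    If the target month has no such day (e.g. 30 January -> February), the
    end date is clamped to the last day of that month, as the post explains.
    """
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(day: date, bank_holidays=BANK_HOLIDAYS) -> date:
    """Roll a deadline that lands on a weekend or bank holiday to the next working day."""
    while day.weekday() >= 5 or day in bank_holidays:
        day += timedelta(days=1)
    return day


def sar_deadline(received: date, id_confirmed: Optional[date] = None,
                 extension_months: int = 0, paused_days: int = 0,
                 bank_holidays=BANK_HOLIDAYS) -> date:
    """Deadline for responding to a SAR received on `received`.

    id_confirmed:     if ID was required, the clock starts when it was received.
    extension_months: 0, or 2 for a complex/numerous-request extension that was
                      notified within the first month.
    paused_days:      days the clock was paused awaiting clarification (modelled
                      as an assumption: the deadline shifts forward by that many days).
    """
    if extension_months not in (0, 2):
        raise ValueError("extension is either none or an additional two months")
    start = max(received, id_confirmed) if id_confirmed else received
    due = add_months(start, 1 + extension_months) + timedelta(days=paused_days)
    return next_working_day(due, bank_holidays)
```

Note that a request received on a weekend gets no extra time (the start date is used as-is); only an end date on a non-working day rolls forward.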
As mentioned above, an individual is also entitled to receive ‘supplementary information’ with the response to a SAR, including:
- whether or not an organisation is processing their personal data and if so
- what categories of personal data they are processing
- for what purpose
- who the personal data will be shared with
- how long it will be retained
- the source of the personal data if it was not from the individual directly
- whether automated decision-making is being used
- whether their personal data is being transferred to a third country and if so, what safeguards are in place to protect their personal data
- what their rights are, including their right to lodge a complaint with the Information Commissioner’s Office (“ICO”)
All of the above is usually found in a privacy notice and, as such, the controller may simply wish to attach a copy of its privacy notice.
Sharing the disclosure
Having gathered all the relevant information and redacted anything the individual is not entitled to see, arrangements will need to be made to share the data. If the individual has submitted the request electronically, the response should be made using a commonly used electronic format (e.g. encrypted email or secure portal). If the request has been made verbally or by letter, the response can be in any commonly used format, electronic or hard copy. It is best practice to ask the individual, at an early stage, how they would like to receive the material.
Whatever method is used, the controller must ensure that the disclosure is secure. For example, controllers may wish to share electronic disclosures via a secure portal with the data being encrypted and send hard copies by recorded delivery.
On occasions, individuals ask for more than one copy of the data. However, the controller is only obliged to provide ONE copy free of charge and can, therefore, either refuse to provide additional copies or charge a reasonable fee based on administrative costs.
The covering letter/email should explain any terms/codes etc used within the material disclosed that may not be clear or obvious to the individual, together with details of any exemptions and reasons for redactions, where appropriate.
The above covers the fundamentals of SARs. In the next part of this series, “Part 2 – Refusing to Comply”, we look at exemptions that can be relied upon when a controller needs to withhold information under a SAR.
As a specialist data protection consultancy, Evalian® is well-placed to assist you with any queries you might have on SARs and how to respond to them.
If you would like an informal conversation on how we can assist, please get in touch. We can steer you in the right direction or, if you need help, we can assist at every level to ensure that you are covered.