Subject Access Requests: What are they and how do they work?
A Subject Access Request (SAR) exercises the right of access, commonly referred to as subject access: anyone whose personal data we hold has the right to obtain a copy of that data together with certain supplementary information. The right exists to help the people whose data we handle understand how we are using it, and to check that we are doing so lawfully.
What data is a person entitled to?
Individuals have the right to obtain:
- confirmation that you are processing their personal data and a copy of that data
- other supplementary information – this largely corresponds to the information that you should provide in a privacy notice
Personal data of the individual
An individual is only entitled to their own personal data, not to information relating to other people (unless that information is also about them, or they are acting on behalf of the other person).
In addition to a copy of their personal data, you also have to provide individuals with the following information:
- the purposes of your processing
- the categories of personal data concerned
- the recipients or categories of recipient you disclose the personal data to
- your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it
- the existence of their rights to request rectification, erasure or restriction of processing, or to object to processing
- the right to lodge a complaint with the ICO or another supervisory authority
- information about the source of the data, where it was not obtained directly from the individual
- the existence of automated decision-making (including profiling); and
- the safeguards you provide if you transfer personal data to a third country or international organisation or confirmation that this does not happen.
You may be providing much of this information already in your privacy notice. If you are not, then you need to provide this as part of the response to the request.
How is a Subject Access Request made?
The GDPR does not specify how a valid request must be made. A subject access request can therefore be made verbally or in writing, to any part of your organisation, by any channel including social media, and it does not have to be addressed to a specific person or contact point.
A request simply has to make clear that the individual is asking for their own personal data. This is a challenge, as any employee could receive a valid request, but you have a legal responsibility to recognise that a request has been made and to act on it.
The firm should consider training for all staff who interact with individuals so that they can recognise a request when they receive one.
It is good practice to have a policy for recording the details of requests received, particularly those made verbally. The request log should record when the request was received, who received it, who made it, what action was taken on receipt, and finally when and how it was fulfilled.
It is also good practice to provide a form that can be sent to an individual who wants to make a subject access request, so that it is easier for them to complete and submit electronically. The form is a convenience, not a requirement: a request made by any other route is still valid.
How should the data be provided to individuals?
If an individual makes a request electronically, the information should be provided in a commonly used electronic format, unless the individual requests otherwise.
Recital 63 of the GDPR recommends that, where possible, organisations provide remote access to a secure self-service system that gives the individual direct access to their information, provided this does not adversely affect the rights and freedoms of others, including trade secrets or intellectual property. This is where the SafeBox or MLS (My Legal Space portal) from DPS work well.
Which version of the data?
If, when a request is received, the data being requested is 'live' and in the process of being changed (for instance a case file that is being updated), should you send the old version or the amended version?
The ICO's view is that a subject access request relates to the data held at the time the request was received. Despite this, it is reasonable to provide the data as it stands when the request is fulfilled, as long as the changes made in the meantime are routine. However, under the Data Protection Act 2018 (DPA 2018) it is an offence to amend the data with the intention of preventing its disclosure.
Whilst you have no duty to explain the contents of the information sent, you do need to ensure that the information is provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This is relative: when providing legal case files, it is understood that some of the information will be specialist.
Can you charge a fee for a Subject Access Request?
You cannot charge a fee to comply with a subject access request unless:
- the request is manifestly unfounded or excessive, in which case you can instead refuse to comply with the request; or
- an individual requests further copies of their data following a request.
In either case you should promptly contact the individual and inform them that you do not need to comply with the request until you have received the fee, which must be a reasonable fee based on the administrative cost of complying.
How long do we have to comply with a Subject Access Request?
You must act on a subject access request without undue delay and at the latest within one month of receipt. The time limit for a request received on 4 January starts on the next day, 5 January (which does not have to be a working day), and ends on 5 February, the same day of the following month. If that day is not a working day, the deadline is the next working day.
If there is no corresponding day in the following month, the deadline is the last day of that month. For example, if the request was received on 29 January the time limit starts on 30 January; there is no 30 February, so the deadline is 28 February (29 February in a leap year), or the next working day after it.
It is best to respond to a subject access request with a formal acknowledgement (or refusal) that states the calculated deadline date.
If you have doubts about the identity of the requester, you need to let them know immediately; the time limit then starts from the point at which the individual provides the identity information you asked for.
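The deadline rule above has two edge cases that are easy to get wrong by hand (a start date with no corresponding day in the next month, and a deadline that lands on a weekend or holiday), plus the restart of the clock when proof of identity is requested. The following Python is an added example written for this page, not DPS code; it encodes exactly the rule stated above (clock runs from the day after receipt, or after identity is confirmed). Bank holidays are not defined on this page, so the holiday set is a parameter and the one supplied here is a constructed example (Easter Monday 2024 in England and Wales), not a complete calendar.

```python
from datetime import date, timedelta
from typing import FrozenSet, Optional
import calendar

# Constructed example holiday set for illustration only: Easter Monday 2024
# (England and Wales). A real deployment supplies its own bank-holiday list.
EXAMPLE_HOLIDAYS: FrozenSet[date] = frozenset({date(2024, 4, 1)})


def corresponding_day_next_month(d: date) -> date:
    """Same day-of-month in the following month, or the last day of that
    month when the corresponding day does not exist (30 Jan -> 28/29 Feb)."""
    year = d.year + 1 if d.month == 12 else d.year
    month = 1 if d.month == 12 else d.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def next_working_day(d: date, holidays: FrozenSet[date] = frozenset()) -> date:
    """Roll forward past Saturdays, Sundays and any supplied holidays."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def sar_deadline(received: date,
                 identity_confirmed: Optional[date] = None,
                 holidays: FrozenSet[date] = frozenset()) -> date:
    """Latest date for complying with a subject access request.

    The clock starts the day after the request is received or, if proof of
    identity had to be requested, the day after that proof arrived. It ends
    on the corresponding day of the following month (or the last day of that
    month), moved to the next working day if it falls on a weekend/holiday.
    """
    clock_start = received if identity_confirmed is None else max(received, identity_confirmed)
    day_one = clock_start + timedelta(days=1)
    return next_working_day(corresponding_day_next_month(day_one), holidays)


def deadline_iso(received: str,
                 identity_confirmed: Optional[str] = None,
                 holidays: FrozenSet[date] = frozenset()) -> str:
    """Convenience wrapper taking and returning ISO-8601 dates (YYYY-MM-DD),
    e.g. for use from a request log that stores dates as text."""
    confirmed = date.fromisoformat(identity_confirmed) if identity_confirmed else None
    return sar_deadline(date.fromisoformat(received), confirmed, holidays).isoformat()


if __name__ == "__main__":
    # Worked cases matching the examples on this page plus the edge cases.
    for received in ("2024-01-04", "2024-01-29", "2023-01-29", "2024-02-02"):
        print(received, "->", deadline_iso(received))
    print("2024-02-29 (bank holiday on 1 April) ->",
          deadline_iso("2024-02-29", holidays=EXAMPLE_HOLIDAYS))
    print("2024-01-04, identity confirmed 2024-01-10 ->",
          deadline_iso("2024-01-04", identity_confirmed="2024-01-10"))
```

Recording the computed deadline in the request log alongside the receipt date (and the date identity was confirmed, if relevant) gives you the evidence you need if the timing is later questioned by the individual or the ICO.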
Anyone can make a request on another person's behalf. This might be a solicitor acting for a client, or someone an individual feels comfortable allowing to act for them.
In all such cases it is the third party’s responsibility to provide evidence of their entitlement to make the request.
What if the data requested includes information about other people?
The DPA 2018 says that you do not have to comply with the request if doing so would mean disclosing information about another individual who can be identified from that information, unless:
- the other individual has consented to the disclosure; or
- it is reasonable to comply with the request without that individual's consent.
In determining whether it is reasonable to disclose the information, you must take into account all of the relevant circumstances, including:
- the type of information that you would disclose;
- any duty of confidentiality you owe to the other individual;
- any steps you have taken to seek consent from the other individual;
- whether the other individual is capable of giving consent; and
- any express refusal of consent by the other individual.
You cannot refuse to provide access to personal data about an individual simply because you obtained that data from a third party.
You are the controller and not the processor
DPS hosted clients are the data controller and DPS is the data processor. Irrespective of this, the responsibility for complying with a subject access request lies with the controller.
DPS hosted contracts guarantee that DPS will deal with subject access requests properly and will inform you immediately of any request made to DPS concerning data you control.
You are not able to extend the time limit on the basis that you have to rely on a processor to provide the information that you need to respond.
When can we refuse to comply with a Subject Access Request?
You can refuse to comply with a subject access request if it is manifestly unfounded or excessive.
"Manifestly" means there must be an obvious or clear quality to the request being unfounded. A request may be manifestly unfounded if:
- the individual clearly has no intention of exercising their right of access. For example, an individual makes a request but then offers to withdraw it in return for some form of benefit from the organisation; or
- the request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption. For example:
- the individual has explicitly stated, in the request itself or in other communications, that they intend to cause disruption;
- the request makes unsubstantiated accusations against you or specific employees;
- the individual is targeting a particular employee against whom they have some personal grudge; or
- the individual systematically sends different requests to you as part of a campaign, e.g. once a week, with the intention of causing disruption.
A request may be excessive if it repeats the substance of previous requests and a reasonable interval has not elapsed.
You cannot have a blanket policy for this decision; each request must be considered on a case-by-case basis. You must be able to demonstrate to the individual why you consider the request manifestly unfounded or excessive and, if asked, explain your reasons to the Information Commissioner.
If you do decide not to comply, you need to inform the individual without undue delay and at the latest within one month of receipt of the request, telling them:
- the reasons you are not taking action;
- explaining their right to make a complaint to the ICO or another supervisory authority; and
- their ability to seek to enforce this right through a judicial remedy.