In December 2019 the Information Commissioner’s Office (ICO) published draft guidance on the right of access. The right of access (known as subject access) is a fundamental right of the General Data Protection Regulation (GDPR) which allows individuals to find out what data an organisation holds about them and to obtain a copy of that data.
In response to a subject access request (SAR) made to a data controller, an individual is entitled to (1) confirmation that the data controller is processing their personal data; (2) a copy of this personal data; and (3) other supplementary information (including the controller’s purpose for processing).
In this article we provide a brief overview of the key points within the ICO’s guidance on the right of access. The ICO’s website provides more extensive guidance on each of the points raised, which should be considered before submitting any response. Although the guidance is currently in draft form, we consider it will be of interest to data protection officers and those with specific data protection responsibilities in organisations.
Finding and retrieving the relevant information
The key points within the guidance in relation to the finding and retrieval of data are as follows:
- Clarification – a controller may ask the individual to clarify their request, or to provide further details to assist in locating the data. If this information is not forthcoming, the controller must still comply with the request and, unless it is genuinely unclear whether a SAR is being made, the time limit is unaffected.
- Archived information – the ICO recognises that search systems for this type of data might not be as sophisticated as for ‘live’ data. Despite this, a controller should use the same effort to find information to respond to a SAR as it would to find archived or backed-up data for its own purposes.
- Deleted information – information is deleted when a user tries to permanently discard it and has no intention of ever trying to access it again (e.g. not just because an email is moved to ‘deleted items’). The fact that extensive technical expertise might enable deleted electronic data to be recreated does not necessarily mean that controllers must go to such lengths to retrieve the personal data.
- Data stored on personal computer equipment – if a controller permits staff to hold personal data on their own devices, they may be processing that data on the controller’s behalf, in which case the data would fall within the scope of a SAR. A controller is not expected to instruct staff to search their private emails or personal devices unless it has good reason to believe they are holding personal data; it is therefore good practice to restrict the circumstances in which staff may hold such data.
- Non-electronic records – controllers should carefully consider whether this data falls within the scope of the SAR; the GDPR does not cover data which is not in, or intended to be in, a ‘filing system’ (a structured set of personal data which is accessible according to specific criteria).
- Amending or deleting data after receipt of a SAR – although the ICO’s view is that a SAR relates to data held at the time the request was received, it recognises that routine use of the data may result in it being amended or deleted while the SAR is being dealt with. It makes clear that it is not acceptable to amend or delete the data if the controller would not otherwise have done so in accordance with its routine data processing procedures (i.e. if the SAR had not been received).
Time limit for complying with the request
The guidance clarifies that the “one calendar month” time limit for responding to a request starts from the date of receipt of the request. A calendar month starts on the day the organisation receives the request, even if that day is a weekend or public holiday. It ends on the corresponding calendar date of the next month. However, if the end date falls on a Saturday, Sunday or bank holiday, the calendar month ends on the next working day.
A two-month extension is possible if a SAR is complex (although controllers should note a request is not necessarily complex simply due to the SAR involving a large amount of personal data). Multiple requests submitted at the same time as the SAR may also result in a controller extending the time for response.
Format of the information to be provided
The guidance provides that if the SAR has been submitted electronically, the response must be provided in a commonly used electronic format. If the SAR is submitted by other means, the response can be provided in any commonly used format (unless the requester reasonably requests that it is provided in another commonly used format). In some circumstances it may be appropriate to provide a response verbally; if so, a detailed record of what was said should be kept.
Importantly, controllers should not require individuals to take any specific action in order to access the data provided to them as part of the controller’s response. For example, the individual should not be required to download software in order to access files.
Finally, the information which a data subject is entitled to must be provided in a concise, transparent and intelligible form, using clear and plain language. The controller is expected to give the individual additional information to aid understanding if the data is not in a form they can easily understand; however, it is not expected to translate information or decipher unintelligible written notes.
Manifestly unfounded or excessive requests
A controller can refuse to comply with a SAR if it is manifestly unfounded or excessive. The guidance states that a request may be manifestly unfounded or excessive if:
- the individual clearly has no intention to exercise their right of access (e.g. offers to withdraw request in return for some benefit);
- the request is malicious in intent / has no real purpose other than to cause disruption;
- it repeats the substance of previous requests and a reasonable interval has not elapsed; or
- it overlaps with other requests.
Controllers should consider each request on a case-by-case basis rather than applying a blanket policy, and must be able to demonstrate why they consider that the request is manifestly unfounded or excessive.
When responding to a SAR, controllers should consider whether they can apply any of the exemptions contained within the Data Protection Act 2018 (DPA 2018). If an exemption applies, a controller can refuse to comply (wholly or partly) with a SAR, i.e. it may withhold certain personal data that would otherwise be disclosable.
Controllers should justify and document the reasons for relying on an exemption, and when refusing to comply with a request (whether because it is manifestly unfounded or excessive, or because an exemption applies), a controller must inform the individual of:
- the reason why the request is being refused;
- their right to complain to the ICO; and
- their ability to seek to enforce this right through judicial remedy.
There is an exemption in the DPA 2018 that says a controller does not have to comply with a SAR if to do so would mean disclosing information about another individual who can be identified from that information, except where:
- the other individual has consented to the disclosure; or
- it is reasonable to comply with the request without that individual’s consent.
When considering whether it is reasonable to comply with a SAR without the other individual’s consent, controllers are required to balance the data subject’s right of access against the other individual’s rights in respect of their own data.
A response should be provided whether or not it is decided to disclose information about a third party. If the controller has not obtained the consent of the third party and does not consider it reasonable to disclose the third-party information, that information should be withheld. Depending on the circumstances, it may be possible to provide some information, having edited or redacted the third-party information.