Subject Access Rights

An individual’s right to know where and how his/her personal data is being used has always been an important part of data protection laws, and this doesn’t change under the GDPR. An individual still has the same right to make ‘subject access requests’, and businesses have an obligation to respond. But the process is about to become rather more complex than it has ever been before.

Under the DPA:

An individual is entitled to:

  • be informed whether the data controller is processing any of his/her personal data
  • receive a description of the personal data being processed, why it is being processed, and to whom the personal data has been or may be disclosed
  • receive a copy of that personal data

What does the DPA definition really mean?

A person has the right to be told whether a business is processing any of his/her personal data and, if so, to receive a copy of that data and information about why and how it is being processed.

Under the GDPR:

An individual is entitled to:

  • be informed whether the data controller is processing any of his/her personal data
  • receive a description of the personal data being processed, why it is being processed, and to whom the personal data has been or may be disclosed
  • be informed where the personal data was originally collected from (if not from the individual directly)
  • be informed how long the personal data will be processed
  • be notified of his/her right to complain to the Information Commissioner
  • be notified that he/she has certain rights under the GDPR (including the right to be forgotten and the right to have inaccurate data rectified)
  • be informed whether his/her personal data is used in any automated decision-making process
  • be informed of any appropriate safeguards in place where his/her personal data is transferred out of the UK
  • receive a copy of that personal data in a ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’

What does the GDPR definition really mean?

The underlying principle is no different under the GDPR – it’s simply that the amount of information that must be disclosed to the individual is now substantially greater.

What are the significant differences between the DPA and the GDPR?

The DPA allows the data controller to charge £10 for dealing with each request in most cases – but under the GDPR, all requests must be dealt with free-of-charge unless the request is ‘manifestly unfounded or excessive’.

The timescale has also decreased. The DPA allowed 40 days to respond to a request, with the clock only starting once the £10 had been paid, the individual had confirmed his identity and provided any further information the data controller requested. Under the GDPR, the response must be given ‘without undue delay’, and in any event within 1 month of the request. That period can be extended to 2 months in particularly complex situations.

Under the DPA, a data controller could refuse a request where disclosure of any personal data would also disclose information relating to another person, unless that other person had given their consent. The GDPR allows the data controller to refuse a request only where it cannot reasonably identify the individual making the request.

Where a request is made electronically, the GDPR states that the response must also be made electronically. In all other cases, the response must be given in writing unless the individual requests otherwise.

What effect will this have on UK businesses?

In order to respond fully to subject access requests, businesses are going to need to ensure their record-keeping is comprehensive and up-to-date – how else is a business going to be able to tell an individual where their personal data was originally collected from?

We are likely to see an increase in the number of subject access requests being made by individuals, particularly where an individual is in dispute with the business, given the increased time and effort now needed to respond. Businesses may be more inclined to settle disputes than deal with requests.

And a business’s process for receiving, identifying and dealing with subject access requests will need to be more formal, as the maximum fine for non-compliance is up to €20 million (or 4% of annual global turnover).

What will my business need to do?

Revise your business’s data protection policy to include a process for identifying and dealing with subject access requests, so that each and every one is recorded and responded to fully. Ensure the policy identifies one or more members of staff who are primarily responsible for responding to requests, so that each and every one is dealt with in accordance with the GDPR.

Ensure that, wherever personal data is processed within your business, you have comprehensive and up-to-date records including (as an absolute minimum) the information that you would be required to disclose if you were ever to receive a subject access request in relation to that data.

Q&As

So if I receive a request from somebody, I will have a month to reply?

No. You must respond ‘without undue delay’, and hence if it was reasonable for you to gather the information and respond more quickly, you must do so. The one-month period is the absolute deadline. However, if the request is complex, then you can (within that one-month period) explain to the individual why you need more time, and you then have an additional month in which to respond.

And I can no longer charge £10 for responding?

No, definitely not. Where the request is ‘manifestly unfounded or excessive’, perhaps because of a number of repetitive requests, then you are entitled to either refuse to respond or, if you do respond, charge a reasonable fee to cover your administrative costs. But otherwise, you must deal with all requests free-of-charge.

What if I’m not convinced the individual making the request is who he says he is?

If you are not in a position to identify the individual making the request, then you do not have to respond to the request. However, the onus is on you to prove that the individual’s identity is in doubt, and you will be expected to ask the individual to confirm his identity before refusing to respond.

But I have absolutely no idea where the data I’m processing came from originally because it’s so old – what can I do?

If you receive a subject access request in relation to that data, and it is classed as personal data, then you are required to inform the individual of any available information as to its original source. If you genuinely don’t know, and cannot reasonably find out, then you are entitled to explain that to the individual.

I’ve really got to tell the individual that he has a right to complain about my business?

Yes. If you receive a subject access request, you must inform him that he has a right to complain to the Information Commissioner about your business if he believes you have failed to comply with the GDPR.

What about subject access requests received from my current employees?

At the moment, they are treated no differently, and you would be required to respond in precisely the same way. However, the GDPR does say that the UK Government can introduce additional data-related regulations dealing with employees, and it is possible that these regulations may include additional or alternative terms.

Glossary

  • Data controller means the person/business who determines the purposes for which personal data will be processed, and the manner in which it will be processed.
  • DPA means the Data Protection Act 1998, the statute that previously governed the processing of personal data in the UK.
  • GDPR means the General Data Protection Regulation, the EU law that replaces the Data Protection Act 1998.
  • Information Commissioner means the regulatory authority that is tasked with policing the use, storage, transmission and processing of personal data in the UK, including preparing UK businesses for the introduction of the GDPR.
  • Personal data means any data from which a living person can be identified.
  • Process means to do just about anything with personal data, e.g. collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting, erasing, destroying or otherwise making the data available to somebody else.

Notes

This briefing is based on the law as it stands in April 2017. It is possible (and, indeed, likely) that, before the GDPR comes into force in May 2018, the Information Commissioner’s Office will release a number of guidance notes that will help to interpret the GDPR. These guidance notes may offer additional advice for UK businesses, and may even cause some of the information in this briefing to become incorrect. As a result, this briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.