
Right of Access Under GDPR: Draft Guidance from the UK ICO

December 27, 2019 | Alerts

The United Kingdom's Information Commissioner's Office has issued, for public consultation, draft guidance on the right of access under the General Data Protection Regulation (GDPR).

Key takeaways:

To Prepare for a Data Subject Access Request:

  • Make information available about how individuals can make a Subject Access Request (SAR), for example, on your website, in leaflets and in your privacy notice.
  • Provide general training to all staff on how to recognize an SAR.
  • Provide more detailed training on handling SARs to relevant staff, dependent on job role.
  • Create a dedicated data protection page for staff on your intranet with links to SAR policies and procedures.
  • Appoint a specific person or central team that is responsible for responding to requests. Ensure that more than one member of staff knows how to process an SAR so there is resilience against absence.
  • Maintain information asset registers which state where and how personal data is stored.
  • Produce a standard checklist that staff can use to ensure a consistent approach is taken to SARs.
  • Maintain a log of SARs you have received and update it to monitor progress. The log may include copies of information supplied in response to an SAR, together with copies of any material withheld and why.
  • Have documented retention and deletion policies for the personal data you process.
  • Have measures in place to securely send information.
  • In your information management system, take a "data protection by design and default" approach and have effective records management policies. For example:
    • a well-structured file plan
    • standard file-naming conventions for electronic documents
    • a clear retention policy about when to keep and delete documents

How to Make a Request

  • The GDPR does not set out formal requirements for a valid request.
  • An individual can make an SAR verbally or in writing.
  • It can also be made to any part of your organization (including by social media) and does not have to be directed to a specific person or contact point.
  • It can cite other legislation.
  • It is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person.
  • It is good practice to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted it.
  • Individuals do not have to tell you their reason for making the request or what they intend to do with the information.
  • You should therefore consider designing a subject access form that individuals can complete and submit to you electronically. However, you should note that an SAR is equally valid whether it is submitted to you by letter, email or verbally. You must therefore make it clear that it is not compulsory to use the form and simply invite individuals to do so.
  • You should recognize the potential for individuals to make SARs via your social media channels and ensure that you take reasonable and proportionate steps to respond effectively to these requests. In most circumstances it will not be appropriate to use social media to supply information in response to an SAR for information security reasons. Instead you should ask for an alternative delivery address for the response.
  • You are not obliged to take proactive steps to discover that an SAR has been made.
  • Therefore, if you cannot view an SAR without paying a fee or signing up to a service, you have not "received" the SAR and are not obliged to respond.

Authorized Agent

  • An individual may prefer a third party (e.g. a relative, friend or solicitor) to make an SAR on their behalf.
  • You need to be satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of this. This might be a written authority to make the request or a more general power of attorney. Mere reference to the terms and conditions of its service is unlikely to be sufficient for this purpose.
  • If there is no evidence that a third party is authorized to act on behalf of an individual, you are not required to respond to the SAR. However, if you are able to contact the individual, you should respond to them directly to confirm whether they wish to make an SAR.
  • In most cases, provided you are satisfied that the third party has the appropriate authority, you should respond directly to that third party.
  • However, if you think an individual may not understand what information would be disclosed, and in particular you are concerned about disclosing excessive information, you should contact the individual first to make them aware of your concerns.

Timing for Response

To make sure you respond on time, aim to respond within 28 days of receipt of: (1) the request; (2) any information requested to confirm the requester’s identity; or (3) a fee (only in certain circumstances).

Verifying Identity

  • To avoid personal data about one individual being sent to another, either accidentally or as a result of deception, you need to be satisfied that you know the identity of the requester.
  • You also need to be satisfied that the data you hold relates to the individual in question (e.g. when an individual has similar identifying details to another person).
  • You can ask for enough information to judge whether the requester (or the person the request is made on behalf of) is the person that the data is about.
  • The key point is that you must be reasonable about what you ask for.
  • You should not request more information if the identity of the requester is obvious to you. This is particularly the case when you have an ongoing relationship with the individual.
  • The level of checks you make may depend on the possible harm and distress that inappropriate disclosure of the information could cause to the individual concerned.
  • Example: An online retailer receives an SAR by email from a customer. The customer has not used the site for some time and although the email address matches the company’s records, the postal address given by the customer does not. In this situation, before responding to the request it is reasonable to gather further information, which could simply be to ask the customer to confirm other account details such as a customer reference number.
  • Example: A GP practice receives an SAR from someone claiming to be a former patient. The name on the request matches a record held by the practice, but there is nothing else in the request to enable the practice to be confident that the requester is the right patient. In this situation, it is reasonable for the practice to ask for more information such as a document providing evidence of their date of birth.
  • You should request ID documents promptly.
  • If the requested information is not sufficient and you need to take further steps to verify the individual’s identity, the timescale for responding begins once you have completed the verification. However, this only applies in exceptional circumstances and generally the timescale for responding to an SAR begins upon receipt of the requested information.

Locating the Right Information

  • While it may be challenging, you should make extensive efforts to find and retrieve the requested information.
  • You should ensure that your information management systems are well-designed and maintained, so you can efficiently locate and extract information requested by the data subjects whose personal data you process and redact third party data where it is deemed necessary.
  • If you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request. However, this does not affect the timescale for responding: you must still respond to their request within one month.
  • You cannot ask the requester to narrow the scope of their request, but you can ask them to provide additional details that will help you locate the requested information, such as the context in which their information may have been processed and the likely dates when processing occurred.
  • If an individual refuses to provide any additional information or does not respond to you, you must still comply with their request by making reasonable searches for the information covered by the request.

Archived Information and Backup Records

  • There is no "technology exemption" from the right of access. You should have procedures in place to find and retrieve personal data that has been electronically archived or backed up.
  • You should use the same effort to find information to respond to an SAR as you would to find archived or backed-up data for your own purposes.

Deleted Information

  • The ICO’s view is that if you delete personal data held in electronic form by removing it (as far as possible) from your computer systems, the fact that expensive technical expertise might enable it to be recreated does not mean you must go to such efforts to respond to an SAR.
  • The ICO will not seek to take enforcement action against an organization that has failed to use extreme measures to recreate previously "deleted" personal data held in electronic form. It will not require organizations to use time and effort reconstituting information that they have deleted as part of their general records management.

Information Stored in Other Locations

  • The contents of emails stored on your computer systems are a form of electronic record to which the general principles above apply. For the avoidance of doubt, you should not regard the contents of an email as deleted merely because it has been moved to a user’s "Deleted items" folder.
  • The right of access applies irrespective of whether the personal data you process is stored in one location or in many different locations.
  • It is good practice to have a policy restricting the circumstances in which staff may hold information about customers, contacts or other employees on their own devices or in private email accounts. Nevertheless, if you do permit staff to hold personal data on their own devices, they may be processing that data on your behalf, in which case it is within the scope of an SAR you receive.
  • The ICO does not expect you to instruct staff to search their private emails or personal devices in response to an SAR unless you have a good reason to believe they are holding relevant personal data.
  • Whether the information in hard copy records is personal data accessible via the right of access depends primarily on whether the non-electronic records are held in a "filing system."
  • The volume and variety of big data, coupled with the complexity of data analytics, could make it more difficult for you to meet your obligations under the right of access. However, these are not classed as exemptions and are not excuses for you to disregard those obligations.
  • You need to have:
    • adequate metadata
    • the ability to query your data to find all the information you have on an individual
    • knowledge of whether the data you process has been truly anonymized, or whether it can still be linked to an individual

How to Provide the Information

  • If the SAR is submitted electronically (e.g. by email or via social media) you must provide a copy in a commonly used electronic format. You may choose the format, unless the requester makes a reasonable request for you to provide it in another commonly used format (electronic or otherwise).
  • If the SAR is submitted by other means (e.g. by letter or verbally) you can provide a copy in any commonly used format (electronic or otherwise), unless the requester makes a reasonable request for you to provide it in another commonly used format.
  • You may therefore provide the information in the form of transcripts of relevant documents (or of sections of documents that contain the personal data), or by providing a printout of the relevant information from your computer systems.
  • When determining what format to use, you should consider both the circumstances of the particular request and whether the individual has the ability to access the data you provide in that format. You should not expect them to download software to this end.
  • It is good practice to establish the preferred format with the individual prior to fulfilling their request.
  • Alternatives can also include allowing the individual to access their data remotely, and download a copy in an appropriate format.
  • The GDPR encourages controllers to provide individuals with remote access to their personal data via a secure system.
  • If an individual can download a copy of their personal data in a commonly used electronic format, then this satisfies the requirement to provide a copy, as long as the individual does not object to the format.
  • If an individual asks, you can provide the response to their SAR verbally, provided that you have confirmed their identity by other means. You should keep a record of the date you responded and what information you provided. This is most likely to be appropriate if they have requested a small amount of information. You are not obliged to provide information in this way. However, you should take a reasonable approach when considering such requests.

Explaining the Information Supplied

  • You may need to explain some of the information you provide when you respond to an SAR. However, this depends on the type of information and the reason it cannot be understood.
  • When providing a copy of the personal data requested, you are expected to give the individual additional information to aid understanding if the data is not in a form that they can easily understand. However, this is not meant to be onerous, and you are not expected to translate information or decipher unintelligible written notes.

Refusing an Access Request

  • You may refuse a request if it is manifestly unfounded or excessive.
  • You should consider each request on a case-by-case basis in order to decide if it is manifestly unfounded or excessive. You should not have a blanket policy.
  • Manifestly unfounded — A request may be manifestly unfounded if:
    1. the individual clearly has no intention to exercise their right of access; or
    2. the request is malicious in intent and is being used to harass an organization with no real purpose other than to cause disruption.
  • Excessive — A request may be excessive if it:
    1. repeats the substance of previous requests and a reasonable interval has not elapsed; or
    2. overlaps with other requests.

However, it depends on the particular circumstances.

  • If you refuse to comply with a request you must inform the individual of:
    1. the reasons why;
    2. their right to make a complaint to the ICO or another supervisory authority; and
    3. their ability to seek to enforce this right through a judicial remedy.

When Other People's Information Is Included

  • Consider whether it is possible to comply with the request without revealing information that relates to and identifies another individual. You may delete names or edit documents if the third-party information does not form part of the requested information.

If it is not possible to redact:

  • You do not have to comply with an SAR if to do so would mean disclosing information about another individual who can be identified from that information, except where:
    • the other individual has consented to the disclosure; or
    • it is reasonable to comply with the request without that individual’s consent.
  • You must be able to justify your decision to disclose or withhold information about a third party, so you should keep a record of what you decide and why. For example, it would be sensible to note why you chose not to seek consent or why it was inappropriate to do so in the circumstances.

Exceptions

The UK Data Protection Act sets forth a number of exceptions to the right of access, many of which deal with legal and public authority.

Additional exceptions to note:

  • Personal data that is processed for management forecasting or management planning in relation to a business or other activity. Such data is exempt from the right of access to the extent that complying with an SAR would be likely to prejudice the conduct of the business or activity.
  • Records of your intentions in negotiations with an individual are exempt from the right of access, to the extent that complying with an SAR would be likely to prejudice the negotiations.
  • Personal data included in a confidential reference is exempt from the right of access for the purpose of prospective or actual:
    1. education, training or employment of an individual;
    2. placement of an individual as a volunteer;
    3. appointment of an individual to office; or
    4. provision of any service by an individual.

The exemption applies regardless of whether you have given or received the reference.

  • Information about the outcome of academic, professional or other examinations is exempt, but the exemption only applies to the information recorded by candidates.
  • The information recorded by the person marking the exam is not exempt.
  • Unless otherwise specified, an SAR to a credit reference agency only applies to information relating to the individual’s financial standing.

Remedies

  • Anyone has the right to make a complaint to the ICO about an infringement of the data protection legislation in relation to their personal data, for example if a controller fails to comply with an SAR.
  • In appropriate cases, the ICO may take action against a controller or processor if they have failed to comply with data protection legislation. For example, the ICO could issue a controller or processor a warning, a reprimand, an enforcement notice or penalty notice.
  • If you fail to comply with an SAR, the requester may apply for a court order requiring you to comply. It is a matter for the court to decide, in each particular case, whether to make such an order.
  • If an individual suffers damage or distress because you have infringed their rights under the data protection legislation – including, of course, by failing to comply with an SAR – they are entitled to claim compensation from you. This right can only be enforced through the courts. You will not be liable if you can prove that you are not in any way responsible for the event giving rise to the damage.

Odia Kagan is a partner at Fox Rothschild and chair of the firm’s GDPR Compliance & International Privacy Practice. For assistance with the full range of GDPR compliance issues contact Odia at [email protected] or 215.444.7313.
