15 Mar 2019
Rights of Data Subjects 1: The right to copies of data
One of the fundamental rights of any individual is to access their personal data.
Under the old Data Protection Act, this was known as a subject access request and is still commonly referred to as such. Under that old legislation, it was permissible for organisations to charge a £10 fee to process the request and in addition the request had to be made in writing. Both of these no longer apply.*
The new Data Protection Act 2018, which incorporates the provisions of the GDPR, does not specify how a request must be made. It can be oral or in writing and does not have to say, specifically or at all, that it is an access request. It is important therefore to ensure that your staff are all aware of this, can recognise when a request has been made, and know how to action it. Ideally, businesses should have in place a documented procedure to be followed, to record the request made, who takes control and determines how it is to be dealt with. You only have 28 days** in which to acknowledge and deal with a request and therefore time is of the essence. All staff should be aware that this is the case, as a delay could put you under pressure or, worse, cause you to miss the deadline for compliance and face a complaint being made to the Information Commissioner.
If you are uncertain about the identity of the individual, you can ask for information to confirm their identity, but you should do this straight away. The 28 day period then runs from the date that the information is provided, but it is important to be aware that it is not permissible to delay such a request and to use the same as an excuse or reason to extend the 28 day time for compliance.
If your organisation is processing large amounts of personal data about the individual, you can seek more detailed information from them about what specific data they require. They do not have to provide this, however, and if they do not, you must do your best to comply, searching for and providing as much of the data relating to the request as you can. As with confirmation of identity, the 28 day period runs from the date they provide their response and, again, you should ask as soon as possible and cannot use this as a reason to extend the 28 day period.
You should consider whether complying with a request will mean disclosing personal data about others. If it does, then you will need to either obtain their consent or look at ways in which the data can be redacted or limited so as not to impact upon their own rights. This can be a tricky and somewhat difficult balancing act and you may need to seek advice and guidance. It is permissible to refuse a request on this basis if it is not proportionately possible to comply without infringing the rights of others, but you should properly document what steps you have taken to address and balance the rights of those concerned and why you have made that decision. You can also refuse a request if it is “manifestly unfounded or excessive”, but in both of these instances you must be able, and ready, to explain and justify your decision and inform the individual not only of the reason why but also that, if they do not accept your decision, they have a right of recourse to the Information Commissioner or through the courts.
Nick Worsnop
nicholasworsnop@chadlaw.co.uk
*It is permissible to charge a fee to cover the administration costs where the request made is “manifestly unfounded”, “excessive” or duplicated but you will need to explain this beforehand and be ready, and able, to justify it.
** This may change, perversely, if the following month is shorter. The time period runs from the day after the date the request is received. So, for example, if you receive a request on 31st January the period expires on the last day of the following month (28th February) and not, as you would expect, 1st March. The time limit can be extended for a period of up to two months if the request is complicated but you must ensure that you let the person know within the 28 day period that this is the case and provide an explanation.
Please note that this article provides a basic overview for information purposes only. There are other issues and areas relating to this right of data subjects which are not covered within it.