The ICO’s New Subject Access Guidance

markus-winkler-afW1hht0NSs-unsplash

GDPR has introduced some new Data Subject rights including the right to erasure and data portability. The familiar right of Subject Access though still remains albeit with some additional obligations. Last week the Information Commissioner’s Office (ICO) published its long awaited right of access detailed guidance following a consultation exercise in December. The guidance provides some much needed clarification on key subject access issues Data Controllers have been grappling with since May 2018. 

Reasonable Searches 

Sometimes Data Subjects make subject access requests with the aim of creating maximum work for the recipient. “I want to see all the documents you hold which have my name in them, including e mails” is a common one. How much effort has to be made when searching for such information? The new guidance states that Controllers should make reasonable efforts to find and retrieve the requested information. However, they are “not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information.” Factors to consider when determining whether searches may be unreasonable or disproportionate are:

  • the circumstances of the request; 
  • any difficulties involved in finding the information; and 
  • the fundamental nature of the right of access. 

Thus there is no obligation to make every possible effort to find all instances of personal data on the Data Controller’s systems. However, the burden of proof is on Controllers to be able to justify why a search is unreasonable or disproportionate. 

Stopping the Clock 

Data Controllers have one month to respond to a subject access request. Normally this period starts from the day the request is received. Previously the ICO guidance stated that the day after receipt counted as ‘day one’. They revised their position last year following a Court of Justice (CJEU) ruling

Data Controllers can ask the Data Subject to clarify their request, if it is unclear what they want, but this often leaves little time to meet the one month deadline. Having considered consultation responses, the ICO’s position now is that where a request requires clarification, in certain circumstances, the clock can be stopped whilst Controllers are waiting for clarification. 

Manifestly Unfounded and Excessive 

Article 12(5) of GDPR allows Data Controllers to refuse a Data Subject request or charge a fee where it is “manifestly unfounded or excessive.” The burden of proving this is on the Controllers whose staff often struggle with these concepts. The ICO has now provided additional guidance on these terms. 

A request may be manifestly unfounded if: 

  • The individual clearly has no intention to exercise their right of access; or 
  • The request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption. For example, the individual: 
  • explicitly states, in the request itself or in other communications, that they intend to cause disruption; 
  • makes unsubstantiated accusations against you or specific employees which are clearly prompted by malice; 
  • targets a particular employee against whom they have some personal grudge; or 
  • systematically sends different requests to the Controller as part of a campaign, e.g. once a week, with the intention of causing disruption. 

To determine whether a request is manifestly excessive Data Controllers need to consider whether it is clearly or obviously unreasonable. They should base this on whether the request is proportionate when balanced with the burden or costs involved in dealing with the request. This will mean taking into account all the circumstances of the request, including: 

  • the nature of the requested information; 
  • the context of the request, and the relationship between the Controller and the individual; 
  • whether a refusal to provide the information or even acknowledge if the Controller holds it may cause substantive damage to the individual; 
  • the Controller’s available resources; 
  • whether the request largely repeats previous requests and a reasonable interval hasn’t elapsed; or 
  • whether it overlaps with other requests (although if it relates to a completely separate set of information it is unlikely to be excessive).  

The Fee 

What can be included when charging a fee for manifestly unfounded or excessive requests? The new guidance says Data Controllers can take into account the administrative costs of: 

  • assessing whether or not they are processing the information; 
  • locating, retrieving and extracting the information; 
  • providing a copy of the information; and 
  • communicating the response to the individual 

A reasonable fee may include the costs of: 

  • photocopying, printing, postage and any other costs involved in transferring the information to the individual; 
  • equipment and supplies (e.g. discs, envelopes or USB devices) 

Staff time can also be included in the above based on the estimated time it will take staff to comply with the specific request, charged at a reasonable hourly rate. In the absence of relevant regulations under the Data Protection Act 2018, the ICO encourages Data Controllers to publish their criteria for charging a  fee and how they calculate it.  

Finally, the new ICO guidance emphasises the importance of preparation particularity the need to have: 

  • Training for employees to enable them to recognise subject access requests;  
  • Specific people appointed to deal with requests; 
  • Policies and procedures; and  
  • Technical systems in place to assist with the retrieval of requested information. 

Our Handling Subject Access Requests workshop is now available online. It covers all aspects of dealing with SARs including identifying and applying exemptionsLooking for a GDPR Qualification? Final places left on our online GDPR Practitioner Certificate

A Matter of Priorities: FOI and DP Deadlines in a Pandemic

Photo by Oladimeji Ajegbile on Pexels.com

Responding to the Covid-19 pandemic is stretching our public services. Most obviously the NHS is diverting all the resources it can to meeting critical health needs. But local authorities are also struggling to maintain vital services in the face of unprecedented demands and staff who, if not already ill and self-isolating, are obliged to comply with social distancing measures. Other public authorities are facing logistical challenges in maintaining services and some are even having to put some staff on HMRC-funded furlough.

In such challenging circumstances, where does dealing with information requests under Freedom of Information and DataProtection laws sit in the scheme of priorities? Many authorities who are fortunate enough to have staff dedicated to handling FOI requests or data subject access requests will have re-tasked them to undertake more business-critical roles. Where staff have information request handling as only part of their role, other more pressing duties are likely to trump FOI and DP timescales. And where staff are working from home and access to premises either discouraged or forbidden, manual records may remain inaccessible for weeks or months to come.  Where requests are made by post, they may be delivered to offices which will not be staffed for some time.

The response of the Scottish Government has been robust. On 1 April 2020, the Scottish Parliament passed the Coronavirus (Scotland) Bill which, while retaining the statutory requirement to “respond promptly”, extends the timescale for responding to requests under the Freedom of Information (Scotland) Act 2002 from twenty to sixty working days. Moreover, Part 2 of Schedule 6 provides a mechanism for the Scottish Ministers to allow Scottish public authorities to extend the timescale, subject to providing written notice to the applicant, by a further forty working days, where the authority “determines that it is not reasonably practicable to respond to the request within the relevant period because of…  (a) the volume and complexity of the information requested, or (b) the overall number of requests being dealt with by the authority at the time that the request is made.”

The emergency legislation also allows the Scottish Information Commissioner to find that a public authority has not failed in their duties under FOISA if he is satisfied that the failure to respond within timescales was due to the impact of coronavirus and reasonable in the circumstances. The Scottish Information Commissioner for his part is keen to remind public authorities that their duty to respond promptly remains, that the measures are temporary, and that they do not extend to the Environmental Information (Scotland) Regulations 2004 (EISR).

Of course, the Scottish Parliament cannot legislate with regard to data protection (where EU and UK legislation applies) nor can it amend the timescales for requests under the EISR as they implement the obligations of the Aarhus Convention. But as far as they can do so, the Scottish Government and Parliament have sought to relax the demands of information requests in the face of the pandemic.

For data subject access requests under GDPR (or s 45 of the Data Protection Act 2018 where they relate to law enforcement processing) and requests under the Freedom of Information Act 2000, there is no relaxation of the law. This was despite the call to do so from some quarters, including the Local Government Association who called on Parliament to include measures “temporarily relaxing the requirements on councils in regard to GDPR and FOI”. We rely instead on flexibility from the Information Commissioner as regulator.

While the UK Government did not take the opportunity of the Coronavirus Act to take extend time limits(and would be unable to do so in any case with regard to GDPR as we are still in the transition period), the ICO has made clear they will not penalise organisations who have made understandable decisions to prioritise other tasks. As they state on their website, “We are a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern. Regarding compliance with information rights work when assessing a complaint brought to us during this period, we will take into account the compelling public interest in the current health emergency.”

Organisations should therefore be reassured that they are unlikely to face official censure or significant public criticism if they make reasonable decisions to prioritise other tasks to protect and serve the public ahead of normal levels of service for FOI requests and subject access requests. If your organisation, almost inevitably, is finding it difficult to meet the timescales at this difficult time, we would suggest you take a common-sense and measured approach:

  • Make a record of your decisions to re-allocate resources from handling information rights requests to other service-delivery priorities;
  • Document the practical challenges (such as inaccessibility of manual records or post, and unavailability of key colleagues) which mean that it is “reasonable in all the circumstances” that the organisation is not able to meet normal levels of performance;
  • Manage the expectations of applicants through your website and in your acknowledgements of requests and your automated email responses, and continue to communicate with applicants as far as you are able to do so;
  • At the point at which your organisation, and the rest of humanity, is beginning to recover from the Covid-19 emergency, develop and document an action plan for addressing any backlog of requests which has built up.

At Act Now, we are passionate about the importance of information rights: They are at the heart of our democracy and our human rights. But the right to life must take priority over others, and we would be the first to recognise that organisations and individuals must make decisions which put people first, particularly at a time of global emergency.

Be kind and stay safe.

More on this and other developments in our FREE GDPR update webinar. Looking for a GDPR qualification from the comfort of your home office? Our GDPR Practitioner Certificate is now available as an online option.

GDPR Subject Access Time Limits Reconsidered

Just like its predecessor (DPA 2018), the General Data Protection Regulation (GDPR) gives Data Subjects a right to make a Subject Access Request (SAR) to a Data Controller. This means that they can obtain:

  • Confirmation that their data is being processed
  • Access to their personal data
  • Other supplementary information

The supplementary information mentioned above is the same as under section 7 of the DPA (e.g. information about the source and recipients of the data) but now also includes, amongst other things, details of international transfers, other Data Subject rights, the right to lodge a complaint with the ICO and the envisaged retention period for the data.

Time Limit

The DPA allowed Data Controllers 40 calendar days to respond to a SAR. Under GDPR Article 12, the requested information must be provided “without undue delay and in any event within one month of receipt of the request”. This can be extended by a further two months where the request is complex or where there are numerous requests. If this is the case, the Data Subject must be contacted within one month of the receipt of the request with an explanation of why the extension is necessary.

When does the one month to respond start from?

Previously the ICO guidance stated that the day after receipt counted as ‘day one’. This has now been revised following a Court of Justice of the European Union (CJEU) ruling.
It says that Data Controllers should calculate the time limit from the day they receive the request (whether it is a working day or not) until the corresponding calendar date in the next month. For example, a Data Controller receives a request on 3rd September. The time limit will start from the same day. This gives the Data Controller until 3rd October to comply with the request.

If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, Data Controllers have until the next working day to respond.

This means that the exact number of days Data Controllers have to comply with a request varies, depending on the month in which the request was made. For example, an organisation receives a request on 31st March. The time limit starts from the same day.
As there is no equivalent date in April, the Data Controller has until 30th April to comply with the request. If 30th April falls on a weekend, or is a public holiday, the Data Controller has until the end of the next working day to comply.

The ICO says that, for practical purposes, if a consistent number of days is required (e.g. for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.

Data Controllers need to consider the implications of the revised ICO guidance on their SAR procedures and standard response letters.

You may also be interested in Susan’s Wolf’s blog on the latest case on subject access for paper records.

 

More on these and other developments in our GDPR update workshop presented by Ibrahim Hasan. Looking for a GDPR qualification? Our practitioner certificate is the best option.

Subject Access Requests for Paper Records

The old Data Protection Act 1998 not only gave Data Subjects a right to see their personal data held on computer but also that which was held on paper records which were held in a “relevant filing system”. A recent case, albeit under the DPA 1998,  has an impact on the way Data Controllers deal with subject access requests under the GDPR.

The question of what constitutes a “relevant filing system” under the DPA 1998 has always been a vexed one, particularly since the 2003 Court of Appeal ruling in Durant v Financial Services Authority [2003].  The Court of Appeal’s interpretation of this term has been criticised in various quarters for being too restrictive and particularly for focussing on the burdens and costs imposed on Data Controllers rather than the rights of the data subjects.  Therefore the recent decision by the High Court in in Dawson-Damer v Taylor Wessing LLP [2019]. May be welcomed by those who believe a more ‘rights- based’ approach is appropriate.

The case involved subject access requests made by Mrs Dawson-Damer and her two children to Taylor Wessing LLP (an English law firm). In short, the firm did not act for the Data Subjects, but it did hold personal data about them in a series of trust files in which they were potential beneficiaries. Taylor Wessing refused to provide their personal data, and this resulted in protracted litigation. One of the key questions that the High Court had to address was whether the Trust files constituted a “relevant filing system” for the purposes of the DPA 1998.  The Court also considered whether the law firm could rely on S. 8 of the DPA 1998 which removes the obligation on a  Data Controller to provide a copy of the personal data where it would involve disproportionate effort.

For further details of the Dawson-Damer request and the litigation that followed see our more detailed case note.

 The definition of relevant filing system under DPA 1998

Readers familiar with the DPA 1998 will recall that it defined:

  • Data as data processed or intended to be processed by equipment operating automatically and ‘manual’ data recorded as part of a ‘relevant filing system.
  • Personal as ‘data’ which relate to a living individual who can be identified from those data, or from that data and other information, which is in the possession of, or is likely to come into the possession of, the Data Controller.

In Durant, the Court of Appeal interpreted the concept of a ‘relevant filing system’ as a system of files in which the files forming part of it are:

  • Structured or referenced in such a way as clearly to indicate at the outset of a search whether the personal information of a person requesting the information is held within the system, and if so in which file or files it is held.
  • The structuring or referencing mechanism of the filing system had to be sufficiently sophisticated and detailed to indicate whether and where the requestors information could be located.

The key feature of this interpretation is the focus on the way in which the system is structured by reference to individuals and the ease with which specific information could be accessed. Personal data held in an unstructured manual filing system did not fall within the scope of the DPA 2018 (although there was an amendment for such data held by public authorities subject to FOI).

The Trust Files: Do they form part of a relevant filing system?

The case concerned a series of paper files that were held by Taylor Wessing prior to 2005, when it moved over to an electronic filing system. The manual files  were labelled by reference to the law firm’s clients or the respective Trusts and they contained correspondence and advice that was arranged chronologically. Taylor Wessing argued that the only way it could determine if the files contained the personal data of the requestors was to go through each file page by page and therefore the any personal data was not easily accessible. On this basis the law firm argued that the files did not form part of a “relevant filing system” as interpreted by the Court of Appeal in Durant.  The requestors argued that the files did form part of  relevant filing system and that the law firm had failed to carry out a reasonable and proportionate search of them.

The 2019 High Court decision

The High Court decided that in the light of recent domestic and European case law the decision in Durant was too restrictive and the requirements of a relevant filing system are that:

  1. The data must be structured by reference to specific criteria; and
  2. The criteria must be “related to individuals”; and
  3. The specific criteria must enable the data to be easily retrieved.

The Court decided that some 35 Trust files formed part of a relevant filing system.
They were filed under the description of the relevant Trust and the client is recorded as the Trustee. The files clearly related to Trusts in which the requestors were potential beneficiaries.  On this basis the  High Court was satisfied that this was sufficient to satisfy (a) and (b). Turning to point (c) the Court said that since the files were arranged chronologically this would of course require someone to ‘turn the pages’ of the files to locate the personal information. However, the Court did not think that this would be an onerous task and the search would enable the personal data of the requestors to be easily retrieved. In any event the Court acknowledged that the law firm must have done this exercise in order to reach its conclusion that the majority of the personal data it held was subject to legal professional privilege.

 For details about the Court’s reasoning see our more detailed case note.

The disproportionate effort issue

The High Court rejected the law firm’s arguments that a search through the files would involve a disproportionate effort. The decision makes it very clear that the onus is on the Data Controller to provide evidence about the time and cost involved in conducting searches. Taylor Wessing had failed to do this.

Implications of the decision

The case was considered under the DPA 1998. The GDPR and DPA 2018 now provide a subtly different definition of a filing system. However, the case shows that the approach of the Courts to the interpretation of data protection laws is more focussed on the rights of data subjects rather than the burdens faced by Data Controllers. It is also clear that Data Controllers need to produce clear evidence in terms of time and costs if they wish to argue it would involve disproportionate effort to supply personal data. This will impact on the way subject access requests (and other rights) are dealt with under GDPR. Article 12(5) allows Data Controllers to refuse requests where they are “manifestly unfounded or excessive.” The burden of demonstrating this is on the Data Controller.

 

Susan Wolf is a trainer with Act Now. More on these and other developments in our GDPR Update workshop. Looking for a GDPR qualification, our practitioner certificate is the best option.

Act Now launches GDPR Policy Pack

The first fine was issued recently under the General Data Protection Regulation (GDPR) by the Austrian data protection regulator. Whilst relatively modest at 4,800 Euros, it shows that regulators are ready and willing to exercise their GDPR enforcement powers.

Article 24 of GDPR emphasises the need for Data Controllers to demonstrate compliance through measures to “be reviewed and updated where necessary”. This includes the implementation of “appropriate data protection policies by the controller.” This can be daunting especially for those beginning their GDPR compliance journey.

Act Now has applied its information governance knowledge and experience to create a GDPR policy pack containing essential documentation templates to help you meet the requirements of GDPR as well as the Data Protection Act 2018. The pack includes, amongst other things, template privacy notices as well as procedures for data security and data breach reporting. Security is a very hot topic after the recent £500,000 fine levied on Equifax by the Information Commissioner under the Data Protection Act 1998.

We have also included template letters to deal with Data Subjects’ rights requests, including subject access. The detailed contents are set out below:

  • User guide
  • Policies
    • Data Protection Policy
    • Special Category Data Processing (DPA 2018)
    • CCTV
    • Information Security
  • Procedures
    • Data breach reporting
    • Data Protection Impact Assessment template
    • Data Subject rights request templates
  • Privacy Notices
    • Business clients and contacts
    • Customers
    • Employees and volunteers
    • Public authority services users
    • Website users
    • Members
  • Records and Tracking logs
    • Information Asset Register
    • Record of Processing Activity (Article 30)
    • Record of Special Category Data processing
    • Data Subject Rights request tracker
    • Information security incident log
    • Personal data breach log
    • Data protection advice log

The documents are designed to be as simple as possible while meeting the statutory requirements placed on Data Controllers. They are available as an instant download (in Word Format). Sequential files and names make locating each document very easy.

Click here to read sample documents.

The policy pack gives a useful starting point for organisations of all sizes both in the public and private sector. For only £149 plus VAT (special introductory price) it will save you hours of drafting time. Click here to buy now or visit or our website to find out more.

Act Now provides a full GDPR Course programme including one day workshops, e learning, healthchecks and our GDPR Practitioner Certificate. 

Exit mobile version
%%footer%%