In the landmark case FT v. DW (Case C 307/22), the Court of Justice of the European Union (CJEU), delivered a ruling that sheds light on the intricacies of data subject access requests under the EU General Data Protection Regulation (GDPR). The dispute began when DW, a patient, sought an initial complimentary copy of their dental medical records from FT, a dentist, citing concerns about possible malpractice. FT, however, declined the request based on German law, which requires patients to pay for copies of their medical records. The ensuing legal tussle ascended through the German courts, eventually reaching the CJEU, which had to ponder three pivotal questions. These are detailed below.
Question 1: The Right to a Free Copy of Personal Data
The first deliberation was whether the GDPR mandates healthcare providers to provide patients with a cost-free copy of their personal data, irrespective of the request’s motive, which DW’s case seemed to imply was for potential litigation. The CJEU, examining Articles 12(5) and 15(3) of the GDPR and indeed Recital 63, concluded that the regulation does indeed stipulate that the first copy of personal data should be free and that individuals need not disclose their reasons for such requests, highlighting the GDPR’s overarching principle of transparency.
Question 2: Economic Considerations Versus Rights under the GDPR
The second matter concerned the intersection of the GDPR with pre-existing national laws that might impinge upon the economic interests of data controllers, such as healthcare providers. The CJEU assessed whether Article 23(1)(i) of the GDPR could uphold a national rule that imposes a fee for the first copy of personal data. The court found that while Article 23(1)(i) could apply to laws pre-dating the GDPR, it does not justify charges for the first copy of personal data, thus prioritizing the rights of individuals over the economic interests of data controllers.
Question 3: Extent of Access to Medical Records
The final issue addressed the extent of access to personal data, particularly whether it encompasses the entire medical record or merely a summary. The CJEU clarified that according to Article 15(3) of the GDPR, a “copy” entails a complete and accurate representation of the personal data, not merely a physical document or an abridged version. This means that a patient is entitled to access the full spectrum of their personal data within their medical records, ensuring they can fully verify and understand their information.
Conclusion
The CJEU’s decision in FT v DW reaffirms the GDPR’s dedication to data subject rights and offers a helpful interpretation of the GDPR. It highlights the right of individuals to a free first copy of their personal data for any purpose, refuting the imposition of fees by national law for such access, and establishing the right to a comprehensive reproduction of personal data contained within medical records. The judgement goes on to say the data must be complete even if the term ‘copy’ is used as well as being contextual and intelligible as is required by Article 12(1) of the GDPR.
We will be examining the impact of this on our upcoming Handling SARs course as well as looking at the ruling in our GDPR Update course. Places are limited so book early to avoid disappointment.
A recent High Court judgment highlights the importance of data controllers treating personal data in their possession with care and in accordance with their obligations under the General Data Protection Regulation (GDPR). Failure to do so will also expose them to a claim in the tort of misuse of private information.
The Facts
In Yae Bekoe v London Borough of Islington [2023] EWHC 1668 (KB) the claimant, Mr. Bekoe, had an informal arrangement with his neighbour to manage and rent out flats on her behalf, with the income intended to support her care needs. In 2015, Islington Council initiated possession proceedings against Mr Bekoe. During the proceedings, the council submitted evidence to the court, including details of Mr. Bekoe’s bank accounts, mortgage accounts, and balances. This provided a snapshot of Mr. Bekoe’s financial affairs at that time. Some of this information, it appears, was held internally by the Council, and disclosed by one department to another for the purpose of “fraud” whilst other information was received after making a court application for disclosure by the bank and Mr Bekoe. Subsequently, Mr. Bekoe filed a claim against Islington Council, alleging the misuse of his private information and a breach of the GDPR. Amongst other things, he argued that the council obtained his private information without any legal basis. Mr. Bekoe also claimed that the council failed to comply with its obligations under the GDPR in responding to his Subject Access Request (SAR). He made the request at the start of the legal proceedings, but the council’s response was delayed. Mr Bekoe also claimed that the council was responsible for additional GDPR infringements including failing to disclose further data and destroying his personal data in the form of the legal file which related to ongoing proceedings.
The Judgement
The judge awarded Mr. Bekoe damages of £6,000 considering the misuse of private information, the loss of control over that information, and the distress caused by the breaches of the GDPR. He ruled that the information accessed went beyond what was necessary to demonstrate property-related payments. Regarding the breach of the GDPR, the judge concluded that:
The council significantly breached the GDPR by delaying the effective response to the subject access request for almost four years.
There was additional personal data belonging to Mr. Bekoe held by the council that had not been disclosed, constituting a breach of the GDPR.
While the specifics of the lost or destroyed legal file were unclear, there was a clear failure to provide adequate security for Mr. Bekoe’s personal data, breaching the GDPR.
Considering the inadequate response to the subject access request, the loss or destruction of the legal file, and the failure to ensure adequate security for further personal data, the council breached Mr. Bekoe’s GDPR rights under Articles 5 (data protection principles), 12 (transparency), and 15 (right of access).
The Lessons
Whilst this High Court decision is highly fact-specific and not binding on other courts, it does demonstrate the importance of ensuring there is a sound legal basis for accessing personal data and for properly responding to subject access requests. Not only do individuals have the right to seek compensation for breaches of the UK GDPR, including failures to respond to subject access requests, the Information Commissioner’s Office (ICO) can take regulatory action which may include issuing reprimands or fines. Indeed, last September the ICO announced it was acting against seven organisations for delays in dealing with Subject Access Requests (SARs). This included government departments, local authorities, and a communications company.
This and other GDPR developments will be discussed in our forthcoming GDPR Updateworkshop.
Dame Alison Rose, the CEO of NatWest, resigned on Wednesday morning after being accused of leaking information on Nigel Farage’s bank account to the BBC. Following a GDPR subject access request, the ex-UKIP leader received information from the bank that contradicted its justification for downgrading his account. Some say that this incident highlights the power of data protection rights, while others argue that Dame Alison was forced to resign as a result of Mr Farage’s continued influence over the Government. The truth is probably a mix of the two.
Background
In a Twitter post on 29th June, Mr Farage said his bank (who we now know to be Coutts) had decided to stop doing business with him. He said that a letter from the bank contained no explanation and he had then been told over the phone that it was a “commercial decision”. Mr Farage claimed he was being targeted because the “corporate world” had not forgiven him for Brexit.
On 4th July, a BBC report claimed that the real reason the bank did not want his custom was because Mr Farage did not have enough money in his accounts. Coutts requires clients to have at least £1m in investments or borrowing or £3m in savings. The BBC reported that Mr Farage’s political opinions were not a factor in the decision, but this turned out not to be the case.
Mr Farage submitted a Subject Access Request (SAR) to Coutts. The response contained a 40-page document, published by the Daily Mail, detailing all of the evidence Coutts accumulated about him to feed back to its Wealth Reputational Risk Committee. It revealed staff at the bank spent months compiling evidence on the “significant reputational risks of being associated with him”. It said continuing to have Mr Farage as a customer was not consistent with Coutts’ “position as an inclusive organisation” given his “publicly stated views”. Several examples were cited to flag concerns that he was “xenophobic and racist”, including his comparing Black Lives Matter protesters to the Taliban and his characterisation of the RNLI as a “taxi-service” for illegal immigrants.
On 24th July, the BBC issued an apology to Mr Farage. It’s business editor Simon Jack also tweeted his apology, saying the reporting had been based on information from a “trusted and senior source” but “turned out to be incomplete and inaccurate”. This source later turned out to be Dame Alison. The Telegraph reported Dame Alison sat next to Simon Jack at charity dinner the day before the BBC story was published.
Dame Alison resigned after days of mounting pressure. The resignation was expected in the wake of briefings by Downing Street that she had lost the confidence of the Prime Minister and Chancellor. The Government owns a 38.6% in NatWest, the owner of Coutts.
The Data Protection Angle
The Information Commissioner, John Edwards, has issued a statement emphasising the importance of banks’ duty of confidentiality and the need for Coutts to be able to response to Mr Farage’s complaint. Mr Edwards has also written to UK Finance to remind them of their responsibilities on information they hold.
It is arguable that Dame Alison, or more accurately Coutts as the Data Controller, breached the UK GDPR which requires, amongst other things, for personal data to be processed fairly, lawfully and in a transparent manner. That is assuming she disclosed personal data about a client to a journalist without consent or lawful authority. Dame Alison has said she did not reveal any personal financial information about Mr Farage, but admitted she had left Simon Jack “with the impression that the decision to close Mr Farage’s accounts was solely a commercial one.” She said she was wrong to respond to any question raised by the BBC about the case.
Has Dame Alison committed a criminal offence under S.170 of the DPA 2018; that of unlawfully disclosing personal data without the consent of the Data Controller? This is unlikely as, being the head of the bank, her views and that of the controller would in effect be the same. Were others in Coutts to argue otherwise, there are a number of “reasonable belief” defences available to her.
Many think this row is more about politics than confidentiality or banking. Labour MP Darren Jones has queried why the Prime Minister is intervening on one man’s bank account. He posted a string of other examples where he says the government has not intervened going on to give his reasons for the Government’s stance.
The Power of Subject Access
Whatever you think of Nigel Farage’s political views, this incident shows that the subject access right is a powerful tool which can be used by individuals to discover the truth behind decisions which affect their lives and to challenge them.
Article 15 of the UK GDPR allows a data subject to receive all their personal data that is held by a Data Controller, subject to certain exemptions. This does not just include official documentation but also emails, comments and any other recorded discussions, whether they are professionally expressed or not. Coutts have now apologised for some of the language used about Farage describing it as “deeply inappropriate”. A high profile individual’s use of GDPR rights also reminds the normal public of the same rights. The BBC reports that NatWest has now received hundreds of subject access requests from customers.
On the same day as Dame Alison announced her resignation, Sky News reported the story of a woman who alleges that she was drugged and sexually assaulted while being held in custody by Greater Manchester Police. Zayna Iman has obtained bodycam and CCTV footage which is supposed to cover the 40 hours from when she was arrested and covering her detention in police custody. From that period, there are three hours of missing footage which GMP have so far failed to supply without any explanation. Miss Iman’s allegations are the subject of an ongoing investigation and referral to the Independent Office for Police Conduct.
Back to the Nigel Farage case and there is an irony here; Mr Farage was able to challenge the bank’s decision by using a right which originates in EU law; the UK GDPR being our post Brexit version of the EU GDPR!
GDPR has introduced some new Data Subject rights including the right to erasure and data portability. The familiar right of Subject Access though still remains albeit with some additional obligations. Last week the Information Commissioner’s Office (ICO) published its long awaited right of access detailed guidance following a consultation exercise in December. The guidance provides some much needed clarification on key subject access issues Data Controllers have been grappling with since May 2018.
Reasonable Searches
Sometimes Data Subjects make subject access requests with the aim of creating maximum work for the recipient. “I want to see all the documents you hold which have my name in them, including e mails” is a common one. How much effort has to be made when searching for such information? The new guidance states that Controllers should make reasonable efforts to find and retrieve the requested information. However, they are “not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information.” Factors to consider when determining whether searches may be unreasonable or disproportionate are:
the circumstances of the request;
any difficulties involved in finding the information; and
the fundamental nature of the right of access.
Thus there is no obligation to make every possible effort to find all instances of personal data on the Data Controller’s systems. However, the burden of proof is on Controllers to be able to justify why a search is unreasonable or disproportionate.
Stopping the Clock
Data Controllers have one month to respond to a subject access request. Normally this period starts from the day the request is received. Previously the ICO guidance stated that the day after receipt counted as ‘day one’. They revised their position last year following a Court of Justice (CJEU) ruling.
Data Controllers can ask the Data Subject to clarify their request, if it is unclear what they want, but this often leaves little time to meet the one month deadline. Having considered consultation responses, the ICO’s position now is that where a request requires clarification, in certain circumstances, the clock can be stopped whilst Controllers are waiting for clarification.
Manifestly Unfounded and Excessive
Article 12(5) of GDPR allows Data Controllers to refuse a Data Subject request or charge a fee whereit is “manifestly unfounded or excessive.” The burden of proving this is on the Controllers whose staff often struggle with these concepts. The ICO has now provided additional guidance on these terms.
A request may be manifestly unfounded if:
The individual clearly has no intention to exercise their right of access; or
The request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption. For example, the individual:
explicitly states, in the request itself or in other communications, that they intend to cause disruption;
makes unsubstantiated accusations against you or specific employees which are clearly prompted by malice;
targets a particular employee against whom they have some personal grudge; or
systematically sends different requests to the Controller as part of a campaign, e.g. once a week, with the intention of causing disruption.
To determine whether a request is manifestly excessive Data Controllers need to consider whether it is clearly or obviously unreasonable. They should base this on whether the request is proportionate when balanced with the burden or costs involved in dealing with the request. This will mean taking into account all the circumstances of the request, including:
the nature of the requested information;
the context of the request, and the relationship between the Controller and the individual;
whether a refusal to provide the information or even acknowledge if the Controller holds it may cause substantive damage to the individual;
the Controller’s available resources;
whether the request largely repeats previous requests and a reasonable interval hasn’t elapsed; or
whether it overlaps with other requests (although if it relates to a completely separate set of information it is unlikely to be excessive).
The Fee
What can be included when charging a fee for manifestly unfounded or excessive requests? The new guidance says Data Controllers can take into account the administrative costs of:
assessing whether or not they are processing the information;
locating, retrieving and extracting the information;
providing a copy of the information; and
communicating the response to the individual
A reasonable fee may include the costs of:
photocopying, printing, postage and any other costs involved in transferring the information to the individual;
equipment and supplies (e.g. discs, envelopes or USB devices)
Staff time can also be included in the above based on the estimated time it will take staff to comply with the specific request, charged at a reasonable hourly rate. In the absence of relevant regulations under the Data Protection Act 2018, the ICO encourages Data Controllers to publish their criteria for charging a fee and how they calculate it.
Finally, the new ICO guidance emphasises the importance of preparation particularity the need to have:
Training for employees to enable them to recognise subject access requests;
Technical systems in place to assist with the retrieval of requested information.
Our Handling Subject Access Requests workshop is now available online. It covers all aspects of dealing with SARs including identifying and applyingexemptions. Looking for a GDPR Qualification? Final places left on our online GDPR PractitionerCertificate
Responding to the Covid-19 pandemic is stretching our public services. Most obviously the NHS is diverting all the resources it can to meeting critical health needs. But local authorities are also struggling to maintain vital services in the face of unprecedented demands and staff who, if not already ill and self-isolating, are obliged to comply with social distancing measures. Other public authorities are facing logistical challenges in maintaining services and some are even having to put some staff on HMRC-funded furlough.
In such challenging circumstances, where does dealing with information requests under Freedom of Information and DataProtection laws sit in the scheme of priorities? Many authorities who are fortunate enough to have staff dedicated to handling FOI requests or data subject access requests will have re-tasked them to undertake more business-critical roles. Where staff have information request handling as only part of their role, other more pressing duties are likely to trump FOI and DP timescales. And where staff are working from home and access to premises either discouraged or forbidden, manual records may remain inaccessible for weeks or months to come. Where requests are made by post, they may be delivered to offices which will not be staffed for some time.
The response of the Scottish Government has been robust. On 1 April 2020, the Scottish Parliament passed the Coronavirus (Scotland) Bill which, while retaining the statutory requirement to “respond promptly”, extends the timescale for responding to requests under the Freedom of Information (Scotland) Act 2002 from twenty to sixty working days. Moreover, Part 2 of Schedule 6 provides a mechanism for the Scottish Ministers to allow Scottish public authorities to extend the timescale, subject to providing written notice to the applicant, by a further forty working days, where the authority “determines that it is not reasonably practicable to respond to the request within the relevant period because of… (a) the volume and complexity of the information requested, or (b) the overall number of requests being dealt with by the authority at the time that the request is made.”
The emergency legislation also allows the Scottish Information Commissioner to find that a public authority has not failed in their duties under FOISA if he is satisfied that the failure to respond within timescales was due to the impact of coronavirus and reasonable in the circumstances. The Scottish Information Commissioner for his part is keen to remind public authorities that their duty to respond promptly remains, that the measures are temporary, and that they do not extend to the Environmental Information (Scotland) Regulations 2004 (EISR).
Of course, the Scottish Parliament cannot legislate with regard to data protection (where EU and UK legislation applies) nor can it amend the timescales for requests under the EISR as they implement the obligations of the Aarhus Convention. But as far as they can do so, the Scottish Government and Parliament have sought to relax the demands of information requests in the face of the pandemic.
For data subject access requests under GDPR (or s 45 of the Data Protection Act 2018 where they relate to law enforcement processing) and requests under the Freedom of Information Act 2000, there is no relaxation of the law. This was despite the call to do so from some quarters, including the Local Government Association who called on Parliament to include measures “temporarily relaxing the requirements on councils in regard to GDPR and FOI”. We rely instead on flexibility from the Information Commissioner as regulator.
While the UK Government did not take the opportunity of the Coronavirus Act to take extend time limits(and would be unable to do so in any case with regard to GDPR as we are still in the transition period), the ICO has made clear they will not penalise organisations who have made understandable decisions to prioritise other tasks. As they state on their website, “We are a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern. Regarding compliance with information rights work when assessing a complaint brought to us during this period, we will take into account the compelling public interest in the current health emergency.”
Organisations should therefore be reassured that they are unlikely to face official censure or significant public criticism if they make reasonable decisions to prioritise other tasks to protect and serve the public ahead of normal levels of service for FOI requests and subject access requests. If your organisation, almost inevitably, is finding it difficult to meet the timescales at this difficult time, we would suggest you take a common-sense and measured approach:
Make a record of your decisions to re-allocate resources from handling information rights requests to other service-delivery priorities;
Document the practical challenges (such as inaccessibility of manual records or post, and unavailability of key colleagues) which mean that it is “reasonable in all the circumstances” that the organisation is not able to meet normal levels of performance;
Manage the expectations of applicants through your website and in your acknowledgements of requests and your automated email responses, and continue to communicate with applicants as far as you are able to do so;
At the point at which your organisation, and the rest of humanity, is beginning to recover from the Covid-19 emergency, develop and document an action plan for addressing any backlog of requests which has built up.
At Act Now, we are passionate about the importance of information rights: They are at the heart of our democracy and our human rights. But the right to life must take priority over others, and we would be the first to recognise that organisations and individuals must make decisions which put people first, particularly at a time of global emergency.
Be kind and stay safe.
More on this and other developments in our FREE GDPR update webinar. Looking for a GDPR qualification from the comfort of your home office? Our GDPR Practitioner Certificate is now available as an online option.
The supplementary information mentioned above is the same as under section 7 of the DPA (e.g. information about the source and recipients of the data) but now also includes, amongst other things, details of international transfers, other Data Subject rights, the right to lodge a complaint with the ICO and the envisaged retention period for the data.
Time Limit
The DPA allowed Data Controllers 40 calendar days to respond to a SAR. Under GDPR Article 12, the requested information must be provided “without undue delay and in any event within one month of receipt of the request”. This can be extended by a further two months where the request is complex or where there are numerous requests. If this is the case, the Data Subject must be contacted within one month of the receipt of the request with an explanation of why the extension is necessary.
When does the one month to respond start from?
Previously the ICO guidance stated that the day after receipt counted as ‘day one’. This has now been revised following a Court of Justice of the European Union (CJEU) ruling.
It says that Data Controllers should calculate the time limit from the day they receive the request (whether it is a working day or not) until the corresponding calendar date in the next month. For example, a Data Controller receives a request on 3rd September. The time limit will start from the same day. This gives the Data Controller until 3rd October to comply with the request.
If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, Data Controllers have until the next working day to respond.
This means that the exact number of days Data Controllers have to comply with a request varies, depending on the month in which the request was made. For example, an organisation receives a request on 31st March. The time limit starts from the same day.
As there is no equivalent date in April, the Data Controller has until 30th April to comply with the request. If 30th April falls on a weekend, or is a public holiday, the Data Controller has until the end of the next working day to comply.
The ICO says that, for practical purposes, if a consistent number of days is required (e.g. for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.
Data Controllers need to consider the implications of the revised ICO guidance on their SAR procedures and standard response letters.
The old Data Protection Act 1998 not only gave Data Subjects a right to see their personal data held on computer but also that which was held on paper records which were held in a “relevant filing system”. A recent case, albeit under the DPA 1998, has an impact on the way Data Controllers deal with subject access requests under the GDPR.
The question of what constitutes a “relevant filing system” under the DPA 1998 has always been a vexed one, particularly since the 2003 Court of Appeal ruling in Durant v Financial Services Authority [2003]. The Court of Appeal’s interpretation of this term has been criticised in various quarters for being too restrictive and particularly for focussing on the burdens and costs imposed on Data Controllers rather than the rights of the data subjects. Therefore the recent decision by the High Court in in Dawson-Damer v Taylor Wessing LLP [2019].May be welcomed by those who believe a more ‘rights- based’ approach is appropriate.
The case involved subject access requests made by Mrs Dawson-Damer and her two children to Taylor Wessing LLP (an English law firm). In short, the firm did not act for the Data Subjects, but it did hold personal data about them in a series of trust files in which they were potential beneficiaries. Taylor Wessing refused to provide their personal data, and this resulted in protracted litigation. One of the key questions that the High Court had to address was whether the Trust files constituted a “relevant filing system” for the purposes of the DPA 1998. The Court also considered whether the law firm could rely on S. 8 of the DPA 1998 which removes the obligation on a Data Controller to provide a copy of the personal data where it would involve disproportionate effort.
For further details of the Dawson-Damer request and the litigation that followed see our more detailed case note.
The definition of relevant filing system under DPA 1998
Readers familiar with the DPA 1998 will recall that it defined:
Data as data processed or intended to be processed by equipment operating automatically and ‘manual’ data recorded as part of a ‘relevant filing system.
Personal as ‘data’ which relate to a living individual who can be identified from those data, or from that data and other information, which is in the possession of, or is likely to come into the possession of, the Data Controller.
In Durant, the Court of Appeal interpreted the concept of a ‘relevant filing system’ as a system of files in which the files forming part of it are:
Structured or referenced in such a way as clearly to indicate at the outset of a search whether the personal information of a person requesting the information is held within the system, and if so in which file or files it is held.
The structuring or referencing mechanism of the filing system had to be sufficiently sophisticated and detailed to indicate whether and where the requestors information could be located.
The key feature of this interpretation is the focus on the way in which the system is structured by reference to individuals and the ease with which specific information could be accessed. Personal data held in an unstructured manual filing system did not fall within the scope of the DPA 2018 (although there was an amendment for such data held by public authorities subject to FOI).
The Trust Files: Do they form part of a relevant filing system?
The case concerned a series of paper files that were held by Taylor Wessing prior to 2005, when it moved over to an electronic filing system. The manual files were labelled by reference to the law firm’s clients or the respective Trusts and they contained correspondence and advice that was arranged chronologically. Taylor Wessing argued that the only way it could determine if the files contained the personal data of the requestors was to go through each file page by page and therefore the any personal data was not easily accessible. On this basis the law firm argued that the files did not form part of a “relevant filing system” as interpreted by the Court of Appeal in Durant. The requestors argued that the files did form part of relevant filing system and that the law firm had failed to carry out a reasonable and proportionate search of them.
The 2019 High Court decision
The High Court decided that in the light of recent domestic and European case law the decision in Durant was too restrictive and the requirements of a relevant filing system are that:
The data must be structured by reference to specific criteria; and
The criteria must be “related to individuals”; and
The specific criteria must enable the data to be easily retrieved.
The Court decided that some 35 Trust files formed part of a relevant filing system. They were filed under the description of the relevant Trust and the client is recorded as the Trustee. The files clearly related to Trusts in which the requestors were potential beneficiaries. On this basis the High Court was satisfied that this was sufficient to satisfy (a) and (b). Turning to point (c) the Court said that since the files were arranged chronologically this would of course require someone to ‘turn the pages’ of the files to locate the personal information. However, the Court did not think that this would be an onerous task and the search would enable the personal data of the requestors to be easily retrieved. In any event the Court acknowledged that the law firm must have done this exercise in order to reach its conclusion that the majority of the personal data it held was subject to legal professional privilege.
For details about the Court’s reasoning see our more detailed case note.
The disproportionate effort issue
The High Court rejected the law firm’s arguments that a search through the files would involve a disproportionate effort. The decision makes it very clear that the onus is on the Data Controller to provide evidence about the time and cost involved in conducting searches. Taylor Wessing had failed to do this.
Implications of the decision
The case was considered under the DPA 1998. The GDPRand DPA 2018now provide a subtly different definition of a filing system. However, the case shows that the approach of the Courts to the interpretation of data protection laws is more focussed on the rights of data subjects rather than the burdens faced by Data Controllers. It is also clear that Data Controllers need to produce clear evidence in terms of time and costs if they wish to argue it would involve disproportionate effort to supply personal data. This will impact on the way subject access requests (and other rights) are dealt with under GDPR. Article 12(5) allows Data Controllers to refuse requests where they are “manifestly unfounded or excessive.” The burden of demonstrating this is on the Data Controller.
The first fine was issued recently under the General Data Protection Regulation (GDPR) by the Austrian data protection regulator. Whilst relatively modest at 4,800 Euros, it shows that regulators are ready and willing to exercise their GDPR enforcement powers.
Article 24 of GDPR emphasises the need for Data Controllers to demonstrate compliance through measures to “be reviewed and updated where necessary”. This includes the implementation of “appropriate data protection policies by the controller.” This can be daunting especially for those beginning their GDPR compliance journey.
Act Now has applied its information governance knowledge and experience to create a GDPR policy pack containing essential documentation templates to help you meet the requirements of GDPR as well as the Data Protection Act 2018. The pack includes, amongst other things, template privacy notices as well as procedures for data security and data breach reporting. Security is a very hot topic after the recent £500,000 fine levied on Equifax by the Information Commissioner under the Data Protection Act 1998.
We have also included template letters to deal with Data Subjects’ rights requests, including subject access. The detailed contents are set out below:
User guide
Policies
Data Protection Policy
Special Category Data Processing (DPA 2018)
CCTV
Information Security
Procedures
Data breach reporting
Data Protection Impact Assessment template
Data Subject rights request templates
Privacy Notices
Business clients and contacts
Customers
Employees and volunteers
Public authority services users
Website users
Members
Records and Tracking logs
Information Asset Register
Record of Processing Activity (Article 30)
Record of Special Category Data processing
Data Subject Rights request tracker
Information security incident log
Personal data breach log
Data protection advice log
The documents are designed to be as simple as possible while meeting the statutory requirements placed on Data Controllers. They are available as an instant download (in Word Format). Sequential files and names make locating each document very easy.
The policy pack gives a useful starting point for organisations of all sizes both in the public and private sector. For only £149 plus VAT (special introductory price) it will save you hours of drafting time. Click here to buy now or visit or our website to find out more.
In recognition of National Poetry day last week, that was my shockingly brilliant (!!) effort at a short rhyme in aid of this blog post. I know, stick to the day job right? (And yes, I know that we are in October and not May).
As the rhyme suggests however, I was indeed browsing the web and I did indeed come across an interesting legal case looking at rights of access and metadata in telecoms/internet providers in Australia. Something of particular relevance at the moment in the light of the Australian Government announcing its new Data Retention Law.
In the news article and legal case an Australian citizen, Mr Grubb, exercised his rights under the Australian Privacy Act 1988 to ask for all information Telstra (a phone company) held about him. His request specifically asked for the meta-data associated against him:
“…I’d like to request all of the metadata information Telstra has stored about my mobile phone service (XXX XXX XXX).
The metadata would likely include which cell tower I’m connected to at any given time, the mobile phone number of a text I have received and the time it was received, who is calling and who I’ve called and so on. I assume estimated longitude and latitude positions would be stored too. This is the type of data I would like to receive.”
Although Telstra provided some data to Grubb, it refused to hand over internet protocol address information, edited versions of incoming call records and website URL information stating that retrieving the information would take disproportionate effort and therefore was unreasonable.
The Commissioner supported Telstra in its exemption of some pieces of information to do with telephone numbers of 3rd parties, particularly where those numbers had registered with a Telephone Preference type service in Australia. Telstra argued that it had no effective method of determining those numbers and removing them from the list therefore the entire list of inbound numbers to the Data Subject’s telephone line would be exempt.
The Commissioner did however reject a number of claims made by Telstra about the difficulty in retrieving and linking data to a person’s identity. Telstra relied in part on this submission to argue that certain types of Grubb’s data was not “personal information” because it could not be linked to the Data Subject’s identity. However, the Commissioner in his decision drew attention to Telstra’s provision of data to law enforcement agencies to show that it has (and has used in the past) the ability to process and connect different types of metadata to individuals.
It’s also interesting that since the case was initiated Telstra’s approach to customer access to metadata has shifted significantly. Telstra customers will now be able to access the same metadata about them (save for shared information) that Telstra would provide to law enforcement agencies, on request without a warrant.
Now while Australia is a very long way away from Europe this case does pose some interesting questions. I ran a search online for cases where metadata was refused under a Subject Access Request (SAR) but could not find any in the public domain. As we all know there are a growing number of laws appearing that require telecoms companies to capture and store such metadata for government access but to date I’ve not seen a similar legal challenge whereby the data has been refused in a SAR.
For those that don’t have much experience with metadata the Oxford English dictionary defines metadata as “a set of data that describes and gives information about other data”. In this context, telecommunications data, is data that is associated with an account and its usage (e.g. masts used, websites visited, numbers called) which on their own do not automatically equate to personal data, but do so when associated with one number form the metadata of that persons account. Therefore it is personal data as it can identify them and/or be associated with them.
The current subject access request code of practice from the UK Information Commissioner’s Office doesn’t specifically talk about metadata being or not being personal data or in scope for a SAR. Based on the principles of the Data Protection Act 1998 (DPA) and the fact that such metadata can and is requested by law enforcement agencies and is used to identify you; I would argue that this is Personal Data, as defined by the Act, and should be provided to a requestor under subject access.
How does this sit under the current proposed EU Data Protection Regulation text(s)? Well, you won’t find the term “metadata” in the Regulation text anywhere so there won’t be a crystal clear stance on it. Instead we will need to look at the definition of Personal Data as proposed.
In the European Council’s text Chapter 1, Article 4 (1) it defines Personal Data as;
“any information relating to an identified or identifiable natural personal (“data subject an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person).”
So while the new proposed definition doesn’t specifically call out metadata it does seem to imply that it would be. For example, your mobile number and all data that can identify your location (phone mast data for example) would be considered Personal Data under that definition; which isn’t that far removed from DPA definition of Personal Data.
On that note, following a brief search online I have not been able to find any cases on SAR and telecoms in the public domain. I can find plenty of commentaries and a remotely similar financial services case. I would therefore be interested to see if anyone knows of one currently ongoing or that has been tested in the courts / tribunal so far to date?
Currently the UK Government is looking to revive the so-called “snooper’s charter” under the Draft Communications Data Bill. Therefore if government agencies are to spy / monitor / keep / ignore my personal data then I think that we should, at any point, see what that personal data is. I bet mine is really rather dull…but it’s my dull data dammit.
Scott Sammons an Information Risk and Security Officer in the Medico-Legal Sector and blogs under the name @privacyminion. Scott is on the Exam Board for the Act Now Data Protection Practitioner Certificate.
Read more about the EU Data Protection Regulation. Attend our full day workshop.
