The arrival of the General Data Protection Regulation (GDPR) has given the “right of access” a new lease of life this year with many organisations, no doubt seeing an increase in requests for access to information.
In Ireland, the right of access has been in existence since the commencement of the data protection Act 1988, So one would assume that everyone is prepared to some degree by having pre-existing, effective policies and procedures in place for dealing with the now more commonly known “Subject Access Request (SAR)”. That would be ideal of course, however, we all know there are many organisations who will wait for that request to land in their inbox before they take action, if any at all!
From the 25th May 2018, according to Article 15 of the GDPR, a data subject (employee, customer, client or patient, for example), shall have the right to obtain information from the Controller who is defined by the GDPR as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” Art.4(GDPR).
It is important to have established by now whether your company is a Controller or a Processor. The data subject may request the purposes of the processing of his/her information, the categories of data concerned and finally the recipients to whom this data may or intend to be disclosed to, not forgetting cross-border data transfers, if this is applicable to your organisation.
How have Access Requests changed under the GDPR?
1. Time to Respond
This marks a key change. Subject Access Requests should be responded to without undue delay and no later than one month from receipt. If your Data Protection Officer/HR Department are prepared and have the adequate resources in place, such a turnaround time should not pose any issue, however, with the GDPR bringing a renewed interest in Subject Access Requests, it is imperative that an already pressured HR department does not become overstretched by demand and that careful planning and procedures are in place.
Should organisations be faced with Subject Access Requests that are complex or numerous, they may now seek a time extension of a further two months, provided they issue notice, to the data subject in question, within one month of receiving the request.
2. Subject Access Request Fees
Organisations will no longer be able to charge a nominal fee for the administrative costs involved in the process of sourcing, redacting third-party information and the final disclosure of the information to the data subject.
There is however, one exception to this. Should your organisation receive a request that is deemed to be “manifestly unfounded or excessive”, you may be able to apply a fee for dealing with such a request to cover additional administrative costs you may incur.
3. Unfounded and Excessive Subject Access Requests
When a Subject Access Request (SAR) is deemed to be unfounded or excessive by nature, it is commonly found with organisations who process vast volumes of data. In such cases, organisations may wish to seek clarification regarding the exact information, the data subject is seeking to evaluate prior to making a final call of “manifestly unfounded or excessive”.
Relying on this option as a get out clause is not advised. It is important to remember that granting individuals access to their data to verify the lawfulness of its processing, is a fundamental human right, so it is very unlikely that you would be able to avoid your responsibilities following a valid request.
Aside from Unfounded and Excessive requests, it important to remember that you can also outright refuse a data subject request , provided that you inform the data subject of the reason for refusal and also advise them regarding their right to make a complaint to the relevant supervisory authority (The Office of the Data Protection Commissioner). This communication should be made with undue delay or at the latest within one month of the request.
4. Automated and Manual Data
Regarding manual data, the important phrase here is “relevant filing system”. If we are to consider a large organisation for example with manual filing systems/cabinets, in addition to digital filing options, are the Manual Filling Systems structured in the following way?
- Does the data form part of set? Index? Department? Subject Matter?
- Is the set structured by reference to the individual or by relevant criteria? Name or ID for example?
- Is the data readily accessible and required during day-day undertakings?
If the data is structured as discussed above, then it is eligible and should be considered in conjunction with automated data prior to responding to a data subject request.
Like all legislation, there are of course exemptions, some of which may or may not be applicable to your organisation. The following is a selection of some of the key exemptions: (please see Section 60(6) of the Data Protection Act 2018 for the full list)
- Data relating to a third party. (Art15(4))
- Confidential expressions of opinion. Section 60 (3)(b) Data Protection Act.
- Data kept for the purpose of prevention, investigation, detection, and prosecution of criminal offences where release of data would be prejudicial (Section 60(3)(a)(vi) Data Protection Act).
- Data Consisting of estimate or kept for purpose of estimating liability in respect of claim (Section 60(3)(a)(vi) Data Protection Act.
- Legal Professional privilege.
- Contempt of Court.
- Manifestly unfounded or excessive requests (Art 12(5) GDPR) as discussed above.
- Health Data, Section 68(2), if release were to cause serious harm to physical or mental health.
Prepare for Subject Access Requests
It is clear to see that the overall structure and process for making and responding to subject access requests (SARs) remains relatively unchanged since the data protection Act 2018. However, careful consideration should be given to how your organisation could perhaps manage this process more effectively. Assuming appropriate retention periods have been adhered to, all eligible information will require sourcing and careful preparation prior to release. It is imperative therefore, that adequate resources, be they financial or people-power, are in place, to complete the process from receipt of request to completion. Companies should endeavour to take reasonable and proportionate steps throughout the entire process.
Note: Atlantic Compliance Ltd. is a data protection consultancy company providing services such as GDPR audits, gap analysis, data breach and subject access request management services as well as GDPR preparation workshops, online staff awareness training and an outsourced DPO service. Learn more at www.atlanticcompliance.eu