Fri 03 Jan 2020

5 ways to deal more effectively with subject access requests

In the wake of GDPR coming into force, employers are finding themselves dealing with subject access requests on a much more regular basis. Of the 41,000 concerns raised to the ICO by members of the public in the first 12 months of GDPR, over a third of those concerns (38%) related to subject access requests. How then can you better prepare your organisation to deal with SARs? Here are five potential steps that should be considered by employers in seeking to deal effectively with subject access requests:

1. Have a clear process to follow when a SAR arrives

As we know, the timescale for complying with a SAR is short (without undue delay and within one calendar month). It is therefore vital that you are able to recognise a SAR in the first place. An individual doesn't need to use the words "subject access request", they don't need to submit a particular form and they don't even have to make a request in writing, so long as it's clear they are requesting their information which you hold. Whenever any such request is made, all staff should know to pass it on immediately to whoever is responsible for data protection (or in their absence, whoever is designated). At the outset, you should also consider if you need to seek appropriate proof of identity in relation to the person making the request, so you are satisfied they are who they say they are.

2. Clarify the request made where necessary

In some cases, it will be very obvious what information is requested and this will be easy enough to locate. However, in other cases, a request might be very general or wide-ranging in nature. Where this might involve a "large quantity" of information, GDPR recognises that you may need to ask an individual to specify the information or activities the request relates to before complying. However, this cannot be used as a delaying tactic and if the individual does not wish to further specify or narrow the scope of their request, you must still try to comply with their request, even if this means providing a large amount of information.

In many cases, individuals may well be willing to restrict the scope of requests either by date-range or by subject-matter (or in relation to emails, by sender or recipient), so it is often worthwhile at the outset looking to clarify the scope of a wide or generic request. If a request is particularly complex, you may extend the timescale for compliance by up to a further two months, but you must let the individual know this (and the reason why further time is required) within the standard timescale of one month. The circumstances you can refuse to comply with a request (where it is "manifestly unfounded" or "excessive") are interpreted very narrowly by the ICO and will rarely arise in HR practice.

It is also worth mentioning that individuals don't have to provide any reason for making a request. It has been accepted by the courts that a motive of making a subject access request with a view to or as part of litigation (which is now a common tactic seen in practice) is irrelevant to the validity of a request.

3. Carry out proportionate searches

It is clear from both ICO Guidance and from case law that you need to be prepared to make "extensive efforts" to find and retrieve the information sought. Preferably, information should be held on your IT systems in such a way that it can be readily searched for information relating to particular individuals. You are expected to search those areas where the information requested is most likely to be found, using appropriate search identifiers. However, this is not a case of leaving "no stone unturned" and you are not expected to go to disproportionate efforts to locate information (e.g. to try and forensically recover deleted information). A related point is that you should look to ensure, more broadly, that any retention periods you have specified are being applied in practice, so when a SAR is received, no unnecessary work has to be undertaken. However, once a SAR is received, while routine updating is still permitted (e.g. an annual exercise asking employees to check/update their personal details held), it is a criminal offence to alter or erase personal data with the intention of preventing disclosure.

4. Be clear on what individuals are entitled to receive

Keep in mind that individuals are entitled to receive only information which is their "personal data" - i.e. it somehow relates to or is about them. To take an obvious example, the mere fact that an email has been sent to a team of people, including one individual, does not make the content of the email that individual's "personal data" falling within the scope of a SAR (unless the content relates to or is about them as an individual).

Similarly, a common misconception that can arise is that there is no right to be provided with copies of particular documents or emails. The right of subject access is to information amounting to "personal data"; so while a common approach is to redact emails or other documents so that only the part relevant to the individual is provided, it is perfectly permissible for you to extract the relevant information into a separate format which can then be provided instead.

Note that as well as information amounting to their "personal data" you must also provide individuals with certain other prescribed information (which largely corresponds to the information you should already provide in a privacy notice). This includes, for example, the purposes of processing, the categories of personal data, the relevant sources of and recipients of their personal data, and their individual rights. In many cases, you may be able to make reference to your existing privacy notice to address these aspects.

You should also keep in mind the exemptions that apply, including in relation to professional legal privilege, confidential employment references and also where disclosure would cause prejudice to management forecasting or planning (e.g. a proposed restructure affecting the individual) or negotiations with the individual (e.g. where a protected conversation or settlement agreement is under discussion).

5. Ensure you protect the rights of third parties.

This can often be the trickiest area of subject access requests - where providing information would also disclose personal data relating to a third party (often a manager or work colleague) and where redaction would be insufficient to protect their identity. In this situation, the law is clear that you are not obliged to provide that information unless either (a) you have the consent of the third party or (b) it is reasonable to provide the information without consent.

While there is no obligation to seek consent, it will normally be advisable to do so and means that you will then be better able to take into account any express refusal of consent and any reasons given for this, as part of considering whether it is still "reasonable" to disclose. In effect, that requires you to carry out a balancing exercise in relation to whose rights ought to prevail. In carrying this out, you need to take into account all of the relevant circumstances including the type of information, any duty of confidentiality owed, any steps taken to seek consent and any express refusal of consent. Other factors might include the importance or significance of the information to the individual, whether it has adversely affected them, whether they might dispute the content and whether it is already known to them.

With all indications being that employers are set to continue receiving more subject access requests than ever before, following a consistent and structured approach each time to "standardise" the process so far as possible, is likely to help manage risk and build confidence overall in dealing with such requests when they arise.

Make an Enquiry

From our offices we serve the whole of Scotland, as well as clients around the world with interests in Scotland. Please complete the form below, and a member of our team will be in touch shortly.

Morton Fraser MacRoberts LLP will use the information you provide to contact you about your inquiry. The information is confidential. For more information on our privacy practices please see our Privacy Notice