The ICO (the UK privacy regulator) has published draft guidance on the right of individuals under the GDPR to access their data. Key takeaways include:
- An acknowledgement that subject access requests can be burdensome, with a requirement to ‘make extensive efforts’ to locate and retrieve information and confirmation that a significant burden does not make a request ‘excessive’;
- A warning against companies asking for proof of identity as a matter of course when there is no reason to doubt the requestor’s identity; and
- Confirmation that it is possible to consider the intention or motive behind a subject access request when assessing whether or not it is possible to refuse to comply.
The right of access, or subject access, is recognised as a fundamental right given to data subjects under the GDPR, whereby they are entitled to obtain a copy of their personal data by virtue of Article 15 of the GDPR. However, as with many areas of the GDPR, such as the extra-territorial effect of the regulation, guidance for entities on how they are expected to prepare and react to such requests has been long awaited.
Given that, particularly for large organisations or organisations with complex IT systems/IT supply chains, responding to access requests can be difficult and time consuming, guidance from the ICO on what level of search controllers are expected to undertake and what a response to a subject access request might look like is nonetheless welcome.
Useful Tips from the ICO
On 4 December 2019, the ICO released draft guidance on subject access rights, alongside a consultation which will be open until 12 February 2020. At 77 pages, the guidance is a relatively in-depth read. See below our summary of some of the most interesting, helpful, practical tips from the ICO’s draft guidance:
- As it is the controller who is required to respond to subject access requests, joint controllers need to have transparent arrangements in place which set out who will deal with and respond to subject access requests;
- Controllers must take appropriate steps in anticipation of subject access requests such as training staff on how to recognise requests, appointing a specific person to respond to requests, and producing a standard checklist that staff can use to ensure a consistent approach to SARs across the company;
- It is not appropriate to respond to a request via social media (even though the request may have been received via that channel) for information security reasons – ask for an alternative contact channel for ongoing communications;
- If you have doubts about the identity of the person making the request, you can ask for enough ID information to decide whether the requestor is the person the data is about – the key is to be reasonable about what ID you ask for, bearing in mind that the level of checks you undertake may depend on the level of harm that might occur if personal data were disclosed to the wrong person;
- If a third party makes a request on someone else’s behalf it is the third party’s responsibility to provide evidence of their authority to make the request – if there is no evidence of their authority, you are not required to respond to the request;
- Counting time – if the date on which you are supposed to respond falls on a weekend or a public holiday, you have until the next working day to respond;
- When a request is complex, the timeframe for response may be extended – importantly, requests that involve a large volume of information may add to the complexity of a request. However, a request is not complex solely because the individual has requested a large amount of information. Factors which might indicate a request is complex include: (i) technical difficulties in retrieving the information; (ii) applying an exemption that involves large volumes of “particularly sensitive information” and (iii) if specialist work is involved in redacting information;
- Controllers are required to make extensive efforts to find and retrieve the requested information – difficulty finding data is not sufficient to relieve a controller of its regulatory obligations;
- Although you may ask a requester to specify the information or processing activities their request relates to, he/she is entitled to ask for ‘all the information you hold’ about them;
- There is no ‘technology exemption’ from the right of access and backed-up data still needs to be located – the ICO expects you to have procedures in place to find and retrieve backed-up data;
- Although subject access requests are generally motive blind, there are some interesting examples of when they may be considered ‘manifestly unfounded’ and therefore able to be refused – for example, when the individual clearly has no intention to exercise their right of access, or when the request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption;
- When relying on an exemption, you should justify and document your reasons for doing so, so that you can demonstrate your compliance;
- Insights about an individual’s behaviour which are based on a data subject’s use of your service are personal data and are also subject to the right of access; and
- Failure to comply with a subject access request could result in a complaint to the ICO and enforcement action. The requesting individual could also apply to the court for a court order requiring you to comply.
The ICO consultation
The consultation is open until 12 February 2020. In particular, the ICO is seeking feedback on whether enough detail is provided and on the examples given. Interestingly, the ICO appears interested in including a wide variety of examples in relation to “manifestly unfounded or excessive” subject access requests (which controllers are permitted to charge a fee for responding to, or to refuse to act upon) across various sectors, and is asking respondents to provide examples of what they consider to be a manifestly unfounded or excessive request.