Section 7(1) of the Data Protection Act 1998 (the ‘Act’) gives individuals the right to access their personal data (subject access data). By making a written request and paying a fee, an individual is entitled to see
- the information which is the personal data; and
- any information available to the data controller about the source of the data.
Subject access requests allow individuals to ask organisations about what information they hold about them. If any information is held, the organisation will usually be required to supply copies to the individual making the request. Generally, organisations are obliged to respond to any requests within 40 days of receiving that request.
The Information Commissioners Office (ICO), who regulates data controllers, who amongst other things requires compliance with the Data Protection Act 1998 and the Freedom of Information Act, receives a substantial number of complaints by individuals who believe that their subject access requests have not been dealt with correctly. Over the last financial year, 6,000 such complaints were made.
The subject access code of practice explains the rights that individuals have to access their personal data, and sets out the obligations of data controllers.
The Information Commissioner’s Office ("the ICO") has published guidance to assist organisations in dealing with requests from individuals for their data.
In order to assist organisations in responding to subject access requests, the ICO has outlined ten steps for organisations to consider:
- Identify whether a request needs to be considered as a subject access request;
- Obtain enough information to be sure of the requester’s identity;
- Ask the requester at an early stage if more information is required to assess their request;
- Check that the information the requester wants is available;
- Consider whether the records contain information about other people;
- Do not make any changes to the records, even if they are inaccurate;
- Explain any complex terms or codes that are included in the information. Organisations should ensure that the information can be understood by the requester; and
- If the organisation is charging a fee to deal with the request, this should be asked for promptly. Organisations are permitted to charge a fee of up to £10, unless the request relates to medical or educational records;
- Consider whether any exemptions apply. The exemptions include information held for the purposes of crime and taxation, certain types of management planning information and information that may prejudice negotiations with the requester;
- Where appropriate, provide the response in a permanent form unless the supply of such a copy is not possible or would involve disproportionate effort, or the data subject agrees otherwise.
According to the ICO’s new code, businesses must "make extensive efforts to find and retrieve the requested information". However, companies are not obliged to carry out an "unreasonable or disproportionate" search for information in order to disclose data under in accordance with individuals’ subject access rights, it said.
The Data Protection Act does not limit the number of SARs an individual can make to any organisation. However, in terms of the ICO’s guidance, "The Act says you are not obliged to comply with an identical or similar request to one you have already dealt with, unless a reasonable interval has elapsed between the first request and any subsequent ones."
You need to consider the "nature of the data" being sought, such as its sensitivity; the purposes for which it is processed, including whether the processing is "likely to cause detriment (harm) to the requester"; and how often data is altered when determining whether there is a need to respond to a repeat SAR.
In considering a complaint about a SAR, the ICO will have regard to the volume of requests received by an organisation, the organisation’s size and the steps it has taken to ensure requests are dealt with appropriately even in the face of a high volume of similar requests.
Another important area to consider when dealing with subject access requests is often responding to such subject access requests may involve providing information relating to another individual (a ‘third party individual’). For instance, if the requested information is a personnel file on an employee, it may contain information identifying managers or colleagues who have contributed to (or are discussed in) that file. This may lead to a conflict between the requesting employee’s right of access and the third party’s rights over their own personal information.
Section 7(4) of the Act provides that if you cannot comply with the request without disclosing information relating to another individual who can be identified from that information, then you do not have to comply with the request unless:
- the third party has consented to the disclosure; or
- it is reasonable in all the circumstances to comply with the request without the consent of the third party individual.
The questions that you as Data Controller should be asking before making a decision whether to disclose in terms of a SAR:-
1) Does the request require the disclosure of information which identifies a third party individual?
Section 7(4) of the Act is only relevant if information about a third party individual is necessarily part of the information which the requesting individual is entitled to.
You should consider whether it is possible to comply with the request without revealing information which relates to and identifies a third party individual. In doing so, you should not only take into account the information you are disclosing, but also any information which you reasonably believe the person making the request may have, or get hold of, that may identify the third party individual.
2) Has the third party individual consented?
The practical effect of section 7(4) and associated provisions of the Act is that the clearest grounds for disclosing the information is to get the third party individual’s consent.
However, there is no obligation to try to get consent. There will be some circumstances where it will clearly be reasonable to disclose without trying to get consent, for example, where the information concerned will be known to the requesting individual anyway. Indeed it may not always be appropriate to try to get consent (for instance, if to do so would inevitably involve a disclosure of personal data about the requesting individual to the third party individual).
If the third party individual has consented, you would be obliged to comply with the subject access request and disclose all the relevant information, including that relating to the third party individual. However, in practice, it may be difficult to get consent. The third party may be difficult to find, they may refuse to give consent, or it may be impractical or costly to try to get their consent in the first place. In these situations, you would then need to consider whether it was ‘reasonable in all the circumstances’ to disclose the information anyway (section 7(4)(b)).
3) Would it be reasonable in all the circumstances to disclose without consent?
Section 7(6) of the Act provides a non-exhaustive list of factors to be taken into account when deciding what would be ‘reasonable in all the circumstances’.
- any steps you have taken to try to get the consent of the third party individual;
- whether the third party individual is capable of giving consent; and
- any express refusal of consent by the third party individual.
The ICO would expect you to be able to justify and keep a record of your course of action and reasoning, including, for example, why you chose not to try to get consent or why it was not appropriate to try to do so in the circumstances.
Please ensure that your Firm is on the ICO Register. The ICO will be carrying a survey of websites later this year, with the aim of identifying what information organisations provide to users who may want to make subject access requests. A report on the findings is expected in early 2014.