Data Protection and Freedom of Information Act: Subject Access Requests (SAR’s) – What data controllers need to do to comply?

Data Protection and Freedom of Information Act: Subject Access Requests (SAR’s) – What data controllers need to do to comply?

Section 7(1) of the Data Protection Act 1998 (the ‘Act’) gives individuals the right to access their personal data (subject access data). By making a written request and paying a fee, an individual is entitled to see 
  • the information which is the personal data; and 
  • any information available to the data controller about the source of the data. 
Subject access requests allow individuals to ask organisations about what information they hold about them.  If any information is held, the organisation will usually be required to supply copies to the individual making the request.  Generally, organisations are obliged to respond to any requests within 40 days of receiving that request.
The Information Commissioners Office (ICO), who regulates data controllers, who amongst other things requires compliance with the Data Protection Act 1998 and the Freedom of Information Act, receives a substantial number of complaints by individuals who believe that their subject access requests have not been dealt with correctly.  Over the last financial year, 6,000 such complaints were made. 
The subject access code of practice explains the rights that individuals have to access their personal data, and sets out the obligations of data controllers.
The Information Commissioner’s Office ("the ICO") has published guidance to assist organisations in dealing with requests from individuals for their data. 
In order to assist organisations in responding to subject access requests, the ICO has outlined ten steps for organisations to consider: 
  1. Identify whether a request needs to be considered as a subject access request;
  2. Obtain enough information to be sure of the requester’s identity;
  3. Ask the requester at an early stage if more information is required to assess their request;
  4. Check that the information the requester wants is available;
  5. Consider whether the records contain information about other people;  
  6. Do not make any changes to the records, even if they are inaccurate;
  7. Explain any complex terms or codes that are included in the information.  Organisations should ensure that the information can be understood by the requester; and
  8. If the organisation is charging a fee to deal with the request, this should be asked for promptly.  Organisations are permitted to charge a fee of up to £10, unless the request relates to medical or educational records;
  9. Consider whether any exemptions apply.  The exemptions include information held for the purposes of crime and taxation, certain types of management planning information and information that may prejudice negotiations with the requester;
  10. Where appropriate, provide the response in a permanent form unless the supply of such a copy is not possible or would involve disproportionate effort, or the data subject agrees otherwise.
According to the ICO’s new code, businesses must "make extensive efforts to find and retrieve the requested information". However, companies are not obliged to carry out an "unreasonable or disproportionate" search for information in order to disclose data under in accordance with individuals’ subject access rights, it said. 
The Data Protection Act does not limit the number of SARs an individual can make to any organisation. However, in terms of the ICO’s guidance, "The Act says you are not obliged to comply with an identical or similar request to one you have already dealt with, unless a reasonable interval has elapsed between the first request and any subsequent ones."
You need to consider the "nature of the data" being sought, such as its sensitivity; the purposes for which it is processed, including whether the processing is "likely to cause detriment (harm) to the requester"; and how often data is altered when determining whether there is a need to respond to a repeat SAR.
In considering a complaint about a SAR, the ICO will have regard to the volume of requests received by an organisation, the organisation’s size and the steps it has taken to ensure requests are dealt with appropriately even in the face of a high volume of similar requests.  
Another important area to consider when dealing with subject access requests is often responding to such subject access requests may involve providing information relating to another individual (a ‘third party individual’). For instance, if the requested information is a personnel file on an employee, it may contain information identifying managers or colleagues who have contributed to (or are discussed in) that file. This may lead to a conflict between the requesting employee’s right of access and the third party’s rights over their own personal information. 
Section 7(4) of the Act provides that if you cannot comply with the request without disclosing information relating to another individual who can be identified from that information, then you do not have to comply with the request unless: 
  • the third party has consented to the disclosure; or 
  • it is reasonable in all the circumstances to comply with the request without the consent of the third party individual.
The questions that you as Data Controller should be asking before making a decision whether to disclose in terms of a SAR:-     
                                                                                                                    1) Does the request require the disclosure of information which identifies a third party individual? 
Section 7(4) of the Act is only relevant if information about a third party individual is necessarily part of the information which the requesting individual is entitled to. 
You should consider whether it is possible to comply with the request without revealing information which relates to and identifies a third party individual. In doing so, you should not only take into account the information you are disclosing, but also any information which you reasonably believe the person making the request may have, or get hold of, that may identify the third party individual. 
2) Has the third party individual consented? 

The practical effect of section 7(4) and associated provisions of the Act is that the clearest grounds for disclosing the information is to get the third party individual’s consent. 

However, there is no obligation to try to get consent. There will be some circumstances where it will clearly be reasonable to disclose without trying to get consent, for example, where the information concerned will be known to the requesting individual anyway. Indeed it may not always be appropriate to try to get consent (for instance, if to do so would inevitably involve a disclosure of personal data about the requesting individual to the third party individual). 

If the third party individual has consented, you would be obliged to comply with the subject access request and disclose all the relevant information, including that relating to the third party individual. However, in practice, it may be difficult to get consent. The third party may be difficult to find, they may refuse to give consent, or it may be impractical or costly to try to get their consent in the first place. In these situations, you would then need to consider whether it was ‘reasonable in all the circumstances’ to disclose the information anyway (section 7(4)(b)). 
3) Would it be reasonable in all the circumstances to disclose without consent? 
Section 7(6) of the Act provides a non-exhaustive list of factors to be taken into account when deciding what would be ‘reasonable in all the circumstances’.
These are: 
  • any steps you have taken to try to get the consent of the third party individual; 
  • whether the third party individual is capable of giving consent; and 
  • any express refusal of consent by the third party individual. 
The ICO would expect you to be able to justify and keep a record of your course of action and reasoning, including, for example, why you chose not to try to get consent or why it was not appropriate to try to do so in the circumstances. 
Please ensure that your Firm is on the ICO Register. The ICO will be carrying a survey of websites later this year, with the aim of identifying what information organisations provide to users who may want to make subject access requests.  A report on the findings is expected in early 2014.

Legal Eye

Legal Eye works with law firms to ensure compliance and optimise performance. Their extensive and thorough knowledge of the law and regulations will ensure your law firm is compliant and your processes sound. Files are audited to ensure you are not only complying with the service level agreements you have in place, but very importantly, also the code of conduct.

They provide a documented audit trail which is firstly, a requirement of the code of conduct and secondly, essential for PI Insurance purposes and very often for CQS, Lexcel and other quality accreditations. This provides documented evidence of a proactive approach towards risk management. The advice they offer is clear and practical, and they pride themselves on exceptional customer service and unbeatable work quality.

Services include:

  • Specialist expertise across the full range of regulatory, risk and compliance issues to inform your internal decision making.
  • Additional qualified resource where you simply do not have the time to review your regulatory position or to carry out essential ongoing tasks such as file reviews.
  • An online risk hub –  an online resource centre for law firms. The hub provides a comprehensive bank of resources to help COLPs, COFAs, partners, directors and managers to manage risk. It includes precedent policy and procedure documents and templates, access to online training on a range of risk and compliance topics, and a range of useful materials such as ‘how to’ guides, short videos and articles.
  • Drafting and review of key policies and procedures including the supply of ‘document packs’ to save you time researching and writing documentation.
  • Expert advice on how to comply with up-to-date regulation including the very latest requirements complete with a written set of recommendations.
  • Specialist outsourced complaints  handling service provided by former SRA and LeO officers.
  • Gap analysis of your firm’s policies, processes and procedures as they relate to the Solicitors Accounts Rules (SAR) including the production of a written report summarising the strengths and weaknesses of the current arrangements and detailing recommended next steps and actions to put your firm in an even stronger position.
  • Training on SAR and on anti money laundering (AML) as well as other finance-related training which can be delivered virtually for your firm, face-to-face (subject to government guidance) or online via Legal Eye’s Training Academy.
  • A Standard Procedures Manual to provide a practical and comprehensive roadmap for firms to follow when looking to double check whether the current operating procedures are fit for purpose, setting up a new firm – or arm of a firm – or starting a new finance function from scratch.
  • Experienced advice and support for one-off projects such as achieving quality accreditations or switching regulators.
  • Proven high quality training for fee earners and staff held at your office/s covering essential risk topics such as  Anti Money Laundering, data  protection, cybercrime, conflict of  interest and more.
  • Online training from The Legal Eye Academy – core modules available to all staff at their convenience. Includes built-in auto reminder functionality so that you no longer have to chase staff indi-vidually to complete important training. Your package includes free updates to ensure knowledge is always up to date.
  • Added value updates by email to all your key people covering all the latest updates on risk and compliance.

The Legal Eye team includes former solicitors, partners and directors in law firms; former case handlers at regulators such as the Solicitors Regulation Authority and the Legal Ombudsman and experienced risk and compliance professionals.

Contact: Paul Saunder

Tel: 0203 0512 049

Email:  [email protected]

The Old Grammar School
Church Road

Leave a Reply

Your email address will not be published.