Subject Access Requests
Are you familiar with recent court decisions on Subject Access Requests?
The Information Commissioner's Office (ICO) has issued an update to its code of practice to take into account what the courts have said on the obligations of data controllers when it comes to releasing information held.
What is a Subject Access Request?
This is when an individual exercises their right to see the information that an organisation holds on them. The reason that they have this right is so that they can, in appropriate circumstances, ask for that information to be corrected or deleted if it’s wrong.
There have been several court cases over the years that have clarified certain aspects of the Subject Access Request regulations. There are four main points to take away from these cases:
The data controller is only obliged to carry out a ‘reasonable and proportionate’ search. Data controllers can take into account issues such as time and cost when they are deciding what constitutes ‘reasonable and proportionate’.
It doesn’t matter if the person making the request has an ulterior motive, otherwise known as a ‘collateral purpose’. They may have ongoing legal action involving the employer, but that can’t be considered when deciding whether to grant the Subject Access Request. Although courts will probably not enforce a Subject Access Request when it’s considered an abuse of process, this won’t affect the obligations on a Data Controller.
Although a Data Controller can cite legal professional privilege as an exemption to granting a Subject Access Request, they should do so in a very narrow and specific way, rather than as a general policy. One firm had tried to argue that the exemption of legal privilege should apply to all documents held on behalf of their client, and that a search for the few documents that were not privileged would therefore be disproportionate and so exempt from the Subject Access Request.
When it comes to a Subject Access Request, there is a difference between information that is processed by somebody in the course of their work and information that relates to them personally. The same difference applies to corporate/employer email accounts and personal accounts. Generally speaking, a Subject Access Request can only apply to activities carried out on behalf of an employer, rather than the personal e-mail accounts of employees – unless it could be shown that they’d been used for employment purposes.
The burden of proof is on the data controller to demonstrate that they’ve made all reasonable efforts to comply with a Subject Access Request. The same applies to efforts to show that further compliance action would be disproportionate.
In the event of a complaint, the ICO will look favourably on data controllers who have communicated openly with the person making the Subject Access Request about the information required and the costs and effort involved in providing it.
It’s worth noting that the ICO Code of Practice says that data controllers should have information management systems that allow them to find and gather the data requested by Subject Access Requests and to redact any data that relate to third parties.
There is no hard and fast rule that can be generally applied. Data controllers will need to assess the balance between granting a Subject Access Request and the disproportionate effort involved in responding on a case-by-case basis.
As far as employers are concerned, the ICO guidance makes data controllers’ duties a lot clearer and should, if followed, reduce the number of potential Subject Access Request breaches.