Subject access requests – the individual’s right to request information

Now that the initial GDPR tsunami has passed, attention has turned to (1) dealing with data breaches and (2) a renewed interest in subject access requests. Article 15 of the General Data Protection Regulations (GDPR) gives a data subject the right to obtain from a data controller any information it holds about them. Responding to such an access request can be a time-consuming operation for an organisation. The request has to be made in writing (which includes email), but it need not cite the GDPR or any of the specific rights granted to individuals under the Regulations.

Is the request valid?

The first thing for the organisation to do is to check that it is a valid request and that it is actually from the individual concerned.

Roughly half of subject access requests are made by former members of staff of the data controller, so it may be that you are already painfully aware of the identity of the person making the request. However, if it is a new request about someone with whom you are not familiar, it is sensible to ask for confirmation of their identity (such as asking them to provide a copy of their driving licence or passport). In addition, to save time, it may help to ask the data subject whether there is any particular information that they want, as an alternative to your providing every piece of information that you hold. The data subject can be encouraged to narrow down the information by explaining that you will be able to get it to them more quickly if they specify what kind of information they wish to know about.

Previously, data controllers were allowed to charge £10 to answer such a request, but since the advent of GDPR no charge can be made for responding to these requests. Furthermore, such responses have to be given to the data subject within 30 days of receipt, rather than 40.

What kind of information needs to be provided?

The data controller must provide a copy of all the factual information that it holds about the data subject. In addition, it must give the following supporting information:

  • Description of the purposes of the processing
  • The likely recipients of the personal data
  • The sources of the information (where available)

There are some exceptions, including management forecast information, information about negotiations, and information subject to legal professional privilege.

References

A data controller is not obliged to provide a copy of a reference that it has itself given in connection with the data subject. Data controllers can only take advantage of this exemption in relation to references that they themselves write; it does not cover references that they receive from third parties.

It often surprises clients that any photographs or film that the data controller may have of the data subject must be handed over in these circumstances. This will particularly apply to a former employee.

When handing over the copies of the personal data to the data subject, it is wise to remind them that (1) some of the information will be confidential, and (2) the text will be protected by copyright, so it is not open season for the data subject to reveal all the information to the world.

In future, much wider use will be made of subject access requests, whether to “punish” an unpopular data controller or as part of wider popular activism.