Speedbrief: How to deal with Data Subject Access Requests – a new code of practice

  • United Kingdom
  • Privacy, data protection and cybersecurity


What is new? 

Towards the end of 2020 the ICO issued its new statutory code of practice on data subject access requests (‘DSARs’).  Many organisations are seeing a flurry of these requests in the lead-up to the holiday period. 

Why is this relevant? 

The ICO is, of course, the regulator that enforces data protection laws in the UK.  The new code is highly relevant to all organisations that are ‘controllers’ of personal data about any individuals, whether employees and other staff, contractors, customers, business contacts or others.  The ICO expects its new code to be adhered to when DSARs are handled. 

In its statement issued during the pandemic about its approach to enforcement action, the ICO stressed the importance of continuing to deal with GDPR rights requests, even if the reality is they take longer than usual for organisations struggling under the strain of reduced resources.

What does the code say? 

It is 80 pages long.  It includes a wealth of helpful new guidance and provides clarity on several points.  It follows a consultation by the ICO on an earlier draft. 

There are several nuggets in the code including:

Complex requests: Where necessary, controllers can have up to a further two months to deal with a complex DSAR.  The burden of showing that a request is complex (and that the extension is necessary) is on the controller.  One month remains the normal statutory deadline. 

The Code clarifies what can amount to a complex request.  The volume of data by itself is not sufficient.  Factors such as the need to obtain specialist legal advice (perhaps in relation to exemptions) can mean a request is complex (although not if legal advice is routinely sought).  Technical difficulties in retrieving data from electronic archives can also make a DSAR complex.  

If an organisation (or its ‘processor’, acting with the controller’s permission) decides that it is necessary to extend the time limit by two months, it must let the individual know within one month of receiving their request and explain why.

Reasonable adjustments: Consider whether reasonable adjustments need to be made for disabled individuals who wish to access their personal data (for instance, some visually impaired people may need large text).   

Clarification of a request: There is a key difference between asking an individual to clarify a request (i.e. where it is needed to be sure what data they want) and asking them whether they wish to narrow its scope (to get to the data they really want – e.g. emails from the 12 months prior to an acrimonious end to the employment relationship with that person).  The one month deadline can be paused only in the first scenario, and only until the clarification is forthcoming. 

Training: There is a useful reminder about the need to provide general training to all staff so that they can recognise a DSAR.  For example, ensure that staff know that oral DSARs made by telephone are entirely valid (though the controller or its processor would need to verify the requester’s identity in the usual way), as are DSARs sent by social media messaging. 

DSAR packs: The Code stresses the need to apply exemptions to the DSAR pack before it is sent (which can be tricky).  In addition, third party personal data usually has to be redacted (i.e. blanked out or removed). 

What about bulk requests?

Bulk requests are multiple requests from the same third party (for example a claims management company) on behalf of different individuals.  These requests must be considered case by case.  Unless a request from or on behalf of an individual is manifestly unfounded or excessive (which is very rare), it cannot lawfully be refused.  The behaviour of the third party making the requests should not be taken into account in assessing this, says the ICO. 

Check first that the individual actually wants the DSAR to be made (is there proof of authorisation?) and secondly that there is proof of their identity.  Respond to the DSAR even if only to confirm that no personal data is held. 

In considering a complaint about a DSAR, the ICO will have regard to the volume of requests received by an organisation and the steps they have taken to ensure they deal with requests appropriately, even when facing a high volume of similar requests.  The organisation’s size and resources are also likely to be relevant factors.  The ICO has discretion as to whether to take enforcement action, and indicates it would not take such action if it is clearly unreasonable to do so. 

What will the position be after the end of the Brexit transition period? 

The UK GDPR (in effect the GDPR with European Union terminology replaced) will apply from 1 January 2021 when the post-Brexit transition period ends.  The DSAR rules will continue unaltered.

What should we do next? 

The end of PPI claims has meant claims management companies are looking for alternative revenue streams, including possibly claims against organisations where individuals’ GDPR rights have been infringed. Add to this the Court of Appeal’s recent decision to give the green light to class actions for compensation claims in the UK under GDPR and the importance of making sure that DSARs are dealt with properly becomes clear. 

Practical steps to consider:

  • If your organisation has a DSAR protocol, update it to take account of the new code.  If your organisation has a Europe-wide presence, care is needed because DSAR exemptions in the UK are not the same as those in EU countries: each member state (and the UK) has derogations allowing it to apply exemptions to the right of access differently. 
  • If there is no formal protocol, consider whether the code is accounted for in other ways. 

Don’t forget that if your organisation is ‘joint controller’ with another for GDPR purposes, each of you has joint responsibility for DSARs in respect of the joint processing.   It’s possible that entities within a multi-national group are joint controllers for some joint use of data.