How to satisfy subject access requests
This guide is based on UK law. It was last updated in
September 2008.
Information to which Data Subjects are entitled
Individuals are entitled to ask data controllers:
• Whether the data controller is processing any personal
data about that individual and, if so, to be given:
- a description of the personal data;
- the purposes for which they are being processed; and
- the recipients, or classes of recipients, to whom the
personal data are or may be disclosed.
• For a copy of the information constituting the personal data,
together with any information the data controller holds about the
sources from which that information was obtained; and
• About the logic involved in any automated decision-taking
that significantly affects them, where evaluation by automated
means is the sole basis for the decision.
Form of the request
Any request by an individual for their personal data is a
subject access request under the Data Protection Act 1998 (the
"Act"). It does not follow that every such request must be handled
through the formal subject access procedure. If the request is one
you would normally deal with in the ordinary course of your
business, consider whether it needs to be treated as a formal
subject access request under the Act at all.
If you do treat the request as a formal subject access request, the
data controller is entitled to ask for a fee of £10 (different fee
limits apply to requests for medical or education records) before
dealing with it, and it is advisable to ask for the fee without
delay, since the response period does not start until it has been
received. The request must be in writing, which includes electronic
forms such as email. The data controller is also entitled to the
following two further pieces of information before the forty
calendar day response period commences:
- Firstly, the data controller must be satisfied that the
person making the request is, in fact, the data subject. The use of
a subject access request form is advised: releasing an individual's
entire file to someone impersonating that individual is the most
serious security failure a subject access process can produce, so
the identity checks should be proportionate to the sensitivity of
the data and should not themselves reveal any of the information
requested. A standard form also provides evidence that the data
controller has adequate identification and verification procedures
in place.
- Secondly, the data controller is entitled to ask the data
subject for further information reasonably required to locate the
information that person seeks. It should be remembered that the
individual is within their rights to request copies of all
information held about them; nevertheless, you may wish to help the
data subject narrow the request. This is discussed further below.
The forty day period starts to run only when the last of these
conditions (the written request, the fee, confirmation of identity
and any location information requested) has been satisfied. It is
advisable to put procedures in place to ensure that the receipt of
the request and of each further item is correctly dated, so that the
organisation knows exactly how long it has to satisfy the subject
access request.
Negotiating with the Data Subject
As referred to above, it is advisable to negotiate with the data
subject. The location information the data subject has already
given will indicate what it is the data subject really wants to know
about. The Act allows data controllers to negotiate with data
subjects so that the data subject specifies the exact information he
or she wishes to receive.
However, if the data subject is adamant that he or she wishes to
receive a copy of everything the data controller holds on him or
her, then there is very little the data controller can do about
this, and a completely exhaustive search of the computerised and
manually held data in the organisation will be required.
How to search systems
If this is the case, then a search of all databases and all
relevant filing systems (manual files) which are caught by the Act
must be carried out throughout the organisation. The organisation
will need to decide the extent to which back-up and archived files
are searched. It is usual to set an internal time limit on these
searches so that the returns arrive well inside the forty-day
period.
It is sensible to organise the response to the request by giving
one individual the responsibility for issuing requests for
information throughout the organisation and receiving all the
returns. This will normally be the data protection officer.
The data protection officer will then have the job of printing
out all computerised information which has been returned to him by
each department. He will also have received photocopies of all
relevant manual files, and will therefore sit down with two piles
of paper in front of him – one of computer printouts and the other
of photocopied manual files.
Manual files
The manual files which are caught by the Act are those which
pass the two tests set out in the definition of a relevant filing
system. The first test is whether the file in question forms part
of a structured set. The set has to be structured by reference to
individuals or characteristics relating to individuals. If the
manual files are organised in alphabetical name order, or payroll
number, they will form a structured set.
If this is the case, the second test has to be applied. Does any
particular file in the structured set contain sufficient internal
structure so that specific information about a particular
individual is readily accessible? In other words, does the file
contain internal dividers or does it consist of pro-formas which
are always in the same place in each file? If the answer to these
questions is yes, then the file is caught by the Act.
Restrictions following receipt of a request
The Act is not intended to interfere with the normal running of
a data controller's business. Following receipt of a request, a
data controller may continue to make changes to the requested
information in the normal course of operation, provided that no
change is made because of the request, even if the data controller
would rather not release the information in its current form. This
restriction extends to the correction of inaccurate data: unless the
correction would have been made regardless of the request, the
individual is entitled to see the information as actually held,
whether or not it is correct.
Third party data
Once the information has been collected, the data protection
officer must consider his obligations to other data subjects. He
must essentially put himself in the position of the individual
making the subject access request and read every page of the
information to see whether, from that individual's perspective, it
reveals the identity of a third party. If the identity of a third
party is already known to the data subject, the data containing the
information relating to that third party can be revealed, because
the data subject already knows it.
However, if the identity of a third party is not already known
to the data subject in the context revealed by the documents, the
data protection officer has to consider whether complying with the
request necessarily discloses the information relating to the third
party, or whether that information can be separated from the rest of
the information to be disclosed: for example, by blanking out the
name of the individual, other identifying particulars, or any other
material that would otherwise point to the third party. At this
point, all other information which is likely to come into the hands
of the data subject must be considered as well, since a redaction
that looks adequate on the page may be undone by what the data
subject already knows or will receive. If the identifying material
can be blanked out (with a black marker pen on paper copies) and the
rest of the page handed over without revealing the identity of the
third party, then this information can be included in satisfying
the subject access request.
If, however, blanking out will not disguise the identity of the
third party because, for example, there is a report which has quite
clearly been written by the head of the organisation, and no amount
of blanking out will conceal the identity of the head of the
organisation, then the data protection officer must consider
whether to attempt to obtain the consent of the third party whose
identity will be revealed by handing over the information to the
data subject or whether it would be reasonable to supply the
information without their consent (for example, because the data
subject is already aware of the information in question in any case
or where it is not possible to attempt to get consent from the
third party as this would unavoidably disclose the personal data of
the data subject making the request). If consent can be obtained
then the information must be disclosed to the data subject
(including the third party's information).
If it is not possible to obtain the third party's consent, it
may still be possible for the data protection officer to provide
the data subject with the information where it would be "reasonable
in all the circumstances" to do so. This involves a balancing
exercise taking into account any duty of confidentiality owed to
the third party (for example, if they are an employee of the data
controller), the attempts made to obtain the third party's consent
(and whether consent has been expressly refused), whether the
third party is actually able to give consent, whether the
information will in any case already be known to the requesting data
subject, and the impact on the privacy of the third party if the
information is disclosed. These considerations are discussed
further below under "Exemptions".
If consent cannot / is not received from the third party and the
data protection officer concludes that it would not be reasonable
to disclose the information without consent, then the data
protection officer should still attempt to deal with the request as
far as possible, for example, by blanking out or separating
information which is to be withheld.
Consent
Forty days is a very short period in which to obtain consent
from numerous third parties so try to think ahead. If your
activities are likely to give rise to frequent subject access
requests, for example, if you are running an investigations
department, it is sensible to obtain consent from third parties
when compiling reports for investigations. This will save time at a
later date if and when subject access requests are received.
Exemptions
The next stage is to apply the exemptions. Legal
professional privilege applies in two areas. Firstly,
litigation privilege attaches to any document which was
created with the dominant purpose of being used in current or
reasonably anticipated litigation. The document can be created by
anybody so long as this was its dominant purpose. The second branch,
legal advice privilege, attaches to communications between a client
and a barrister or solicitor which were brought into being in order
to obtain or give legal advice. Documents created by third parties
are not generally covered by this second branch and will usually
need to satisfy the litigation test to be privileged.
Information in respect of informal grievances may well not be
covered by legal professional privilege if the information is not
the giving or receiving of legal advice from a barrister or
solicitor. Many other people give legal advice, such as
accountants, patent agents and management consultants, but advice
from none of these attracts legal professional privilege.
The next useful exemption is negotiations with the data
subject. If the data controller is negotiating with the
data subject at the time the subject access request is made,
records of the data controller's intentions in relation to those
negotiations need not be revealed to the extent that doing so would
be likely to prejudice the negotiations. Once the negotiations are
complete and have been put into effect, the whole file becomes
subject to subject access in the normal way. Similarly, there is an
exemption for information processed for the purposes of management
forecasting or management planning, to the extent that disclosure
would be likely to prejudice the conduct of the business.
Emails are subject to subject access, as are archived
computerised and manual files and all back up tapes. It must be
remembered that CCTV footage and tapes of telephone conversations
may also be included as personal data and must be searched on
receipt of a subject access request if the data subject so
requires. The compliance costs of subject access can sometimes be
very high.
Other general exemptions to subject access are national
security and personal data processed for the prevention or
detection of crime, the apprehension or prosecution of offenders,
or the assessment or collection of tax, to the extent that
disclosure would be likely to prejudice those purposes.
Confidential references given by the data controller (for the
purposes of education, training, employment, appointment to office
or the provision of services) are not subject to subject access in
the hands of the data controller, but they may well be in the hands
of the recipient. This is a two way street, and any confidential
references given to you could therefore be subject to release under
the Act, subject to the third party considerations above.
Where the personal data contain health information, there is a
duty on the data controller to consult an appropriate health
professional before the information can be released to the data
subject. This is to avoid disclosing information about adverse
health conditions to a data subject where the disclosure may be
harmful to the data subject or to another person. This requirement
does not apply where the data subject has already had access to the
information, or where the data subject originally provided the
information himself or herself.
If consent has not been obtained by the data controller for
whatever reason, the data controller has to apply the four
factors set out in the Act. These tests were included in the Act to
take account of the human rights case of Gaskin, in which a young
man had spent his childhood in the care of a local authority. When
he was in his twenties, he asked the local authority for a copy of
his file. The records relating to his time in care were considered
to be the only coherent record of his early childhood and formative
years. On receipt of the request, the Council discovered that his
file revealed the identities of well over a hundred other
individuals. The Council attempted to obtain consent from these
people but, after several years, had managed to do so from only
around half of them. The case went all the way to the European
Court of Human Rights in Strasbourg, which held that people in his
situation had a vital interest, protected by the European Convention
on Human Rights, in receiving the information necessary to know and
understand their childhood and early development. Lack of consent
from third parties should therefore not prevent the information from
being handed over where withholding it would place the data
subject's human rights in jeopardy.
In summary, the four guidelines are:
- Consideration of any duty of confidentiality owed to the other
individual;
- Consideration of any steps taken by the data controller with a
view to seeking the consent of the other individual;
- whether the other individual is capable of giving consent;
and
- any express refusal of consent by the other individual.
There is no extension of the 40-day time period for obtaining
consents. Failure to respond to a subject access request within the
40-day period entitles the individual to apply for a court order
requiring the data controller to comply with the request. In
addition, failure to respond within 40 days is a breach of the Sixth
Data Protection Principle. Any person affected by the breach may
bring an action for compensation for any damage suffered (which may
be difficult to prove) and, where damage is suffered, for any
associated distress.
Any such failure may be reported by the individual to the
Information Commissioner and may well give rise to an investigation
by the Information Commissioner.
It is possible for the data controller to negotiate with the
data subject as to the form in which the information is handed
over. The default position is that the data subject gets a copy of
the information in permanent and intelligible form, unless supplying
such a copy is not possible or would involve disproportionate
effort, or the data subject agrees otherwise. Any terms or internal
codes which are not intelligible without an explanation must be
accompanied by one.
Contacts