The Data Protection Act 2018 and the General Data Protection Regulation (GDPR) impose various duties on organisations, businesses and government departments who collect and retain personal data - data in respect of natural persons.
Personal data includes any information which relates to and which can be linked to an identifiable living person. Under rights enshrined in the Data Protection Act and GDPR private individuals normally have a right to find out what information an organisation holds about them.
A request to provide this information is known as a “data subject access request” or “DSAR”. A DSAR does not need to be made in writing and does not have to state that it is a data subject access request as long as it is clear that the individual is requesting a copy of their personal data.
What can an individual request?
An individual (a “data subject”) is entitled to request an organisation to:
- provide them with a copy of all the personal data they hold on the data subject;
- confirm the purpose for which they are using the data;
The response time to a DSAR
There is a tight deadline for a response to a DSAR. An organisation must normally respond within one calendar month from the day of receipt of the request. The period may be extended by up to two further months where necessary, taking into account the complexity of the request and the amount of data involved. However, the Information Commissioner’s Office, or ICO, which is responsible for the overall regulation of data protection issues in the UK, has indicated that an extension of time is only appropriate in exceptional circumstances. In any event, the organisation is still obliged to respond to the data subject within the one calendar month period to advise them of the reason for the delay, so that the data subject is aware of the situation and has the opportunity to complain to the ICO if they so choose.
Is an organisation permitted to charge for providing the required information?
Since the introduction of GDPR it is no longer permissible to charge a fee for reasonable subject access requests. However, if a request is “manifestly unfounded or excessive” then a reasonable fee may be charged. This fee should only cover administrative costs and nothing more.
An organisation is not obliged to commence work on the DSAR until the fee is paid and the one calendar month period then runs from the date the fee is received.
Can an organisation refuse to provide the requested information?
As a general rule if an organisation holds personal data about an individual they are obliged to respond to a DSAR. Under the GDPR an organisation is however permitted to refuse to comply with a DSAR if it is manifestly unfounded and/or excessive.
The ICO has indicated that a request will be considered “manifestly unfounded” in circumstances where the individual has no clear intention to access the information, or is malicious in intent and is using the request to harass an organisation with no real purpose other than to cause disruption. A request may be “excessive” if it repeats the substance of previous requests and a reasonable interval has not elapsed, or if it overlaps with other requests.
Each request must, however, be considered on its own merits, and the question of whether a DSAR is manifestly unfounded or excessive can only be determined by considering the facts of the request. The ICO has indicated that a DSAR will not be considered manifestly unfounded and/or excessive merely because, for example:
- The data subject has made previous requests;
- They have requested a large volume of information;
- It will be difficult and time-consuming to respond;
- The request is accompanied by aggressive or unpleasant language.
Can an organisation request more information to process the request?
An organisation is entitled to request the data subject to prove their identity or, if the request is being made by a third party, to provide proof of their authority to make the request on behalf of the data subject. The one calendar month period for responding to the request will not start to run until the day on which such information is provided.
An organisation may also request further information to assist in responding to the request. This may be useful in situations where the amount of data held is significant or falls into a number of different categories. If a data subject has requested all personal information, then that is what an organisation is legally obliged to provide. If, however, the data subject is really only interested in obtaining information relating to a particular issue, it may be possible to supply only data relating to that issue if the data subject agrees. It is important to remember that a request for further information does not in itself extend the deadline for providing a response.
What is the situation if the data requested under the DSAR contains personal data about other natural persons?
In providing a response an organisation needs to be careful not to disclose the personal data of persons other than the data subject who has submitted the request unless:
- The organisation has the third party’s permission to make the disclosure;
- It is reasonable to comply with the request without the third party’s consent.
The question as to whether it would be reasonable to disclose third party information without that party’s consent is not easily answered and involves balancing the rights of the person making the DSAR with the potential impact of disclosing a third party’s information on that third party. In such circumstances it is normally safer to disclose the information only with consent.
If neither of the above exceptions applies, care must be taken to ensure that third party personal data is redacted (blocked out) from any records before they are supplied to the data subject who has submitted the DSAR.
Successfully responding to a DSAR within the prescribed timeframe is much easier when suitable systems are in place within the organisation to enable the request to be handled correctly and efficiently. Key to this is a well-organised data storage system which allows all relevant data to be recovered easily. Adequate staff training is also important to ensure that an employee is able to recognise a DSAR when received and that they know to whom it must be passed to ensure that it is dealt with promptly. Also, as indicated above, deciding how to deal with a DSAR is not always straightforward.
Deciding whether a request is manifestly unfounded and/or excessive, for example, or whether it is reasonable to provide third party data when responding to a DSAR, may not be easy, and in such circumstances taking legal advice is normally advisable.
This article is provided by Burlingtons for general information only. It is not intended to be and cannot be relied upon as legal advice or otherwise. If you would like to discuss any of the matters covered in this article, please contact Andrew Pike or write to us using the contact form below.