How to satisfy subject access requests
Information to which Data Subjects are entitled
Individuals are entitled to ask data controllers for information about the following matters:
- Whether the data controller is processing any personal data about that individual and, if so, to be given:
- a description of the personal data;
- the purposes for which they are being processed; and
- the disclosees, or potential disclosees, of the personal data.
- To be given a copy of the information and to be told about the sources from which the data controller derived the information so long as those sources are available to him; and
- The logic involved in automated decisions relating to him.
Form of the request
The subject access request should be in writing.
The data controller is entitled to ask for a fee of £10 and two further pieces of information. Firstly, the data controller must satisfy himself that the person making the request is, in fact, the data subject. The use of a subject access request form is advised, since the greatest breach of a data controller’s security is for the data controller to satisfy a subject access request made by a person impersonating the data subject. The use of the form goes towards proving that the data controller has adequate identification and verification procedures in place. Secondly, the data controller is entitled to ask the data subject for further information to enable the data controller to locate the information which that person seeks.
When the last of these three pieces of information has been obtained, the forty day period starts to run. It is advisable to put procedures in place to ensure that the receipt of the request and the further information is correctly dated so that an organisation knows how long it has to satisfy the subject access request.
Negotiating with the Data Subject
At this stage, it is advisable to negotiate with the data subject. The location information the data subject will have already given will give a clue as to what it is the data subject really wants to have information about. The benefit of the Data Protection Act 1998 is that it allows data controllers to negotiate with data subjects to get the data subject to specify the exact information he or she wishes to receive.
However, if the data subject is adamant that he or she wishes to receive a copy of everything the data controller holds on him or her, then there is very little the data controller can do about this and a completely exhaustive search of the computerised and manually held data in the organisation will be required.
How to search systems
If this is the case, then a request to search all databases and all relevant filing systems (manual files) which are caught by the Act must then be issued throughout the organisation. This request must include all back up and archived files, whether computerised or manual which fall within the application of the Act. It is usual to put a time limit on these requests.
It is sensible to give one individual the responsibility for issuing requests for information and receiving all the returns. This will normally be the data protection officer in the organisation.
The data protection officer will then have the job of printing out all computerised information which has been returned to him by each department. He will also have received photocopies of all relevant manual files, and will therefore sit down with two piles of paper in front of him – one of computer printouts and the other of photocopied manual files.
The manual files which are caught by the Act are those which pass the two tests set out in the definition of a relevant filing system. The first test is whether the file in question forms part of a structured set. The set has to be structured by reference to individuals or characteristics relating to individuals. If the manual files are organised in alphabetical name order, or payroll number, they will form a structured set.
If this is the case, the second test has to be applied. Does any particular file in the structured set contain sufficient internal structure so that specific information about a particular individual is readily accessible? In other words, does the file contain internal dividers or does it consist of pro-formas which are always in the same place in each file? If the answer to these questions is yes, then the file is caught by the Act.
Third party data
At this stage, the data protection officer then has to pretend that he is the individual making the subject access request. He has to read every single page of information to see whether it reveals the identity of a third party, when viewed from inside the head of the person making the subject access request. If the identity of a third party is already known to the data subject, then the data containing the information relating to the third party can be revealed to the data subject, because he already knows it. However, if the identity of a third party is not already known to the data subject in the context revealed by the documents, then the data protection officer has to consider whether blanking out the name of the individual, or blanking out other identifying particulars or any other material, would be sufficient to disguise the identity of the third party from the data subject. At this point, all other information which is likely to come into the hands of the data subject must be considered as well. If the identifying material can be blanked out with black marker pen and the rest of the information on that page can be handed over without revealing the identity of the third party, then this information can be included in satisfying the subject access request.
If, however, blanking out will not disguise the identity of the third party because, for example, there is a report which has quite clearly been written by the head of the organisation, and no amount of blanking out will conceal the identity of the head of the organisation, then the data protection officer has to attempt to obtain the consent or otherwise of the third party whose identity will be revealed by handing over the information to the data subject.
Forty days is a very short period in which to obtain consent from numerous third parties. If your activities are likely to give rise to frequent subject access requests, for example, if you are running an investigations department, it is sensible to obtain consent from third parties when compiling reports for investigations. This will save time at a later date if and when subject access requests are received.
The next stage is to apply the exemptions. Legal professional privilege applies in two areas. Firstly, legal professional privilege attaches to any document which was created with the dominant purpose of being used in current or potential litigation. The document can be created by anybody so long as this was its dominant purpose. The second branch of legal professional privilege is any document which was brought into being in order to obtain legal advice from a barrister or solicitor. This will include documents created by third parties as part of the process of giving or receiving legal advice.
Information in respect of informal grievances may well not be covered by legal professional privilege if the information is not the giving or receiving of legal advice from a barrister or solicitor. Lots of other people give legal advice, such as accountants, patent agents and management consultants, but none of these attract legal professional privilege.
The next useful exemption is negotiations with the data subject. If the data controller is negotiating with the data subject at the time at which the data subject makes the subject access request, the data controller does not have to reveal his intentions if to do so would be likely to prejudice those negotiations. Once the negotiations are complete and have been put into effect, the whole file becomes subject to subject access in the normal way. Similarly, there is an exemption for information relating to management forecasting or management planning.
Emails are subject to subject access, as are archived computerised and manual files and all back up tapes. It must be remembered that CCTV footage and tapes of telephone conversations may also be included as personal data and must be searched on receipt of a subject access request if the data subject so requires. The compliance costs of subject access can sometimes be very high.
Other general exemptions to subject access are national security and the prevention or detection of crime, or the apprehension or prosecution of offenders.
Confidential references given in confidence by the data controller are not subject to subject access in the hands of the data controller, but they may well be in the hands of the recipient.
Where the personal data contain health information, there is a duty on the data controller to consult an appropriate health professional before the information can be released to the data subject. This is to avoid disclosing information about adverse health conditions to a data subject where the disclosure may be harmful to the data subject or to another person. This requirement does not apply where the data subject has already had access to the information, or where the data subject originally provided the information himself or herself.
If consent has not been obtained by the data controller for whatever reason, the data controller has to apply the four guidelines set out in the Act. These tests have been included in the Act to take account of the human rights case of Gaskin, where a young man had spent his childhood in the care of a local authority. When he got into his twenties, he made a request to the local authority to see a copy of his file. The local authority records relating to his time in care were considered to provide the only coherent record of his early childhood and formative years. On receipt of the request, the Council discovered that his file revealed the identities of well over a hundred other individuals. The Council attempted to gain consent from these people but in fact, after several years, had only managed to achieve consent from around half the people on the file. The case went all the way to the European Court of Human Rights in Strasbourg, and the Court considered that people in his situation had a vital interest protected by the European Convention on Human Rights in receiving the information necessary to know and understand their childhood and early development. Lack of consent from third parties should not prevent the information from being handed over.
In summary, the four guidelines are:
- any duty of confidentiality owed to the other individual;
- any steps taken by the data controller with a view to seeking the consent of the other individual;
- whether the other individual is capable of giving consent; and
- any express refusal of consent by the other individual.
There is no extension of the 40-day time period for obtaining consents. Failure to respond to a subject access request within the 40-day period gives rise to the ability of the individual to obtain a court order to require the data controller to comply with the request. In addition, failure to respond within 40 days will be a breach of the Sixth Data Protection Principle. Any person affected by the breach may bring an action for damages (provided they can prove loss) and any associated distress.
Any such failure may be reported by the individual to the Information Commissioner and may well give rise to an investigation by the Information Commissioner.
It is possible for the data controller to negotiate with the data subject as to the form in which the data controller hands over the information to the data subject. The default position is that the data subject gets a hard copy of the information in a permanent and intelligible format, unless the supply of such a copy is not possible or would involve a disproportionate effort, or the data subject agrees otherwise. Any terms which are not intelligible without an explanation must be accompanied by an explanation.