THE INFORMATION COMMISSIONER
January 8, 2015
Subject Access Requests Update
Section 56 of the Data Protection Act 1998 makes it a criminal offence to require an individual, for example as a condition of recruitment, employment or a contract for services, to exercise their subject access rights to obtain information about their convictions and cautions and then to hand that information over. This section of the Act was due to come into force on 1 December 2014, but its commencement has been delayed by the government. Even before it is in force, enforced subject access requests are discouraged by the Information Commissioner’s Office (ICO).
What is a Subject Access Request?
Section 7 of the Data Protection Act 1998 (DPA) sets out an individual’s right to see copies of the personal data an organisation holds about them, to be told why that data is held, and to be told to whom it may be disclosed.
‘Personal data’ means data relating to a living individual who can be identified from that data, either on its own or together with other information that is in, or is likely to come into, the possession of the data controller.
What information is an individual entitled to?
The Code of Practice on subject access requests released by the Information Commissioner’s Office confirms that an individual is entitled to be told whether any of their personal data is being processed, the reason for the processing, and whether it will be given to any other people or organisations.
Individuals should also be given a description of the data and are entitled to know its source. ‘Personal data’ can be data held in electronic form or in a ‘relevant filing system’. Paper records count as a relevant filing system for the DPA purposes only if they are held in a ‘sufficiently systematic, structured way’. If paper records are held in no particular order (for example in an unindexed file), they may not be subject to the right of access. Most HR records are now held electronically and are easily accessible, and therefore qualify as ‘personal data’.
Recognising a SAR
A subject access request (SAR) must be made in writing, which includes email. It is not uncommon for organisations to provide requesters with a standard in-house form to fill in, but there is no legally prescribed form, and a valid request need not use the words ‘subject access’ or refer to the DPA at all. Employers should assess the potential for SARs to be received through social media, such as the company Facebook or Twitter accounts, and “take reasonable and proportionate steps to respond effectively to requests received in this way”.
Data controllers are entitled to satisfy themselves as to the identity of the person making the request, so an employee who makes a SAR through social media will also need to confirm it separately, for example in writing with evidence of identity, or in person. Data controllers can charge a fee of up to £10 to process the request (higher maximum fees apply to certain health and education records) and are not obliged to comply until they have received the fee, together with any proof of identity sought and any information reasonably requested to locate the data.
Finding and retrieving information
The DPA does not prescribe how an organisation must search for data, but the ICO expects extensive efforts to be made to find and retrieve the relevant information. The Code states that, because it is difficult to truly erase electronic records, a data subject may be entitled to personal data that an employer does not have ready access to, as long as the employer still holds the data and could, given time and technical expertise, retrieve it. Employers should therefore have procedures in place to find and retrieve personal data that has been electronically archived or backed up, including data held in the cloud.
A policy restricting the circumstances in which staff may hold information about contacts, clients, customers or other employees on their own devices or in private email accounts is advisable. Employers should check that their Bring Your Own Device policy comprehensively covers the ways in which data may be held by employees and that it makes compliance with a SAR straightforward.
Third party information
Responding to a SAR may involve information relating to a third party. Under the DPA, an employer complying with a SAR is not required to disclose information about another individual (for example another employee) who can be identified from that information, unless the other individual has consented to the disclosure or it is reasonable in all the circumstances to comply with the request without that consent. The decision involves balancing the data subject’s right of access against the other employee’s rights in respect of their own personal data. An employer should consider whether a duty of confidentiality is owed to the third party and whether that person has expressly refused consent.
In the employment relationship, information that is not generally available to the public may have been disclosed to the employer in the expectation that it will remain confidential. Depending on the circumstances, it may be possible to provide some of the information by redacting the document, that is, blanking out the data that would identify the other employee or otherwise breach confidentiality.
Responding to a SAR
Personal data that is relevant to the request should be communicated to the subject in an intelligible form, and a copy should be supplied in a permanent form. The employer is not required to supply a copy in permanent form where the data subject agrees to another format, or where supplying such a copy would involve disproportionate effort; the volume of data involved is relevant to that assessment but is not by itself decisive.
An organisation has 40 calendar days to respond to a SAR, counted from receipt of the request, the fee and any information needed to confirm the requester’s identity and locate the data.
The DPA recognises that there are circumstances in which an employer may have a legitimate reason for not responding in full to a SAR. The Code gives examples, such as confidential references given by the employer for the purposes of an employee’s training or employment. References received from a third party do not benefit from this exemption, although the third-party rules above may still apply to them. Personal data processed for management forecasting or planning is also exempt where disclosure would be likely to prejudice the conduct of the business or other activity of the organisation. For example, if an employer is planning a redundancy exercise and an employee makes a SAR before the process starts, the company does not have to disclose its plans in response to the SAR if doing so would, as is likely, prejudice the conduct of the business.
Organisations that perform regulatory functions, such as protecting the public or charities or securing fair competition in business, can withhold personal data where disclosure would prejudice those functions. Personal data for which legal professional privilege could be claimed in legal proceedings is also exempt. This means that emails and letters between HR and their legal advisers, as long as they are genuinely privileged, do not have to be provided in response to a SAR. Employers should mark such communications appropriately, bearing in mind that a ‘privileged’ label does not of itself make a document privileged. Where privilege cannot be claimed, an employer may not refuse to supply information in response to a SAR simply because it is requested in connection with actual or potential legal proceedings. Subject to its own exemptions, the DPA provides that the right of subject access overrides any other rule of law that restricts disclosure.
The Code, however, recognises a discrepancy between the DPA and case law. The courts have decided that the SAR regime is not a substitute for the disclosure process during litigation. The Code records that the Information Commissioner does not accept this view, but recognises that the courts have discretion whether or not to order compliance with a SAR. If a court believes that the provision of information is best dealt with through disclosure in the legal proceedings, it may refuse to order personal data to be disclosed in response to a SAR.
An employee who believes they are affected by the processing of personal data may ask the ICO to assess whether that processing complies with the DPA. If the assessment shows that an organisation has failed to comply, the ICO can require it to take steps to comply with the data protection principles. The Information Commissioner may also serve an enforcement notice if satisfied that an organisation has failed to comply with the subject access provisions.
Failure to comply with an enforcement notice is a criminal offence. The Commissioner also has a statutory power to impose a monetary penalty on an organisation if satisfied that it has committed a serious breach of the DPA likely to cause substantial damage or distress. An individual may also apply to the court for an order requiring compliance with a SAR, and an individual who suffers damage because their employer or another organisation has breached the DPA can claim compensation from that organisation in the courts.
Good practice guidance for processing a SAR
Ten simple steps which organisations should follow when processing a SAR:
1. Identify whether a request qualifies as a SAR and provide a written acknowledgment of receipt indicating a likely timescale (within the 40-day limit).
2. Ensure there is enough information to verify the data subject’s identity (not usually an issue for employers dealing with their own staff).
3. At an early stage, ask the individual for any further information needed to establish what they want.
4. Promptly ask for any fee required (up to £10).
5. Check whether the information the individual wants is held and ensure an adequate search is carried out.
6. Do not alter any relevant data, even if it is inaccurate or embarrassing.
7. Consider whether the relevant records contain information about other people; if so, consider obtaining their consent or redacting the documents.
8. Consider whether any of the exemptions apply.
9. Explain any complex terms or codes in the information disclosed.
10. Provide the response in a permanent form, where appropriate.
In addition, all employers should review their ‘Bring Your Own Device’ policy and their protocols for communication between HR and external advisers.
Please note: The content of this article is for information purposes only and further advice should be sought from a professional advisor before any action is taken.