Initial guidance provided in April 2018 left many questions open as to how businesses should comply with their obligations as controller within the context of their commercial reality: for example, how to manage the volume of potential documents in scope of a subject access request (SAR), and when an organisation can deem a request to be 'excessive' or 'manifestly unfounded' and therefore charge a fee or refuse to act on the SAR.
The draft guidance provides further information about the extent of the right of access and of controllers' obligations, as well as the exemptions available. In this update, we have selected some key points from the draft guidance which will pose further challenges for organisations, and those which will make the controller's life easier.
The ICO simultaneously launched a consultation, closing on 12 February 2020, which invites organisations to give details of the points in the draft guidance where greater clarity is needed and of their experiences with handling SARs since the introduction of the GDPR in May 2018.
Reminder: what is the right of access?
Under Article 15 of the GDPR, data subjects have the right to obtain confirmation from data controllers as to whether their personal data is being processed and, if so, to obtain a copy of this data. This must be accompanied by various information about the processing of the individual's data, such as the purposes for which it is processed and whether it is shared with third parties.
In itself, this right is nothing new: SARs have been around since the 1980s, but there are some key differences under the GDPR. Data subjects' increasing awareness of their rights in relation to their data and concerns around data processing and privacy have also led to a marked increase in SARs.
What does the draft guidance say?
At 77 pages, the draft guidance takes a comprehensive sweep of all aspects of the right of access. However, organisations hoping to find a simple set of rules as to how to handle SARs may be disappointed. One of the general themes of the draft guidance is that each request must be dealt with on a case-by-case basis – few of its recommendations or clarifications are absolute. Organisations must look carefully at the particular circumstances of each request and assess that request discretely in its own context.
This makes it harder for organisations to introduce blanket policies to reduce the burden of handling SARs and will mean that those who have introduced such policies – for example, rejecting SARs requesting "all personal data" relating to the data subject, or not searching certain systems or types of data – will need to think again. Blanket policies are rarely going to be considered by the ICO to be compliant.
There are, however, some silver linings which provide organisations with much needed clarity.
Which parts introduce further challenges for businesses?
Using standard forms
The draft guidance recognises that providing standard forms for individuals to use to make a SAR can make life easier for businesses. However, it reiterates that SARs are equally valid regardless of how they are made (including verbally and via social media). Organisations must make clear that it is not compulsory to use the standard form and ensure that they are only inviting – not compelling – individuals to use them.
When is a request 'complex'?
Organisations must respond to SARs 'without undue delay' and at the latest within one month of receipt. This time limit can be extended to up to three months if the request is 'complex' or a number of requests have been received from the individual. The ICO makes clear that organisations cannot deem a request 'complex' solely because it involves a large amount of information or because they are reliant on a processor to provide information, although either of these factors may increase the likelihood that it will be 'complex'.
The meaning of 'complex' will depend upon the circumstances of each case and the controller in question: what is complex for a small organisation with limited resources will be different for a much larger one. Controllers must be able to demonstrate why a particular request is complex: relevant factors include where data is technically difficult to retrieve (for example, if it is electronically archived); if large volumes of particularly sensitive information are involved; or if specialist work is involved, such as redaction.
Handling bulk requests
The draft guidance takes a hard line on this issue, reminding controllers that all SARs have the same legal status and are equally valid, regardless of how many different requests a controller has to deal with; the purpose for which a SAR is made (unless manifestly unfounded or excessive); or the behaviour of a third party requester.
However, if the ICO receives a complaint about a SAR, it will take into account the volume of requests the organisation was handling at the time and any steps it had taken to allow bulk requests to be dealt with effectively. The ICO will not take enforcement action where it would be "clearly unreasonable" to do so.
The draft guidance makes clear that organisations cannot require individuals to narrow the scope of their request, and that requests for all of the information a controller holds are entirely valid.
Controllers may ask the individual to specify the information or processing activities their request relates to, and to provide additional details to help locate the relevant information, such as approximate dates or the context of processing. However, the individual does not have to respond and organisations cannot extend the deadline due to a clarification request.
Archived information and back-up records
Although the ICO recognises that it can take longer to retrieve electronically archived or backed-up data, it highlights that there is no "technology exemption" from the right of access, and that organisations need to have systems and procedures in place to retrieve such data.
In pre-GDPR guidance from 2014, the ICO had said that if information had been "put beyond use" – even if not actually deleted – then it would not require data controllers to grant individuals subject access to it. The ICO had set out four safeguards for determining whether data was, in fact, "put beyond use". For many businesses, with vast archives of personal data, that was a useful caveat to the right of access. Unfortunately, that caveat does not appear anywhere in the draft guidance.
The ICO has likely concluded that because there are technical solutions available now to effectively search archived information and back-up records, there is no need for it to be treated any differently to "live" data. This may be a point that is further clarified in the final version of the guidance.
As currently drafted, this means that businesses should have appropriate retention schedules, not only for "live" data, but also for archived and back-up data. The more data a business stores, the harder it will be to comply with a SAR.
Information contained in emails
Not surprisingly, the draft guidance states that information contained in emails still needs to be disclosed, as emails are a form of electronic record, and that items in a user's 'deleted' folder do not count as having been deleted. The right also extends to information contained in archived emails.
The meaning of 'manifestly unfounded' and 'excessive'
Controllers can refuse to act on a SAR if a request is 'manifestly unfounded' or 'excessive'.
The draft guidance clarifies that requests are 'manifestly unfounded' if the individual clearly and obviously has no intention to exercise their right of access: for example, if they offer to withdraw their request in return for a benefit; or if the request is malicious in intent and its purpose is to cause disruption. Examples include requests that make "unsubstantiated accusations against the company or specific employees" or where the individual is targeting an employee against whom they hold a grudge. Again, this depends upon the circumstances and each request must be judged on its merits: a previous 'manifestly unfounded' or 'excessive' request from an individual does not, by itself, make their subsequent requests manifestly unfounded or excessive.
Requests cannot be deemed excessive merely due to the volume of information requested. Instead, this applies more to repeated or overlapping requests made before a reasonable interval has passed. What constitutes a reasonable interval will depend upon the nature of the data, the purposes of processing, and how often the data is altered.
Does any of the draft guidance make life easier for controllers?
As a whole, the draft guidance provides valuable clarity for data controllers on the extent of their obligations.
Whilst the ICO shows an understanding of the challenges faced by organisations, the bottom line is that organisations must ensure they have efficient data management and retention policies and systems in place that allow them to respond to SARs to the full extent of the data subject's rights and within the time limits.
The ICO recommends:
- informing individuals about how they can make a SAR;
- ensuring staff know how to recognise a SAR and providing detailed training to those handling them;
- creating internal guidance notes with links to SAR procedures and policies;
- appointing a specific team to handle requests and producing checklists to ensure staff take a consistent approach to requests;
- ensuring data can be sent securely;
- maintaining "information asset registers" to help quickly identify where data is stored; and
- ensuring that data is not kept for longer than necessary, thereby reducing the amount of data that falls in scope for disclosure.
What are the risks of non-compliance?
Organisations that breach the right of access risk enforcement action from the ICO, which can include enforcement notices, undertakings, fines and even criminal prosecutions.
The Data Protection Act 2018 introduced a new criminal offence. Under section 173, it is an offence to "alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information" that an individual would have been entitled to receive under a SAR. The draft guidance makes clear that following a SAR, organisations should be careful not to amend or delete data that should be disclosable under it, unless such amendments/deletions result from the routine use of data whilst SARs are being handled.
We have not yet seen any prosecutions come through the courts for infringement of section 173. Nevertheless, data controllers need to ensure that all staff are aware of the existence of this offence and that all are effectively trained on SARs and the implications of getting it wrong.
If you would like any assistance or advice on handling SARs, Osborne Clarke offers a comprehensive SAR service which helps data controllers manage and meet their obligations. We can provide discrete advice on any particular issues that are causing you concern, provide an end-to-end service on responding to a SAR (including strategy, review, redaction and disclosure), and help you manage your entire SAR response portfolio. Feel free to get in touch with one of our experts, listed below.
This article was written with the assistance of Lucy Price, trainee solicitor at Osborne Clarke LLP.