Businesses are embracing the value of processing personal data about their customers and employees, and as a result, are holding more of it. Meanwhile, the general public are becoming more aware of their rights in relation to their personal data (primarily as a result of the introduction of GDPR, and frequent multi-million pound headline-grabbing fines from the ICO for data breaches). Disputes lawyers acting for employees, shareholders or any other individuals are also now routinely recommending the use of SARs in order to gain leverage and early disclosure.
Many data controllers put in place processes to deal with SARs in response to the introduction of GDPR in 2018, but unless that process has been updated since, it is almost certainly out of date due to Brexit, developments in the law, and updated ICO guidance.
Letters providing the supplementary information in response to a SAR are likely to be out of date. Data controllers typically state that "no personal data is transferred outside of the EEA" in these letters in order to comply with Article 15(2) GDPR. Such a statement is not compliant with the UK GDPR: if transfers of personal data are made anywhere outside the UK, the response must now include information as to the appropriate safeguards used.
High Court enforcement
At the end of last year, a High Court judgment (in Lees v Lloyds Bank plc) listed a number of circumstances that may result in the court choosing not to exercise its discretion to require a data controller to respond to a SAR. These include where:
- numerous and repetitive SARs are issued (which is abusive);
- the purpose of the SAR is to obtain documents (and not personal data); and
- there is a collateral purpose to the SAR (such as using the documents in litigation).
Some may have seen this judgment as an opportunity to ignore SARs that are made in parallel with litigation or an employment dispute. Unfortunately, the UK Information Commissioner's Office (ICO) Guidance on handling SARs does not reflect the judgment. The guidance, which was updated at the end of last year but does not take account of the case, clearly states that "the purpose for which an individual makes a SAR does not affect its validity, or your duty to respond..."
Until clarity is provided as to whether this judgment takes precedence over the ICO Guidance, we suggest following the ICO Guidance.
Updated ICO Guidance
One important change that the updated ICO Guidance brought in (as we reported here) is an opportunity to "stop the clock".
If you process a large amount of information about an individual, and clarification is genuinely required in order to respond to the SAR, you can now ask the requester to specify the information or processing activities their request relates to before responding to the request. The time limit for responding to the request is then paused until clarification is received, and if the data subject does not respond at all, you do not have to provide any personal data and can close the request.
The updated guidance also provided clarity on what is a manifestly excessive request, and what can be included when charging a fee for excessive, unfounded or repeat requests.
As the volume of SARs, and the risk associated with them, increase, it is important to ensure that your policies and processes are up to date with current law and guidance and are kept under review. A careful balance needs to be struck between dealing robustly with requests that are misplaced or insufficiently clear and remaining compliant with the prevailing law and guidance.
If you would like any assistance or advice on handling SARs, Osborne Clarke offers a comprehensive and cost-efficient SAR service which helps data controllers manage and meet their obligations. Feel free to get in touch with one of our experts, listed below.