In the second of a series of posts on recent developments in the field of data protection law, my colleague Sherif Malak highlights some important aspects concerning the rights of individuals to access their data and the consultation on a new code that is currently underway. A number of privacy campaigns have sought to raise the public’s awareness of the increasing volumes of personal data used and collected by service providers online, so it is important to have the right processes and procedures in place when dealing with a user request for access to their personal data.
The public consultation period for a draft code of practice on the right of subject access, published by the ICO (the UK data protection authority), is due to end next month. The 60 page draft code contains guidance on the requirements of the Data Protection Act (DPA) as well as points of good practice that it recommends organisations adopt in respect of the rights of access that data subjects have under sections 7-9A of the DPA. Generally, within 40 days of a request and for a nominal fee (max. £10), individuals are entitled to be told whether their personal data are being processed and to be given a description of that data, the reasons for processing and whether the data will be shared with other organisations or people. They are also entitled to be given a copy of the personal data and, if available, details of its source.
For many organisations and other data controllers, such subject access requests (“SARs”) are commonplace, so the guidance may have a significant impact on how they conduct their request handling procedures. The draft code emphasises that organisations should embrace the opportunity to take a positive approach to data subject access rights by streamlining request handling through staff training and guidance and by monitoring compliance. We recommend reading through the paper, which is quite detailed and provides a number of useful examples. In the meantime, a few points made in the draft that will no doubt be of interest include:
- Although a SAR must be made in writing, it does not need to take a prescribed form nor mention the DPA (or that it’s a SAR) and can even appear at first sight to be a Freedom of Information Act request. In fact, a request can be sent, directly or indirectly, by post, email, fax, via an organisation’s website or even posted on its social media site or a third party website. So make sure you’re vigilantly checking your organisation’s tweets if it has a Twitter page!
- A child’s rights may be exercised by parents/guardians, but it is the child who has the right of access. If an organisation is confident that a child is mature enough to understand his/her rights, then it should respond to the child and not to the parent (regardless of whether the parent or the child made the SAR). The draft code helpfully lists a number of factors to consider in borderline cases on page 13.
- The 40 day period to respond to a SAR cannot be extended because an organisation is relying on a data processor to supply the required information. So organisations using data processors take note – you will need to put in place contractual arrangements to make sure that you can deal with SARs promptly, including when they are sent to your processors directly.
- You should not ignore a SAR simply because an individual has not paid the fee or has not provided enough information, or because you reasonably require more information to confirm the requester’s identity. You should contact the individual promptly and inform them of what is needed for their request to be processed. If you have done so, the 40 day period will not begin until you have obtained these things from the requester.
- The draft code clarifies that the ‘disproportionate effort’ exception applies to the supplying of the information by organisations but does not permit you to exclude information from your response just because it is difficult to access or find. Data controllers are therefore obliged to make extensive efforts to locate data relevant to a SAR but not obliged to “leave no stone unturned”. You cannot require the requester to narrow the scope of their request if they have asked for “all the personal information held” about them.
- You should have procedures in place to find and retrieve personal data requested that has been electronically archived or backed-up. However, the ICO has said that it does not expect you to use expensive technical expertise to ‘undelete’ deleted information that can technically be recovered.
- The draft code also covers in detail how you should deal with requests involving third-party data, special cases (such as credit and health records) and the form in which you can respond to a SAR.
The consultation period ends on 21 February 2013. If you would like to participate and provide your feedback, you can find the submission form for your comments, as well as a copy of the draft code, on the ICO’s webpage here.
Have a great week,