Dealing with a subject access request (SAR), whether or not the person making the request is an employee, can be very time consuming. The Information Commissioner’s Office (ICO) issued a Code of Practice in August 2013 on “Dealing with requests from individuals for personal information” (the Code of Practice) which is intended to clarify what organisations must do to comply with their duties to give individuals access to their personal data. This OnPoint identifies some of the more useful practical guidance and “best practice” recommendations made in the Code of Practice.
The right of subject access
Under Section 7 Data Protection Act 1998 (DPA) an individual is entitled, amongst other things, to be informed by any data controller whether personal data of which they are the subject is being processed by or on behalf of the data controller and, if so, to be given a description of that personal data.
Status of the Code of Practice
Compliance with the Code of Practice is not mandatory. Rather, the Code of Practice is a guide on good practice and in some circumstances goes beyond the strict requirements of the law. Conversely, compliance with the Code of Practice will not guarantee compliance with the DPA. The Code of Practice is intended to “plug [the] gap” between the legal requirements of the DPA and the practical measures that could be taken to comply with them.
The Code of Practice advocates the benefits to organisations of taking a positive approach to subject access. It suggests that, by clearly explaining how individuals can request their personal information, explaining what the organisation needs from them and what it will do in return, organisations can avoid costly disputes and difficulties. In particular, the ICO recommends that organisations adopt the following indicators of good practice:-
Training – ensuring that all staff are trained to recognise a SAR (with more detailed training on handling SARs being provided to relevant staff).
Guidance – publishing an intranet page with links to SAR policies and procedures available to staff.
Appointing dedicated request handling staff – ensuring there is a specific person responsible for responding to SARs or, ideally, a dedicated team so the organisation can cope with requests whilst key employees are absent.
Appointing data protection experts – large organisations have data protection experts or “information champions” who can provide data protection expertise, including SAR advice, within departments where personal data is processed.
Monitoring compliance – this will involve monitoring compliance with SARs and discussing the same at information governance steering group meetings. Organisations should also collect and maintain management information which shows the number of SARs received. This will also help to ensure that requests that have not been actioned within the statutory time limit are escalated to a suitably senior forum so that any breaches are dealt with at a senior level.
The Code of Practice seeks to dispel some myths about the requirements for making a valid SAR:-
Although a SAR must be made in writing, it does not need to mention the DPA specifically or even say that it is a SAR. Sometimes it may be described as a freedom of information (FOI) request but it will be valid if it relates to the individual’s personal data. Although there is no strict obligation to respond to a SAR made orally, it might be reasonable to respond and, at a minimum, it will be good practice to explain to the individual how to make a valid request, rather than ignoring them.
Organisations cannot require individuals to use a certain form to make a SAR and this should not be used as a tool for delaying a response beyond the 40-day time limit. However, creating a standard form for submitting SARs will make it easier to recognise SARs and easier for the individual to include all the details the organisation needs to locate the requested information.
SARs submitted by email or fax will be valid, and SARs may also be received via social media or third party websites.
Individuals making requests do not have to give a reason for making the request or explain what they intend to do with the information requested, although it may help the organisation to find relevant information if the purpose of the SAR is explained.
Requests are valid even if not sent directly to the individual within the relevant organisation responsible for dealing with SARs. For this reason, it is important that all employees can recognise SARs and deal with them in accordance with the organisation’s procedure.
SARs made via a third party, such as a solicitor, are permitted although organisations should satisfy themselves that the third party is entitled to act on the individual’s behalf.
Responding to SARs
Responsibility of the data controller
The Code of Practice emphasises that responding to SARs is the responsibility of the “data controller”. A data controller is a person who determines the purposes for which and the manner in which personal data is processed. There may be circumstances in which the data controller uses the services of a “data processor”, namely a person who processes data on behalf of the data controller such as where, for example, an employer uses a third party processor to analyse its information relating to staff remuneration.
Data controllers are not permitted to extend the 40-day limit for complying with a SAR on the grounds that they have to rely on a data processor to provide the necessary information. Accordingly, data controllers should ensure that they have contractual arrangements in place with any data processor whom they engage to guarantee that SARs are dealt with properly, irrespective of whether they are sent to the data controller or the data processor.
Where an individual is “a disabled person” for the purposes of the Equality Act 2010, namely where the individual has a physical or mental impairment which has a substantial and long-term adverse effect on their ability to carry out normal day-to-day activities, employers have a duty to make “reasonable adjustments” to prevent the individual from suffering a substantial disadvantage as a result of the disability in question.
In the context of responding to SARs, it may be necessary for organisations to make any or all of the following (non-exhaustive) list of adjustments where the person making the SAR is disabled for the purposes of the Equality Act 2010:-
treating a verbal request for information as though it were a valid SAR where the individual concerned has difficulty communicating in writing;
documenting complex requests in accessible formats and sending the request to the individual to confirm the details; and
responding to the request in a format accessible to the individual such as Braille, large print, email or audio format.
In some sectors, it may not be unusual to receive bulk requests or high numbers of SARs in a short period of time. Whilst recognising that this can clearly be very time consuming and drain resources, the Code of Practice reminds organisations that SARs made in bulk requests have the same legal status as SARs made individually and the purpose for which a SAR is made does not affect its validity or the data controller’s duty to respond to it.
The Code of Practice suggests that in order to respond effectively to SARs it would be good practice for organisations to:-
Publish guidance on their website confirming the 40-day time limit, and ensure that each request is acknowledged in writing and that the person making the SAR is informed of the date by which a response must be provided. Any delays in responding should be explained to the person making the SAR together with an estimate of the expected date of response.
Include with the response to a SAR an explanation of the searches carried out to deal with the request and the information revealed by those searches, thereby enabling the person making the SAR to understand whether they have received all of the information they are entitled to.
Keep an updated log of all SARs received and copies of information both supplied to the person making the SAR and withheld, together with an explanation as to why any information was withheld.
Finding and retrieving the relevant information
Difficulty of access and effort involved
The ICO emphasises that organisations may not exclude information from their responses simply because the information is difficult to access. The Code of Practice states that organisations should be prepared to make extensive efforts to find and retrieve requested information, although it does acknowledge that the DPA provides that the obligation on data controllers to supply personal data does not apply where supply of the information “is not possible or would involve disproportionate effort”.
The ICO stresses that organisations should only rely on the “disproportionate effort” exemption in the most exceptional of cases and that it rarely hears of instances where an organisation could legitimately use this exception as a reason for denying access to personal data. It also suggests that it will never be reasonable to deny access to the information requested merely because responding to the request may be labour-intensive or inconvenient.
Clarifying the request
Organisations may ask the person making the SAR for information reasonably needed to find the relevant personal data and need not comply with the SAR until they have received it. However, it is not acceptable to delay responding to a SAR unless the organisation reasonably requires more information to help it find the relevant data.
Furthermore, the Code of Practice states that data controllers cannot require those making the SARs to narrow the scope of their requests. Individuals are entitled to request “all the information” held about them. The data controller may, however, ask the individual to provide information about the context in which information about them has been processed and about likely dates when processing occurred.
Examples of the type of information which it may be reasonable to request include information about the type of electronic data being sought (such as letters or emails) and an indication of the dates when the data was created. This type of information may allow the organisation to identify whether the requested information has been deleted or archived (either printed off and held in a manual data archive, or removed from its “live” electronic data systems and held in an electronic archive).
Archived information and back-up records
The Code of Practice notes that, where electronic information has been archived, it has generally been retained in some form in case it is needed in the future. Accordingly, organisations should be able to find such data, perhaps with the help of location information from the person making the SAR (which is more likely to be needed where search mechanisms for archive and back-up systems are less sophisticated than those for “live” systems), and provide it in response to a SAR.
The Code of Practice states that the ICO does not expect organisations to reconstitute deleted electronic information - information which an organisation has attempted to permanently discard with no intention of ever trying to access it again - where doing so would involve expensive technical expertise.
As the Code of Practice states, however, this does not mean that information to which those making SARs are entitled is limited to information which it would be easy for the organisation to find. In the context of emails, for example, emails should not be regarded as deleted simply because they have been moved to a “Deleted Items” folder.
The Code of Practice suggests that in order for organisations to be effective in finding and retrieving information in response to SARs, it would be good practice to:
Provide an optional standard form for making SARs which invites the person making the SAR to give details of the specific information requested and therefore helps to narrow the scope of requests. Subsequent clarification can then be sought if needed.
Have in place an “information asset register” which states where and how personal data is stored, enabling the information to be located more quickly.
Have in place documented retention and deletion policies regarding personal information held which outline the different retention periods which apply to different classes of information.
Have in place a process for monitoring SARs where a high volume are received which may involve, for example, the relevant team holding weekly meetings to discuss progress and delayed cases.
SARs which involve other people’s information
A data controller is not obliged to comply with a SAR where it cannot do so without disclosing information relating to another individual who can be identified from that information, unless
the other individual has given their consent to the disclosure of the information to the person making the SAR; or
it is reasonable in all the circumstances to comply with the request without the other individual’s consent.
The Code of Practice makes clear that decisions about disclosing third party information should be made on a case by case basis and not on the basis of a blanket policy. It also makes clear that organisations cannot refuse to provide information simply because it was obtained from a third party.
The ICO advocates a three step process for assessing whether to disclose information relating to a third-party individual. Further guidance on this is also contained in the ICO’s guidance on “Access to information held in complaint files”. [1]
Step 1 – Does the request require the disclosure of information that identifies a third party? This will entail consideration of whether disclosure would reveal information relating to and identifying a third party individual. For example, if an employee requests a copy of their HR file, even if a particular manager is only referred to by their job title, the individual is likely to be able to identify them based on the information already known to the requester. As the obligation for disclosure relates to information, not documents, it is permitted to delete names or edit documents if the third party information does not form part of the requested information.
If it is impossible to separate the third party information from the requested information and still comply with the request, steps 2 and 3 must be considered.
Step 2 – Has the third-party individual consented? There is no obligation to obtain consent and in some circumstances it will clearly be reasonable to disclose without trying to obtain consent, such as where the person making the SAR will already be aware of the information. It may not be appropriate to seek consent if doing so would involve disclosure to the third party individual of the personal data of the person making the SAR.
Step 3 – Would it be reasonable in all the circumstances to disclose without consent? In making this assessment the ICO considers the following factors are likely to be relevant (in addition to those listed at Section 7 DPA):
whether the third party’s information is already known to the person making the SAR or publicly available; and
the importance of the information to the person making the SAR.
There are special rules regarding access to health, educational and social work records.
It is also good practice to keep a record of the organisation’s decisions with regard to third party information and the reasons for it.
The format in which information should be supplied
Information disclosed in response to a SAR must be provided in permanent form unless it is not possible, doing so would involve disproportionate effort or the person making the SAR agrees otherwise. It is therefore good practice to check in what form the person making the SAR wishes to receive the information.
The Code of Practice points out that requests do on occasion ask for certain personal data, such as domestic energy consumption data, to be supplied in an “open re-usable format”, such as a Comma Separated Value (CSV) format. This format makes it easier for the data subject to re-use the data. The ICO encourages organisations to consider disclosing data in open re-usable formats “for appropriate datasets” but recognises that the cost and practicality of doing so must be taken into account.
Given that the DPA provides a right to see the information constituting personal data, rather than copies of the actual documents containing the information, it is not strictly necessary to provide copies of original documents, although that will often be the easiest way to effect the disclosure required. Organisations may, for example, provide transcripts or extracts of relevant documents or print outs of the relevant information.
The information provided in response to a SAR must also be disclosed in an “intelligible form”. The ICO suggests this means that the information should be understandable by the average person, but that it does not require organisations to provide the information in a form that is intelligible to the particular person making the SAR. For example, the ICO states that, if data is being disclosed which uses coding, such as “A” or “M” to signify whether an individual attended or was absent from a training session, the organisation must explain how the coding works. Conversely, if it was disclosing handwritten notes which were difficult to read, the organisation would not be obliged to provide a typed up copy of those notes.
The Code of Practice suggests that it would be good practice for organisations to:
Enable customers, where appropriate, to access their personal information free of charge by using a secure website. This has the benefit of reducing the number of SARs the organisation is likely to have to deal with.
Implement procedures enabling those making SARs to view the requested information on the organisation’s premises if it is voluminous or requires further support.
Stamp hard copy documents supplied in response to a SAR to help identify the source of any further disclosure of the information, should that be necessary.
The DPA establishes certain situations in which a data controller will not be obliged to comply with a SAR. Of particular interest to employers may be the exemption under paragraph 5 Schedule 7 DPA which exempts data controllers from complying with a SAR where personal data is processed for the purposes of management forecasting or management planning to assist the data controller in the conduct of any business or other activity to the extent to which complying with the SAR would be likely to prejudice the conduct of the business or activity.
The Code of Practice cites the example of an organisation whose management is planning a reorganisation which may involve a number of redundancies and which receives a SAR from an employee before the plans are revealed to the workforce. The Code of Practice suggests that, when responding to the request, the organisation would not be required to reveal its plans to make the employee redundant if doing so would likely prejudice the conduct of the business by, for example, causing staff unrest in advance of a formal announcement of its plans.
Legal advice and proceedings
The Code of Practice notes that there have been suggestions that recent case law provides authority for organisations to refuse to comply with a SAR where the individual is contemplating or has begun legal proceedings. [2]
The Code of Practice states emphatically, however, that the ICO does not accept this view and that there is nothing in the DPA which either permits organisations to refuse to supply information in response to a SAR because it is requested in connection with actual or potential legal proceedings, or which limits the purposes for which a SAR may be made.
The ICO does, however, recognise that the courts have discretion as to whether or not to order compliance with a SAR. If a court believes that disclosure of information in connection with legal proceedings should more appropriately be determined by the Civil Procedure Rules, it may refuse to order the disclosure of personal data. However, the ICO emphasises that just because the courts may choose not to order the disclosure of an individual’s personal data, it does not mean that the DPA does not require an organisation to disclose it.
Ten step guide
Finally, appended to the Code of Practice is a guide on “Ten simple steps to understanding subject access requests” which provides a useful summary of the basic rules regarding SARs. [3]