How to handle data subject access requests under the UK GDPR
This blog post is a short(ish) guide to the core issues in handling subject access requests under the UK GDPR.
If you have received a request and you are not sure where to start, this will help you get going.
What is a subject access request?
Under the UK GDPR, data subjects - the individuals about whom you process personal data - have a number of rights.
One of those rights is the right to ask for a copy of the personal data you are processing about them, and some supplementary information.
This is commonly known as a "subject access request".
How can someone make a request?
Seemingly, however they want. There is, for example, no requirement within the UK GDPR that a request is valid only if it is in writing.
My view is that it is risky to attempt to reject a subject access request because of the manner in which it has been made.
However, I note that the EDPB - the European Data Protection Board - says in its own privacy notice that:
In principle, we cannot accept verbal requests (telephone or face-to-face) as we may not be able to deal with your request immediately without first analyzing it and reliably identifying you.
I am sceptical that this is consistent with the UK GDPR, especially the requirement to "facilitate" the exercise of data subject rights. To my mind, this would include taking a phone message and passing it to someone to deal with, even if that entails asking the data subject to identify themselves suitably, and then verifying their identity to the appropriate standard (see below).
It would be sensible to ensure that all staff are trained in recognising a subject access request, with particular emphasis on staff in customer-facing roles, including those responsible for your organisation's social media accounts. A request does not need to use the words "subject access request", or cite the UK GDPR, to be valid.
Can we require someone to complete our form?
You can offer a form, and it might be easier if the data subject completes it, but you cannot reject someone's request because they have not completed your form.
Identifying and verifying the data subject
Identifying the data subject
You need to be able to tell who someone is, when compared with the data you are processing, to give effect to their subject access request.
You can ask them to provide the information that you reasonably need to identify them, if you have reasonable doubts about their identity, such as if their identity is not apparent from their initial communication with you.
For example, if you have two customers called "Neil Brown", you need to identify to which one the request relates.
If you are not in a position to identify the data subject, you are entitled to refuse to act on the request.
You do not have to collect personal data solely for the purpose of enabling you to identify an otherwise-unidentifiable data subject.
Verifying the data subject
In addition to being able to identify a data subject, you should verify their identity to an appropriate standard.
The distinction between the two things is that identification means linking the person making the request with the data you are processing, while verifying them means ensuring that they are who they say they are.
For example, if you have identified to which Neil Brown's data the request relates, verification is the process of determining, to an appropriate standard, that the person making the request is that Neil Brown.
If you do not verify the data subject, you run the risk that you are dealing with a fraudster, trying to obtain someone's personal data illegally.
What is appropriate for the purpose of this verification will depend on the systems at issue, and the risk associated with the request they are making. Proportionality cuts both ways: demanding a passport scan from someone writing from the email address already on their account is likely to be excessive, and every copy of an identity document you collect is new personal data which you must then store securely and delete once it has served its purpose.
You may find that some data subjects refuse to provide information to enable you to verify them. You might wish to point them to Article 32 of the UK GDPR, which contains your legal obligation to take appropriate technical and organisational security measures, as long as what you are asking for is appropriate.
Working out what you need to do
A copy of their personal data undergoing processing
Half of the right of access is a right to obtain a copy of personal data undergoing processing.
Importantly, since it is a right to a copy of personal data, it is not a right to obtain copies of documents (unless those documents are, in themselves, personal data):
"The claimant has no right to documents, nor does he have a right to know the full contents of documents. His right is to the information in personal data ... Information can be presented in intelligible form without the need to provide its full context, or even the whole of the sentence in which it appears." (Rudd v Bridle)
It may be more convenient for you to provide full documents (for example, copies of email), but it is not a requirement.
Instead, you could extract only the personal data, and provide those.
The data subject might complain, especially if they are using the subject access request process in lieu of waiting for discovery in litigation (for example), so making sure you are getting it right legally is important.
Inherent in this exercise is having a clear understanding of what constitutes "personal data". In some cases, this will be relatively easy - for example, the data subject's name - but, in other circumstances, it can be trickier.
In addition to a copy of the personal data undergoing processing, a data subject is entitled to some supplementary information about the processing of their data:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
If you maintain a record of processing activities (as Article 30 of the UK GDPR requires of most controllers), your life will be a lot easier: most of the items above should already be in it.
Similarly, some of this information will (or, at least, should) already be included in your transparency information, so you may be able to lift some of what you need from there.
When it comes to providing information about recipients of the personal data, the UK GDPR permits you to provide "categories of recipient". Different people have different views as to whether you should only use this as a fallback, and as to how specific those categories must be.
In terms of the source of personal data, you are required to provide "any available information". This is broader than the requirement relating to recipients. If the source is an individual, you will need to provide their data unless a suitable exemption applies.
Can you ask for clarification?
Yes, but it needs to be genuine, and reasonable, clarification.
In principle, and subject to exemptions, a data subject is entitled to a copy of all personal data which you are processing about them.
Depending on what you do, and for how long you keep their data, this could be a lot of personal data, and responding to their subject access request could be burdensome. That burden is unlikely to excuse a failure to respond in time.
Conversely, you are not required to undertake an exhaustive search for every last scrap of someone's personal data: the emphasis again is on undertaking a reasonable and proportionate search.
If a data subject is asking for specific information, it may be reasonable to ask them to assist you in locating it. What this means in practice will depend on your processing activities, and the nature of the request.
There is a difference between asking for clarification to help you find information, and insisting that a data subject limits the scope of their request to reduce the burden on you. This latter approach is unlikely to be seen as compliant.
How you must provide the information
If the data subject makes their request by electronic means, you must provide the response by electronic means "where possible", unless the data subject has asked you to use some other means.
In addition to your obligations under the data protection framework, you should also consider obligations under the Equality Act 2010.
How long do you have to respond?
As with all of the rights under the UK GDPR, you are obliged to take action without undue delay, and, in any event, within one month of receipt of the request.
In other words, you'll need to get your skates on. Do not leave it to the last minute.
That period may be extended by two further months (making three months from receipt, in total) where necessary, taking into account the complexity and number of the requests. If you do extend, you must tell the data subject that you are doing so, and why, within one month of receiving the request. As the right of access is a key part of the framework, expect the scope for extension to be interpreted narrowly.
Are there exemptions?
Yes. There are a number of exemptions from the right of access, including exemptions relating to:
- national security (see my blog post on the scope of this exemption)
- the prevention and detection of crime
- information subject to legal professional privilege
- management planning and forecasting
- confidential references
None of these offers a complete "get out of jail free" card, and each will entail careful, case-by-case, consideration. As with an extension of time - indeed, probably more so - since applying an exemption restricts the exercise of one of the data subject's key rights, exemptions are likely to be interpreted narrowly.
From an accountability point of view, keeping a reasonable note of what exemption you have applied to what data, and why, would be sensible.
Can I charge for a subject access request?
You must give effect to someone's subject access request, and provide the information you are required to provide, free of charge.
If, however, requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, you can either:
- charge a reasonable fee (taking into account the administrative costs of providing the information or communication or taking the action requested); or
- refuse to act on the request.
The onus is on you, as the controller, to demonstrate that the request is manifestly unfounded or has an excessive character.
(Under the previous data protection regime, you could charge for subject access.)
There is a lot of information about the right of access on the Information Commissioner's Office's website.
See also my article for the Society for Computers and Law on the case of Rudd v Bridle.