So what DO I have to provide when I receive a subject access request?
With conflicting advice still available on the ICO website, there seems to be a lot of confusion around exactly what a data subject is entitled to when they exercise their right of access under GDPR.
Many data subjects still seem to think that this right entitles them to receive a full copy of their file free of charge, when actually that will not be the case 99.9% of the time.
The Right to Be Informed
Individuals have the right to be informed about the collection and use of their personal data, including:
The purpose for processing the data and how you will process the data
The retention periods you will apply
Who you will share the data with.
You provide this information in your privacy notice, which should be given at the point of collection, and you should also provide a link to it on your website.
The Right of Access
Individuals have the right to access their data, and can make a ‘subject access request’ verbally, in writing or even via social media (don’t forget to check your tweets!).
You now have one calendar month instead of 40 days to respond to the request, and you can no longer charge a fee.
The data subject is entitled to:
Confirmation that you are processing their data
A copy of their ‘personal data’ (we will come back to this in a minute!)
Other ‘supplementary’ information which is basically the information you provide in your privacy notice.
But what exactly does ‘a copy of the data’ mean? You will be pleased to know that by and large this does not mean that they are entitled to a copy of the entire file of papers. A ‘copy of the data’ is basically that, a list of the data fields that you process, which can identify the data subject (name, address, date of birth etc.).
Where it becomes slightly complicated is that if it is possible to identify the data subject from other information you are processing, then that information may also be personal data. In a recent ICO live chat I was given the example of where you hold on file an email from an individual complaining about the data subject. Whilst I did engage in a long debate with the representative about whether this would be appropriate for a law firm to disclose, or potentially for an employer to disclose where an investigation was being carried out, for example, the conclusion from the ICO was that I would need to consider this type of document carefully and make a decision about whether there was a valid reason to withhold the document or not.
In situations where you are simply instructing a third party, for example a letter to an expert which sets out the name, address and contact details of the data subject but is otherwise just a business-to-business communication giving instructions on work to be carried out, a copy of this letter would not need to be provided.
Review the types of communications you will have on your files. If any of them ‘could’ fall within the definition of personal data, make sure your staff are aware that they should consider these and flag them to the DPO for confirmation of whether they need to be included in the response or not.
Data subjects can only be given a copy of their own data – an individual cannot request information on behalf of a partner for example.
If a data subject requests something specific, for example a copy of a specific email by date or a copy of a specific call recording then you should look to provide this.
You should ensure your staff are trained to recognise a request (remember social media!).
You should have a documented process and should keep a log of all requests.
The ICO’s Subject Access Request Code of Practice has not been updated for GDPR yet.
99% of the requests you receive will be straightforward, but for that 1% that you maybe aren’t so sure about, remember you can ‘Ask Teal’ by contacting us through our website or emailing email@example.com. We don’t keep business hours; we are available evenings and weekends to give you the advice and guidance you need to get a good night’s sleep!