Focus on Data Protection Act Subject Access Requests

It would be fair to say that way back when I started out as a commercial lawyer, a great many of us (me included) did not really worry overmuch about data protection.

All that has now very much changed and today data protection and privacy generally are right up there and constantly in the news as big issues for individuals, society, governments and definitely now for businesses. Indeed, for some major businesses this is probably one of the largest and most complex legal issues now facing them.

The focus of this note is the important right of an employee (or of any individual) to demand details of the personal data held about them by an organisation.

From the individual’s perspective this can be a jolly good thing: for a maximum cost of only £10 he or she can require the organisation to disgorge details of all of the information it holds about them. This can be an extremely powerful tool in relation to any prospective employment-related issues or litigation.

However, from an employer’s perspective this can be highly problematic, especially if the employer does not understand the precise nature of its obligations and how to respond to such a request.

What is the nature of the legal duty? In essence, the employer must first identify and locate all personal data held by the employer relating to the individual and then provide the individual with details of that data (in the form of an intelligible copy) together with details of the purposes for which the information is being used, its source and who receives it, all within 40 days.

The standard which the employer is expected to meet in discharging this obligation is very high and common difficulties or pitfalls include:

  • identifying when a relevant “data subject access request” has been received, which might not be immediately evident since, as exemplified by the heading of this article, the request can be in just about any written form;
  • identifying what information is personal data and so needs to be disclosed which, on the safe side, will be any information relating to an identifiable living individual;
  • locating all of the necessary information, which can be difficult because it may be held not just in databases but also in emails, hard drives, paper files, telephones, logs and even in archive data; and
  • specific additional complications arising where the data includes personal information relating to another individual (in particular where the other individual is the source of the information) or relating to the health of the individual.

Unfortunately for employers, the legislation allows them very little latitude for failing to understand or comply with their obligation. In a few situations there may be some limited scope for requiring the individual to provide evidence of their identity or any information necessary for the organisation to be able to locate the information required. However, generally and in relation to any well-prepared request, the set 40-day time limit from receipt of the request will have to be observed.

It should be apparent that in order to be in a position to deal with any data subject request within the timeframe required, an organisation would be well advised to arrange any necessary training or advice in relation to the nature of its obligations and also to have in place any appropriate systems and procedures necessary to be ready and able to respond.

It should also be noted that the Subject Access Requests discussed in this note are just one very small element of the obligations set out in the Data Protection Act which apply to organisations which hold and process personal data. In all, the Act sets out eight important data protection principles, and policies and procedures may be required in respect of each of these.

Sydney Mitchell has recent relevant experience in advising a UK subsidiary of a multi-national group on data protection compliance in connection with a US stock exchange flotation, where data protection issues were central to the nature of the business, and also in advising another multi-national major local employer on designing and operating its procedures for Subject Access Requests, and so is well placed to give advice in this area.

Please contact our commercial team for further information or advice. Call us on 0121 698 2200 or fill in our online enquiry form.
