Data protection is not just about how your business processes and protects personal data; it gives individuals certain rights over their personal data.
One such right is the right of access – this means an individual can ask for a copy of their data. To do this, they make a subject access request (SAR). However, as there is no set form that a subject access request should take, businesses need to be able to spot when a SAR has been made and respond to it accordingly and, in most instances, within one month of the request being made.
According to the ICO, the common complaints they receive in relation to SARs are:
Not only is it vital businesses handle SAR in an appropriate manner, as failure to do so is likely to lead to a breakdown in the relationship with the individual and a lack of trust and confidence in the business, but the ICO has recently reported that it plans to take action against organisations in both the public and private sector who have failed to respond to SARs within the statutory deadline or at all, notably the Ministry of Defence, which has a backlog of around 9000 SARs dating back to March 2020.
Here are our top 10 tips to help you respond efficiently and effectively.
Communication is key, even if it's simply to acknowledge the request and confirm that it will be dealt with and a further response will be provided at a later date. People complain to the ICO when they feel unheard or badly treated. If you cannot meet the deadline for responding, keep the individual updated and informed as early as possible. Ensure all communications you send are clear, concise and easy for the individual to understand and explain why certain information has been excluded or redacted.
We recommend having a privacy@ email address and contact information for all SAR's to be directed to. This avoids SAR's getting missed in individuals' in-boxes and allows the business to coordinate and manage its response.
Verify the identity of the person making the request. It's fine to ask for further information if you are unsure of the requester's identity. If the request is made on behalf of another individual, ensure you are authorised to release information to the person making the request. Note - A child over the age of 12 years old is capable of making their own SAR, and you should request permission from that child first before releasing any information you hold about them to their parents or guardians.
Diarise when your full response has to be provided to the individual and ensure you meet the deadline. In most cases, you will have one calendar month to respond to a SAR. Note – the date the request is received (even if this is a weekend or public holiday) is when the calendar month starts to run from.
Your response will be due one calendar month later; if this falls on a weekend or public holiday, you have until the next working day to respond. You cannot add extra days when the calendar month is a shorter month - for example, if you receive a request on 31 January, you should respond by 28 February.
Ask the individual what information they require. Does their request relate to specific information/categories of information, or do they want everything your business holds about them?
You cannot ask requesters to narrow the scope of their request; however, by understanding the scope of their request, you can ensure you are providing the information they actually want and mitigate the risk that unsatisfactory information has been provided. It may also save you time compiling information that is not required. Clarity on what is being requested is key, particularly with complex requests or requests involving large amounts of data.
People make complaints to the ICO when they don't know what's happening with their request. If you're dealing with a particularly large or complex SAR, you can explain to the requester you will send out information in batches and provide a timeframe, so they know when to expect this.
Checking your databases, CRM and other contents management systems is not enough; you need to consider where else data may be stored, including text messages, WhatsApp, tablets, portable memory sticks, and call recordings. You should consider whether you operate a bring-your-own-device policy – if so, have all devices been checked for personal data? You must search for all the information you possess on the individual.
Before you provide information to the individual, you must review it and consider whether any information contained in the documents relates to a third party. Note - Personal information of a third party should not be disclosed. If there is any information relating to a third party, it should be blacked out, or a new document should be created that only contains information relevant to the individual making the SAR request.
When redacting information, you must ensure that the individual cannot reverse or see the redacted information, as this would amount to the unauthorised disclosure of another person's personal data. Where you can't separate the relevant data from another person's data, you should consider the impact of the third party's data on the requester. If you consider there will be a negative impact on the third party, then you may withhold the information from the response, but you should make a note of your reasons for doing so.
If the request was made by email, your reply should be sent to the same email address unless the individual has specifically asked you to send your reply by another method or to a different address. You should also check the format in which they'd like to receive the information and ensure that when emailing responses, you use a secure method to share the data with the individual only and ensure your response includes all required privacy information. Keep a dated record of the information you have sent (in case they are unhappy with the response or for reference if they make another request soon after).
You are only able to refuse a SAR in limited circumstances, for example, if the request is excessive. This can occur where a request repeats or overlaps significantly with a recent previous request or where a request is unfounded or unreasonable. A request may be unreasonable or unfounded where you have reasonable grounds to believe the requester is not really interested in obtaining the information and instead is more interested in interrupting or causing expense to your business. A particularly large request is not excessive simply because it is large. Note Where you decide to refuse to respond to a request, ensure that you keep a written record of your decision-making.
The ICO has various tools to ensure businesses comply with data protection legislation. These include assessment notices, reprimands, enforcement notices and penalty notices (fines). For the most serious breaches, the ICO has the power to levy a fine of the higher amount of £17.5 million or 4% of a company's annual global turnover.
It is more important than ever to have appropriate measures in place not only to deal with data processing and protection, but individual rights and that all members of your business follow these measures in practice. The ICO has recently investigated TikTok (TikTok Inc and TikTok Information Technologies UK Limited) and found that from May 2018 to July 2020, TikTok processed children's data without appropriate parental consent, failed to provide proper information to its users in a concise, transparent and easily understood way and processed special category data without the legal grounds to do so. The ICO has served a notice of intent on TikTok, which, subject to TikTok's representations that the appropriate standards were met during that period, could lead to TikTok facing a fine of £27 million.
Breaking News – The ICO’s verdict is in and TikTok has been fined £12.7 million for failing to protect the privacy of children. Whilst this is one of the largest fines issued by the ICO it’s still less than half the amount that we anticipated the ICO to fine.
The Information Commission Mr John Edwards stated “TikTok should have known better. TikTok should have done better. Our £12.7m fine reflects the serious impact their failures may have had. They did not do enough to check who was using their platform or take sufficient action to remove the underage children that were using their platform.”
The fine should serve as a warning to all platform operators to ensure they have the correct processes in place.
If you have any questions or would like more information regarding dealing with SARs or assistance with your data protection policies and processes, you can speak with our Data Protection Solicitors.
