If your charity has already been in receipt of a “subject access request” from a difficult or demanding individual, or perhaps an employee in unfortunate circumstances, then you will need no reminding of how burdensome (and time-consuming) it can be. Here follows a quick reference guide to this troublesome procedure.
Given the limited resources of many charities but the need for all organisations in the sector to justify expenditure, dealing properly with these requests can seem wholly disproportionate. Yet, because of the need to protect confidential or privileged information or the private data of third parties, full and open disclosure is often not an option – so there tends to be no quick way out. Careful consideration of documents, page-by-page, is often necessary.
If you are one of the lucky organisations yet to receive a really tricky request, you cannot expect that this will remain the case forever: public awareness is ever growing, and this area of law attracts people of limited means who wish to cause maximum disruption. However, you can make sure you are well prepared.
Where does the "Subject Access right" come from? Is it the same as Freedom of Information?
The Data Protection Act 1998 (DPA) is intended to protect the privacy of individuals by regulating the use of their "personal data" – as opposed to Freedom of Information (FOI), which concerns all other types of information (but is subject to wider exemptions). Unlike FOI, the DPA subject access right does not apply just to public authorities but to any “data controller”: broadly, that means an organisation that holds people’s personal data. The DPA is enforced by the Information Commissioner's Office (ICO) or on occasion the Courts.
What is “personal data”?
"Personal data" is defined by the DPA as including all electronically held information (and some in hard copy – see further below) which "relates to" an identifiable, living individual. This includes expressions of opinion about that individual, or the intentions of any person towards them, as well as anything more obviously “biographical” (address, personal history etc.). The ICO takes a broad and inclusive view of this definition.
What is a "Subject Access Request"?
Under the DPA, individuals have the right to know what personal data about them is being held and used by organisations – subject to certain limitations and exemptions – and for what purpose, as well as certain information about the source of that personal data (and any disclosures of it). A "Subject Access Request" (SAR) is the way individuals can access it.
What information has to be disclosed?
A SAR provides access to the individual's own "personal data" held on your systems, or parts of documents that comprise it: emails, letters, spreadsheets are all caught. But it is not the same as the right to disclosure of documents in a court case, and does not extend to any and all evidence relevant for a person’s claim or complaint (or other matters of personal interest to the requester). Hence it will not always mean handing over original copies of documents wholesale, even if doing so is sometimes a labour-saver.
You will also need to provide general information like why you hold the personal data, where you got it from, and who (generally speaking) receives it – inside the organisation and out.
How must we provide the information?
Individuals are also entitled to a "permanent copy" of the data held, unless doing so would entail "disproportionate effort" (but the ICO is strict on what this means – it cannot be used to limit the scope of the search in the first place). This data must be communicated in “intelligible form”: that could mean transcribing it, or giving a faithful description, rather than using the exact form as it appears on your systems. However, the method of disclosure must not alter the nature (and meaning) of the information as you hold it.
What are the formalities for a valid SAR?
A SAR must be made in writing, but do not need to follow a specific form nor even mention the DPA. Organisations can request (i) payment of a fee of up to £10; and (ii) any information reasonably required in order to locate the data sought (e.g. what relationship the requester has to the organisation, if this is not immediately obvious, or how to find what they are looking for – for example if CCTV footage is requested). Organisations will sometimes need to confirm the identity of the individual, including if they are using a third party or lawyer to make the request.
What are the time limits for compliance?
Organisations must respond “promptly” but in any event within 40 (calendar, not working) days, starting with the date on which the SAR is received; or, if later, the date on which the fee or other confirming information referred to above is received. However, the ICO frowns on organisations which deliberately delay a request in this way to artificially extend the deadline.
Do hard copy records need to be searched?
Generally, the DPA (and the Subject Access right) apply to hard copy records only if they are held in a "relevant filing system" (i.e. are sufficiently well-organised to give easy access to specific information about an individual). No-one would recommend keeping a deliberately disorganised file, but hard copies in storage boxes and random or even chronological files are likely to fall outside what the DPA regulates.
What if the information identifies other people?
Real care needs to be taken in this area, as disclosure of information which also relates to a third party may be undesirable and may even give rise to a breach of confidence or the DPA towards that other person. Where personal data about the person making a SAR also constitutes "personal data" about another person, a data controller is not obliged to disclose it in response to a SAR unless:
• the third party has consented; OR
• it is "reasonable in all the circumstances" to disclose without consent (and if it is, you must disclose it unless some other ground applies).
The latter question must take the whole picture into account, including: the likely or express views of the third party; any obligation of confidentiality owed to them; whether it is sensitive personal data; and whether the applicable information will be in the general knowledge of the requester anyway (e.g. if they were at the relevant meeting, or a witness to an incident being described). However, one cannot simply assert that information personal to the requester is confidential to one’s organisation, or its senior management. Generally, the more senior a person is at the organisation, the more likely it is they should be identified.
It should also be remembered that even if a third party’s identity needs to be protected, that does not stop the requester being entitled to see as much of their information as can be provided without identifying that third party.
Are there any other exemptions to the Subject Access right?
Yes: for example, information may be exempt from disclosure if it is legally privileged (though this is not always a straightforward question and may require legal advice in itself).
There are other exemptions involving some types of confidential reference; strategic negotiation with the requester; and specific circumstances around law enforcement, social work, regulatory activity, or a person's medical or educational records. However, these exemptions are often complex, narrow, or subject to conditions.
Do bear in mind, however, that frequently the information requested will not be that person’s personal data – even when retrieved by a search by reference to the requester’s name. This is perhaps the easiest test for organisations to apply themselves, but the most often forgotten.
But we are just a charity! Is there any room for proportionality in all this?
Regrettably little: it is a wide right, blind to motive or cost, and the ICO interprets it strongly in the individual’s favour. Although the courts have at times been more considerate to organisations (in how they define personal data, for example, or how much it costs an organisation, or whether the requester has an ulterior motive), this is uncertain – and of course by the time the court is involved the expense is already multiplied. However, the ICO can be reasonably understanding of the burden. More important than getting all the data on time or at the first time of asking is to engage, and show willing.
It is often worth asking the individual to help you out by narrowing the search to what they really want, so you can get it to them quicker. Even if they are inflexible, the ICO is less likely to criticise an organisation when the record of correspondence shows that it was trying hard to the best of its resources to please a demanding and aggressive individual.
What are the consequences of non-compliance with a SAR?
For charities, reputation is a priceless asset – and run-ins with regulators are highly undesirable. ICO Enforcement Notices for non-compliance are published on the ICO website and often picked up by the media, and such incidents would be expected to be reported to the Charity Commission.
Individuals who are dissatisfied with an organisation's response to a SAR may complain to the ICO, which will routinely investigate and (generally giving the organisation a chance to state its case) and offer its view on whether the organisation is likely to have complied fully with the DPA. If the ICO considers not, it may simply ask the organisation informally to reconsider, with no further consequences. However, a tenacious individual can make mischief with such a finding; and even if it takes no action, the ICO will keep a “rap sheet” which could have an impact on how future complaints are dealt with.
Alternatively, and less frequently, the ICO may issue a formal Enforcement Notice (failure to comply with which is a criminal offence), enforce powers of audit to search your systems, or require the organisation to give a public undertaking committing to do better in future. Although historically slow actually to fine charities, despite taking a harder line with them in recent months, the ICO may in theory impose monetary penalties of up to £500,000 for breaches of the DPA (though we have yet to see one for non-compliance with a SAR).
Instead of (or perhaps alongside) complaining to the ICO, individuals may apply to the Court, which can order organisations to comply with a SAR, and/or to pay compensation if the individual has suffered damage or distress as a result of the organisation's breach of the DPA. So non-engagement is never a sensible option.
How can we be better prepared next time?
There is nothing like a really punishing subject access request to make organisations, and in particular charities, have a proper soul-search about how it organises its files, retention periods, and its staff policies on committing thoughts to email or digital files. This is really a question of good data protection practice generally, but clear considerations include:
• “Data minimisation” and regular review and deletion of unnecessary files, documents and messages (because it is too late to do this once the SAR has come in!);
• Keeping a professional tone and not putting anything in an email that you would not say to someone’s face;
• Copying in legal advisers (in house or external) for really tricky questions about “problem” individuals that require advice; and
• Making sure a clear policy is in place where an appropriate and experienced person takes hold of the request early, establishes a healthy communication with the requester.
Failure to keep on top of any of these things will ensure that 40 days suddenly does not seem nearly long enough. This response period is being slashed to 30 days from 25 May 2018.
Where can we get more information?
The ICO has published extensive guidance on the Subject Access right (available on its website, www.ico.org.uk), including in its "Subject Access Code of Practice" (also available on the website). Naturally, ICO guidance reflects the ICO's own interpretation of the law. For our own take, click here to read our regular newsletter Information Matters, providing updates, commentary and thoughts on cases, trends and issues within this area of law.
If you require further information on anything covered in this briefing please contact Owen O'Rorke(firstname.lastname@example.org) or your usual contact at the firm on 020 3375 7000. Further information can be found on the Charities page of our website.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, January 2017