Subject access requests
William Cursham argues that subject access requests could place a greater burden on organisations' time, given their increasing prevalence
Litigation is a very expensive and time-consuming process. One of the most expensive parts of it is disclosure, where the parties disclose to each other all the relevant documents that they control.
Since this process places such a heavy burden on the parties, there are strict court rules governing it.
However, there is a way that individuals can short-circuit this process and force an organisation to disclose documents, even where court proceedings have not commenced: section 7 of the Data Protection Act 1998 (DPA).
Section 7 provides individuals with “subject access rights”. These rights were intended to provide individuals with access to information about how organisations such as credit reference agencies and insurance companies obtain, process and share their “personal data”.
However, section 7 also enables an individual to obtain copies of this personal data in hard form, and it is this provision that individuals are using to force organisations to provide documents that they hold about an individual.
These “subject access requests” (SARs) place a heavy burden on organisations, particularly as the timescales are tight. Once an organisation receives a valid SAR, it will have to provide copies of all personal data promptly and, in any event, within 40 days of the request.
A valid SAR cannot be ignored. Failure to comply with a request could result in the Information Commissioner’s Office (ICO) investigating the organisation, and perhaps imposing a fine.
Alternatively, the organisation might end up with a court order against it, requiring it to comply with the request.
What to provide
It is possible to receive an SAR from any individual on whom information is held. That could be an employee, a customer or even a contact.
The first thing to do on receiving such a request is to work out whether that information is personal data. The DPA defines personal data as information that:
• relates to a living individual;
• allows the individual to be identified from that information, either on its own or in conjunction with other information held; and
• includes an expression of opinion about the individual, or an indication of a person’s intentions in respect of that individual.
Invariably the definition of personal data is open to different interpretations.
On the one hand the courts take a narrow view of what personal data means, stressing that the information must include an expression of opinion about the individual.
On the other hand, the ICO takes a much wider approach, emphasising that personal data is simply information that is obviously about the individual, or is linked to the individual.
However, it does not matter who is right, since an individual has recourse to the courts or the ICO if an SAR is not complied with, and each will apply its own approach.
In reality, therefore, the safest and most practical thing is to assume that any document that refers to an individual is personal data.
The next thing to do is search for this personal data. This means an extensive search of all information held electronically, whether on a system or in an archive. However, deleted documents do not have to be retrieved, unless they still exist in “deleted items” folders. A search will also have to be made of any paper files if they are organised with a comprehensive indexing and tabbing system.
What shouldn’t be provided
Following the search, it is likely that a large bundle of documents containing personal data will have been amassed. However, they should not be provided to the individual without first sifting out personal data that also contains personal information about another individual. This may be another customer, or an employee.
In the first instance, the other individual’s consent should be sought. However, even if that individual’s consent cannot be obtained, the information should still be provided if it is reasonable in all the circumstances to do so.
There are also a number of other types of documents that shouldn’t be provided, in particular:
• management information – where the data is processed for management forecasting or management planning, and complying with the request is likely to prejudice the business or other activity of the organisation;
• negotiations with the individual – data that consists of a record of a party’s intentions in negotiations with the individual. An example of this would be an internal memo that one party produces, recording internal discussions about any settlement, and the maximum amount that they are willing to pay as compensation to the individual; and
• legally privileged documents – correspondence between a party and their legal advisers. This extends to correspondence and documents passing between them, their legal advisers and third parties where litigation is contemplated or in progress.
SARs are a shortcut to disclosure, and they place serious burdens on organisations in terms of time, effort and money.
While in the short term it is sensible to seek legal advice when one is received, in the long term it is worth training up one or more employees on how to deal with them.
Top tips
• Subject access requests may be comparatively rare, but they are increasing and they must be responded to promptly and, in any event, within 40 days.
• Given the different interpretations of personal data, it is probably easier and safer to provide all documents that refer to the individual, but do not provide unnecessary documents.
• Train up a member of staff in subject access requests and how to deal with them. In the long run this will be more cost-effective than referring to lawyers.
• Never put something about an individual in an e-mail or other document that you wouldn’t be prepared to shout out across a crowded room.
William Cursham is an associate at Gateley Plc