How to satisfy Subject Access Requests


    This information is aimed at the company providing the data in the request, as to what they must do to satisfy the request.

    Information to which Data Subjects are entitled

    Individuals are entitled to ask data controllers for information about the following matters:
    • Whether the data controller is processing any personal data about that individual and, if so, to be given:
      • a description of the personal data;
      • the purposes for which they are being processed; and
      • the disclosees, or potential disclosees, of the personal data.

    • To be given a copy of the information and to be told about the sources from which the data controller derived the information so long as those sources are available to him; and
    • The logic involved in automated decisions relating to him.

    Form of the request

    The subject access request should be in writing.
    The data controller is entitled to ask for a fee of £10 and two further pieces of information. Firstly, the data controller must satisfy himself that the person making the request is, in fact, the data subject. The use of a subject access request form is advised, since the greatest breach of a data controller's security is for the data controller to satisfy a subject access request made by a person impersonating the data subject. The use of the form goes towards proving that the data controller has adequate identification and verification procedures in place. Secondly, the data controller is entitled to ask the data subject for further information to enable the data controller to locate the information which that person seeks.
    When the last of these three pieces of information has been obtained, the forty-day period starts to run. It is advisable to put procedures in place to ensure that the receipt of the request and the further information is correctly dated so that an organisation knows how long it has to satisfy the subject access request.

    Negotiating with the Data Subject

    At this stage, it is advisable to negotiate with the data subject. The location information the data subject will have already given will give a clue as to what it is the data subject really wants to have information about. The benefit of the Data Protection Act 1998 is that it allows data controllers to negotiate with data subjects to get the data subject to specify the exact information he or she wishes to receive.
    However, if the data subject is adamant that he or she wishes to receive a copy of everything the data controller holds on him or her, then there is very little the data controller can do about this, and a completely exhaustive search of the computerised and manually held data in the organisation will be required.

    How to search systems

    If this is the case, then a request to search all databases and all relevant filing systems (manual files) which are caught by the Act must then be issued throughout the organisation. This request must include all back-up and archived files, whether computerised or manual, which fall within the application of the Act. It is usual to put a time limit on these requests.
    It is sensible to give one individual the responsibility for issuing requests for information and receiving all the returns. This will normally be the data protection officer in the organisation.
    The data protection officer will then have the job of printing out all computerised information which has been returned to him by each department. He will also have received photocopies of all relevant manual files, and will therefore sit down with two piles of paper in front of him – one of computer printouts and the other of photocopied manual files.

    Manual files

    The manual files which are caught by the Act are those which pass the two tests set out in the definition of a relevant filing system. The first test is whether the file in question forms part of a structured set. The set has to be structured by reference to individuals or characteristics relating to individuals. If the manual files are organised in alphabetical name order, or payroll number, they will form a structured set.
    If this is the case, the second test has to be applied. Does any particular file in the structured set contain sufficient internal structure so that specific information about a particular individual is readily accessible? In other words, does the file contain internal dividers or does it consist of pro-formas which are always in the same place in each file? If the answer to these questions is yes, then the file is caught by the Act.

    Third party data

    At this stage, the data protection officer then has to pretend that he is the individual making the subject access request. He has to read every single page of information to see whether it reveals the identity of a third party, when viewed from inside the head of the person making the subject access request. If the identity of a third party is already known to the data subject, then the data containing the information relating to the third party can be revealed to the data subject, because he already knows it. However, if the identity of a third party is not already known to the data subject in the context revealed by the documents, then the data protection officer has to consider whether blanking out the name of the individual, or blanking out other identifying particulars or any other material, would be sufficient to disguise the identity of the third party from the data subject. At this point, all other information which is likely to come into the hands of the data subject must be considered as well. If the identifying material can be blanked out with black marker pen and the rest of the information on that page can be handed over without revealing the identity of the third party, then this information can be included in satisfying the subject access request.
    If, however, blanking out will not disguise the identity of the third party because, for example, there is a report which has quite clearly been written by the head of the organisation, and no amount of blanking out will conceal the identity of the head of the organisation, then the data protection officer has to attempt to obtain the consent or otherwise of the third party whose identity will be revealed by handing over the information to the data subject.

    Consent

    Forty days is a very short period in which to obtain consent from numerous third parties. If your activities are likely to give rise to frequent subject access requests, for example, if you are running an investigations department, it is sensible to obtain consent from third parties when compiling reports for investigations. This will save time at a later date if and when subject access requests are received.

    Exemptions

    The next stage is to apply the exemptions. Legal professional privilege applies in two areas. Firstly, legal professional privilege attaches to any document which was created with the dominant purpose of being used in current or potential litigation. The document can be created by anybody so long as this was its dominant purpose. The second branch of legal professional privilege is any document which was brought into being in order to obtain legal advice from a barrister or solicitor. This will include documents created by third parties as part of the process of giving or receiving legal advice.
    Information in respect of informal grievances may well not be covered by legal professional privilege if the information is not the giving or receiving of legal advice from a barrister or solicitor. Lots of other people give legal advice, such as accountants, patent agents and management consultants, but none of these attract legal professional privilege.
    The next useful exemption is negotiations with the data subject. If the data controller is negotiating with the data subject at the time at which the data subject makes the subject access request, the data controller does not have to reveal his intentions if to do so would be likely to prejudice those negotiations. Once the negotiations are complete and have been put into effect, the whole file becomes subject to subject access in the normal way. Similarly, there is an exemption for information relating to management forecasting or management planning.
    Emails are subject to subject access, as are archived computerised and manual files and all back-up tapes. It must be remembered that CCTV footage and tapes of telephone conversations may also be included as personal data and must be searched on receipt of a subject access request if the data subject so requires. The compliance costs of subject access can sometimes be very high.
    Other general exemptions to subject access are national security and the prevention or detection of crime, or the apprehension or prosecution of offenders.
    Confidential references given in confidence by the data controller are not subject to subject access in the hands of the data controller, but they may well be in the hands of the recipient.
    Where the personal data contain health information, there is a duty on the data controller to consult an appropriate health professional before the information can be released to the data subject. This is to avoid disclosing information about adverse health conditions to a data subject where the disclosure may be harmful to the data subject or to another person. This requirement does not apply where the data subject has already had access to the information, or where the data subject originally provided the information himself or herself.
    If consent has not been obtained by the data controller for whatever reason, the data controller has to apply the four guidelines set out in the Act. These tests have been included in the Act to take account of the human rights case of Gaskin, where a young man had spent his childhood in the care of a local authority. When he got into his twenties, he made a request to the local authority to see a copy of his file. The local authority records relating to his time in care were considered to provide the only coherent record of his early childhood and formative years. On receipt of the request, the Council discovered that his file revealed the identities of well over a hundred other individuals. The Council attempted to gain consent from these people but in fact, after several years, had only managed to achieve consent from around half the people on the file. The case went all the way to the European Court of Human Rights in Strasbourg, and the Court considered that people in his situation had a vital interest protected by the European Convention on Human Rights in receiving the information necessary to know and understand their childhood and early development. Lack of consent from third parties should not prevent the information from being handed over.
    In summary, the four guidelines are:
    • any duty of confidentiality owed to the other individual;
    • any steps taken by the data controller with a view to seeking the consent of the other individual;
    • whether the other individual is capable of giving consent; and
    • any express refusal of consent by the other individual.

    There is no extension of the 40-day time period for obtaining consents. Failure to respond to a subject access request within the 40-day period gives rise to the ability of the individual to obtain a court order to require the data controller to comply with the request. In addition, failure to respond within 40 days will be a breach of the Sixth Data Protection Principle. Any person affected by the breach may bring an action for damages (provided they can prove loss) and any associated distress.
    Any such failure may be reported by the individual to the Information Commissioner and may well give rise to an investigation by the Information Commissioner.
    It is possible for the data controller to negotiate with the data subject as to the form in which the data controller hands over the information to the data subject. The default position is that the data subject gets a hard copy of the information in a permanent and intelligible format, unless the supply of such a copy is not possible or would involve a disproportionate effort, or the data subject agrees otherwise. Any terms which are not intelligible without an explanation must be accompanied by an explanation.

    #2
    Checklist for compliance with the Data Protection Act 1998

    This checklist is based on UK law. It was last checked in August 2007.

    This checklist is intended as an aide-mémoire for those who already understand the basics of data protection. It is not an exhaustive list.
    1. Appoint a data protection officer or someone with compliance responsibility.
    2. Ensure that the company is registered with the Information Commissioner if required and maintain those registrations. Remember that separate members of your group will need separate registrations if they are also data controllers.
    3. Identify all collection points of data, e.g. websites, application forms, in-bound and out-bound telephone calls, emails, SMS, faxes, CCTV, employment application forms, attendance at events or functions or exchanges of business cards.
    4. Identify what data are collected and whether directly from the data subject or via a third party.
    5. Identify all purposes for processing, all internal and external access and all disclosures of data.
    6. Identify all marketing activities and make sure the Privacy and Electronic Communications Regulations are complied with.
    7. Draft and put in place an appropriate Data Protection Notice in each collection process setting out all purposes for processing and all disclosures.
    8. Consider how you will provide a Data Protection Notice to individuals where you obtain their information via a third party.
    9. Train all staff who come into contact with personal data. Employees attract personal criminal liability for an unauthorised disclosure of personal data or unauthorised obtaining.
    10. Train staff to recognise subject access requests from data subjects.
    11. Train managers who make decisions about databases.
    12. Ensure that Data Protection Notices are provided to all employees containing an explicit consent statement to the processing of their sensitive personal data. Consider what else employees need to be told.
    13. Identify any automated decision making processing and put a review or appeal procedure in place for any customer or employee who is turned down by any automated decision software, for example, psychometric testing or credit scoring.
    14. Identify the grounds under Schedule 2 (and the grounds under Schedule 3 for sensitive personal data) which give legitimacy to processing, e.g. consent, explicit consent, contract or legitimate interest.
    15. If the ground is consent, ensure that your Data Protection Notices include Consent Statements and provoke a positive response from customers and business contacts.
    16. Identify all third party data processors used by the company. Ensure that data processor contracts are in place.
    17. Identify all transfers of personal data to EU countries and to third countries. Put appropriate contracts or other compliance methods in place.
    18. Ensure that IT systems provide adequate security.
    19. Identify all manual files and decide whether they fall within the definition in the Act.
    20. Review security of processing in the light of ISO 17799 – physical, logical, technical and operational measures to ensure the security of processing.
    21. Review procedures for ensuring quality of data – how often are data reviewed for accuracy?
    22. Put in place processes and procedures to identify and satisfy subject access requests.
    23. Review internet and e-mail policies and CCTV policies to make sure they comply with the Data Protection Act 1998, the Regulation of Investigatory Powers Act 2000 and the Information Commissioner's Guidance.
    24. Put in place processes to deal with requests for disclosure by the Police, Inland Revenue or other Government departments.
    25. Review employment contracts, disciplinary procedures and guidance issued to employees.
    26. Put a data protection help site and help line on the intranet.
