1 Subject Access Request Webinar Friday 20 May 11am
2 Why am I attending a Webinar on Subject Access?

Opening slide notes: ‘Subject Access’ is the right, provided by the Data Protection Act 1998, for individuals to request a copy of all of the personal data held about them by any organisation processing information about them. SARs make up the majority of the complaints the ICO receives (44% of around 15,000), and this proportion is broadly reflected in the concerns we receive relating to small and medium-sized enterprises. Because of that we want to take the opportunity to discuss some of the more challenging areas facing organisations handling SARs, and to explore some of the more common pitfalls data controllers fall into when handling them. In particular we will look at what you as an organisation are entitled to require before administering a SAR, ‘disproportionate effort’, third party data, and exemptions from the obligation to disclose personal data under the SAR provisions.
3 Subject Access Requests (presenters: Joff Gray, Dinah Balsillie)
4 What are the common difficulties faced by Data Controllers?

Slide points: Delay; Not a SAR; Poor searches; Disproportionate effort; Repeated requests; No data held; Blanket approach; Personal issues; Third party data.

Notes (common causes for concerns to be raised with us): Some of the most common mistakes we see organisations make are really easy to rectify, such as responding late. Common examples include:
- responding outside of 40 days;
- failing to recognise subject access requests;
- only responding to part of the request, i.e. not making adequate searches;
- repeated requests;
- information that is not the data subject’s personal data;
- applying a blanket approach when using exemptions;
- not responding because of personal issues with the data subject.

Some potentially trickier situations bear a little more consideration, for example errors in applying the provision concerning disproportionate effort when responding to a SAR, errors in considering third party data, and errors in applying an exemption to the SAR provisions. We will look further at these later in the presentation.
5 What can organisations require before responding?

Under the DPA, an organisation that receives a subject access request does not have to supply any information in response unless it has been provided with:
- the fee;
- information reasonably required to establish the identity of the person making the request;
- information reasonably required to locate the data being sought.

If the above is not provided with the request, the organisation must promptly ask for it. The 40-day period within which the DPA requires a response to be provided does not begin until the above has been received by the organisation, but a delay on the part of the organisation in requesting it may lead to a breach.

Establishing identity: take the circumstances and the type of data into account, since the identity checks should be proportionate to the harm of releasing the data to the wrong person. For example, is the person making the request a current or former employee, or a customer? Is the type of data being sought financial or otherwise sensitive (medical etc.)?

Locating the data: general requests lead to general searches. The scope of the search must be proportionate, taking into account the privacy of third parties. For example, for a request for copies of emails, the individual making the request would be expected to provide:
- dates or a range of dates;
- names of recipients/senders;
- any known content of the subject line;
- any further information concerning context.

If a request for emails is too broad (the scope is anticipated to include hundreds or thousands of emails, etc.), no search is necessary, as the information reasonably required to locate the data has not been provided. Further, searching hundreds or thousands of emails would in many circumstances be disproportionate in relation to the privacy of other people.
6 Subject Access and disproportionate effort

The provision concerning disproportionate effort is frequently misapplied by organisations in receipt of a subject access request. It does not mean that organisations don’t have to respond to a subject access request if doing so would be too much work.

What the Act says, section 8(2): ‘The obligation imposed by section 7(1)(c)(i) must be complied with by supplying the data subject with a copy of the information in permanent form unless – the supply of such a copy is not possible or would involve disproportionate effort…’

The DPA does not define ‘disproportionate effort’ further. Because of the way the DPA is worded, our guidance says section 8(2) cannot be applied to searching for personal data; it applies only to the provision of the data in a permanent form. In other words, the time and expense related to locating, collating and redacting the data are not relevant considerations when assessing disproportionate effort.

Even where providing the information in permanent form may involve disproportionate effort, the data controller should still try to comply with the request in some other way, for example by inviting the subject to the premises to view the data. The right of subject access is central to the DPA.

Where a request appears to be very large in scope, for example relating to recordings of telephone calls, CCTV footage or emails, organisations can and should request further information ‘reasonably required to locate the data’.
7 Subject Access and third party data

Section 7(4) makes it clear that where you cannot comply with a request without disclosing information relating to another individual who can be identified from that data, you are not obliged to do so. However, this is not absolute: you should still consider whether the individual has consented to the disclosure, or whether it is reasonable in all the circumstances to comply with the request without consent.

A good example of where this issue comes into play is complaint files, which often include third party data.

First, ask yourselves whether responding to the request actually requires the disclosure of third party data. If it does, consider whether that data can be redacted or anonymised. If it can, the disclosure no longer requires the disclosure of third party data and you should disclose. If it can’t, go on to the second question: do you have the third party’s consent? If you do, it would not be unreasonable to disclose the information; if not, you need to go on to consider whether it is reasonable in all the circumstances to disclose.

The first port of call is section 7(6), which provides a non-exhaustive list of factors you should consider, including:
- any duty of confidence owed to the individual;
- any steps taken to obtain consent;
- whether the individual is capable of giving consent;
- any express refusal of consent.

A duty of confidence arises where information that is not generally available to the public is provided with the expectation that it will be kept confidential. There are various well-established duties of confidence, such as solicitor/client and doctor/patient, but you should never assume that confidence exists: get advice.

Other things to take into account are whether the information is already known to the requestor (is it generally available to the public, or has it previously been made available to the person making the request?) and the circumstances of the request.

You should always balance the importance of the information to the individual against the importance of maintaining the confidentiality of the third party.
8 When is it ok to withhold someone’s data?

Exemptions. General points on exemptions:
- In the main, they apply to the processing of personal data for specific purposes.
- They apply only to the extent that applying a specific provision or provisions would prejudice those purposes.
- They should be construed narrowly.
- They are applied on a case-by-case basis.

Issues on application:
- You must be able to demonstrate that the information is being processed for purposes relevant to the exemption.
- Where required, you must be able to demonstrate ‘real and substantial’ prejudice if the relevant provision is complied with.
- Be sure to document the process of applying the exemption. This should help with the above points, and also if we receive complaints.

Examples:

Section 29, the Crime and Taxation Exemption. Section 29 applies to personal data processed for the purposes of: the prevention or detection of crime; the apprehension or prosecution of offenders; the assessment or collection of any tax, duty or similar imposition. Liaise with the Police!

Miscellaneous Exemptions (found in SI 2000 No. 419) include:
- The Management Forecasts/Planning Exemption applies to the extent to which applying the subject access provisions to information processed for the purpose of planning and/or forecasting would prejudice the conduct of the business.
- The Negotiations Exemption applies to information which consists of a record of the organisation’s intentions in relation to any negotiations with the individual making the request, to the extent to which providing copies of the information would prejudice those negotiations.
- The Legal Professional Privilege Exemption: personal data is exempt from the subject access provisions if it consists of information for which legal professional privilege (or its equivalent in Scotland) could be claimed in legal proceedings. This includes any correspondence between the organisation and its legal advisers, and can also cover other information if it is being relied upon to prepare for intended or anticipated litigation.

The DPA cannot replace civil disclosure rules, but remember: the right of subject access is purpose blind!
9 New Regulations (dpreform.org.uk)

The EU is currently finalising new regulations to update the DPA. It is anticipated that the new Regulations will come into force in approximately 2 years. Guidance and advice will be published on our website to help organisations prepare. We are currently examining the anticipated changes and preparing for their effects on our functions. The general principles of the DPA are likely to remain; the changes will be to the detail of the legislation. The best preparation is to ensure your organisation is compliant now with the current provisions. Anticipated changes include the fee, the registration fee, the definition of consent, PIAs, etc.
10 The ICO’s Regulatory Role

Helping organisations comply with their responsibilities under the DPA, and helping individuals exercise their rights. General responsibilities include:
- providing guidance, advice and codes of practice to organisations;
- providing guidance and advice to individuals;
- challenging incidents of non-compliance and systemic issues;
- considering concerns brought to us by individuals (section 42 Request for Assessment).

We have a helpline and written enquiry service available to both individuals and organisations. Assessments require us to come to an impartial view as to whether, in the circumstances brought to us, compliance with the DPA is ‘likely’ or ‘unlikely’. We initially go on the information provided by the individual, and we will usually ask them to raise their concern with the organisation first. In many cases we may not need to contact the organisation; if we do, it’s not personal! We use assessments to achieve compliance, to gain an understanding of organisations’ levels of knowledge in the area, and to improve information rights practices. They are not primarily a tool to prosecute.
11 Use Us! Helpline

We are a resource for you to use. Our responsibility to assist applies equally to organisations and to individuals.
- Contact us with real or hypothetical queries.
- Remain anonymous if you’re more comfortable (helpline).
- If you hear from us in relation to an assessment, don’t hesitate to call us before responding if you have any questions.
- Use the opportunity to make a contact!
12 Any Questions? Helpline: 0303 123 1113

Keep in touch by subscribing to our e-newsletter at or find us on…