Archived Gibraltar Regulatory Authority website
DEALING WITH SUBJECT ACCESS REQUESTS
Section 14 of the Data Protection Act 2004 provides that individuals are entitled to be informed by an organisation whether any personal data relating to them are being processed by or on behalf of that organisation and to see all of the information that is being processed and its source.
Personal data includes any expression of opinion about an individual and any indication of the intentions of the organisation or any other person in respect of that individual. The DPA defines individuals as "data subjects" and organisations that process personal data as "data controllers"; a request by an individual to see their information is commonly termed a Subject Access Request (SAR).
An individual's general right of access is qualified by exemptions, which are detailed in section 14 of the DPA. Many of these exemptions are particularly relevant to the processing of personal data by government departments or other public bodies.
It is recommended that an organisation nominates a Data Protection Officer (DPO), who should be primarily responsible for the coordination of all data protection matters. Larger organisations, or those with diverse functions, may appoint additional DPOs with a more limited remit. For example, different people may be responsible for dealing with information relating to customers and clients, suppliers of services and staff matters. It is specifically recommended that responses to SARs are coordinated by the DPO to ensure consistency of treatment.
The DPO needs to be thoroughly familiar with subject access rights and the extent to which any exemptions are applicable. The DPO would normally need to have unqualified access rights to all files within their area of responsibility that may include personal data and be able to search the files for information relating to the person making the SAR (the Subject). However, the DPO may not have access to certain sensitive personal data relating to staff, (such as medical data or vetting checks) in order to protect the confidentiality of such data. In such cases the relevant persons should be involved in dealing with any SARs submitted by staff.
Recommended actions to be undertaken following receipt of an SAR
a) Log the SAR for future reference;
In a large organisation it is helpful to be able to track the progress of a SAR, particularly if it has been necessary to contact a number of people in order to obtain a full response.
b) Note if the SAR is submitted in writing or orally - there should be a policy as to whether oral SARs are accepted and/or whether a specific subject access request form needs to be completed.
Generally speaking, it is not good practice to accept an SAR orally, nor is the data controller under an obligation to accept one: an oral request is harder to authenticate, and the organisation needs to be on its guard against fraudulent attempts to obtain personal information. An email request can be accepted if adequate evidence of identity accompanies it.
c) Note whether a fee has been submitted - there should be a policy as to whether a fee (maximum £10) is charged.
Imposition of a fee is primarily to cover any administration charge and to discourage frivolous or vexatious requests; it is not intended to reflect the full cost of responding to an SAR. It is not permissible to impose an extra administrative charge, e.g. for photocopying.
d) Establish the identity of the Subject - depending on the nature of personal data processed the requirement for identity verification may be strong or weak.
The organisation is permitted to ask the Subject for proof of identity. This could be some form of personally addressed official communication or document such as an ID Card. Where particularly sensitive personal data is held, further evidence of identity may be requested.
e) Is the Subject applying for their own personal data or on behalf of another - if on behalf of another are they authorised to do so?
Normally, the SAR will come from the data subject, but a request may be made by an agent, such as a lawyer or (for a minor) a parent or guardian. Evidence is needed that the agent is authorised to obtain the information.
f) Has sufficient information been given to enable the SAR to be satisfied - there should be a policy as to whether the Subject is routinely asked whether they wish to limit the scope of an SAR (note that a Subject is not obliged in law to give a reason for the SAR or to limit its scope).
Where an organisation holds a large quantity of information, or where much information may be held manually, it is permissible to ask the Subject whether they are able to provide additional information to enable the scope of the search to be narrowed. However, the Subject is allowed to refuse such a request and ask for all the information.
g) Acknowledge receipt of the SAR and fee (if applicable) and request any further information (if needed).
h) Start the clock - although there is a maximum of 28 days in which to respond to an SAR, a response should be given as soon as possible;
The clock starts as soon as a fee (if required) has been received together with any additional information requested from the Subject.
i) Check whether the subject has made any prior SARs and if so whether they were for a similar set of information. If so, is the interval between SARs reasonable, have there been any changes to the data and would it be sufficient to respond merely with any changes that have occurred since the previous SAR?
The DPA provides that an organisation does not have to respond to an SAR if a similar or identical request has previously been responded to within a reasonable interval. The interpretation of reasonable interval will depend on the nature of the data that is held and the frequency with which it is normally updated.
j) Search for the information as follows:
i. Search designated filing indices to determine the location of information related to the Subject using the personal details of the Subject (such as name, address, relevant ID number);
ii. Search computer files and manual files using the results of the index searches.
Searches should be made of all relevant computer drives, email servers, database systems and manual systems, using the personal details of the Subject as a key and taking into account any additional information provided by the Subject. If the surname alone is used as a search key, be aware that information may be returned relating to anyone with the same surname as the Subject, so the results will need to be filtered to ensure that only the information relating to the Subject is returned.
k) Mark the files to denote that an SAR has been received such that any changes or deletions that are made during the currency of the SAR are recorded.
The personal data returned should be all that which is held at the time that the SAR is received. However, routine amendments and deletions may continue to be made, but clearly, no special amendment or deletion must be made as a consequence of the receipt of an SAR. Specifically, the data must not be tampered with to remove any embarrassing entries or to make it "more acceptable" to the Subject.
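The search step (j) and the marking step (k) lend themselves to a small worked illustration. The following Python is an added example and is not part of the GRA guidance nor any organisation's actual filing system: the records, names, reference numbers and dates are constructed, and the matching rule (an ID number on file is decisive; otherwise the full name supplied by the Subject is used) is an assumption about what a filing index might support. It shows why a surname-only index search over-selects, how the results are filtered down to the Subject, how the 28-day clock is fixed from the day the fee and any requested details arrive, and why the records should be copied as they stand at that point so routine amendments made afterwards do not alter the response set.

```python
from __future__ import annotations

import copy
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data for this example only: a record index held as a list of
# dicts. Two entries share the surname "Garcia" but belong to different people, and
# one of them has no ID number on file, so the surname alone cannot separate them.
RECORDS = [
    {"ref": "HR/0012", "surname": "Garcia", "forename": "Ana",
     "id_number": "A123456", "content": "Appraisal 2009: meets expectations"},
    {"ref": "HR/0019", "surname": "Garcia", "forename": "Luis",
     "id_number": "B987654", "content": "Contract renewal 2010"},
    {"ref": "MAIL/2041", "surname": "Garcia", "forename": "Ana",
     "id_number": "", "content": "Email from Ana Garcia re invoice query"},
    {"ref": "CUST/0077", "surname": "Smith", "forename": "John",
     "id_number": "C555555", "content": "Customer complaint 2010"},
]

RESPONSE_PERIOD = timedelta(days=28)   # maximum response period stated in the guidance


@dataclass(frozen=True)
class Subject:
    """Personal details supplied (and verified) for the person making the SAR."""
    surname: str
    forename: str
    id_number: str


def index_search(records: list[dict], surname: str) -> list[dict]:
    """Step j(i): locate candidate records using the surname as the search key.
    This deliberately over-selects: everyone sharing the surname is returned."""
    key = surname.casefold()
    return [r for r in records if r["surname"].casefold() == key]


def matches_subject(record: dict, subject: Subject) -> bool:
    """Step j(ii)/l: keep a candidate only if it really relates to the Subject.
    Assumed rule: an ID number on file is decisive; otherwise fall back to the
    full name supplied by the Subject."""
    if record["surname"].casefold() != subject.surname.casefold():
        return False
    if record["id_number"]:
        return record["id_number"] == subject.id_number
    return record["forename"].casefold() == subject.forename.casefold()


def open_sar(records: list[dict], subject: Subject, clock_start: date) -> dict:
    """Steps h, j and k: fix the deadline from the day the fee and any requested
    details were received, and take a copy of the Subject's records as they stand
    on that day so later routine amendments cannot change what is disclosed."""
    candidates = index_search(records, subject.surname)
    kept = [copy.deepcopy(r) for r in candidates if matches_subject(r, subject)]
    filtered_out = [r["ref"] for r in candidates if not matches_subject(r, subject)]
    return {
        "clock_start": clock_start,
        "deadline": clock_start + RESPONSE_PERIOD,
        "records": kept,            # deep copies: the SAR snapshot
        "filtered_out": filtered_out,  # same-surname hits that are not the Subject
    }


if __name__ == "__main__":
    ana = Subject(surname="Garcia", forename="Ana", id_number="A123456")
    sar = open_sar(RECORDS, ana, clock_start=date(2011, 3, 1))
    print("refs returned:", [r["ref"] for r in sar["records"]])   # HR/0012, MAIL/2041
    print("filtered out:", sar["filtered_out"])                    # HR/0019 (Luis Garcia)
    print("respond by:", sar["deadline"])                          # 2011-03-29
    # A routine amendment after receipt changes the live record, not the SAR copy.
    RECORDS[0]["content"] = "Appraisal 2009: meets expectations (updated 2011)"
    print("snapshot still reads:", sar["records"][0]["content"])
```

The filtered-out references are kept alongside the snapshot so the log for step (a) records what the index returned and why it was excluded, which is useful if the Subject later questions the completeness of the response.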
l) Examine the information that results from the searches to see if it includes personal data and remove any information that does not satisfy any of the criteria of being related to the Subject.
Often it is convenient to respond with copies of documents that include information relating to the Subject. However, only data specifically relating to the Subject needs to be included in the response to the SAR. For example, any communications sent to or received from the Subject that do not include any personal data relating to the Subject may not need to be provided. However, if those documents relate to decisions made about the Subject or that affect the Subject, then they should be included in the response, unless an exemption from disclosure applies.
m) Examine the resulting information to see if it includes information relating to others - there should be a policy as to obtaining consent for disclosure from third parties and/or the circumstances where such consent may or may not be presumed.
Information relating to a third party acting in a private capacity should not be disclosed unless the third party has consented or it is reasonable to assume that they would consent to its disclosure. Normally, if the third party is acting in a professional capacity then information relating to them (e.g. a professional opinion) would be eligible for disclosure.
n) Redact any data which should not be disclosed (including any information that is covered by any exemptions).
Exemptions to disclosure apply to any information that is processed for purposes concerned with:
i. Crime and taxation, where the disclosure might prejudice those purposes;
ii. Negotiations, where the data comprise records of the intentions of an organisation that is negotiating with the Subject;
iii. Health, where in the opinion of a health professional disclosure might cause harm to the Subject;
iv. Adoption records relating to the Subject;
v. Legal professional privilege;
vi. Any matter where there is a substantial public interest in not disclosing the information.
o) Advise the Subject that the information is available and make arrangements for the provision of access; normally this would involve the provision of a hard copy of the information, but if there are particular operational difficulties with the provision of hard copy other arrangements may need to be made.
The Subject is normally entitled to a copy of the information in permanent form, together with an explanation of any codes used. If the provision of the information in this form would involve disproportionate effort, or if the subject has a disability, then other arrangements must be made, such as provision in other media such as on tape or CD.
p) Stop the clock and note the outcome.
Record the time taken to respond to the SAR, in case any complaint is received or any follow-up action is required.
q) Retain the information relating to the SAR for a defined period of time, in case any follow up actions are required.
The organisation should have a policy as to the retention period of information supplied in response to an SAR. This should be long enough to be able to respond to any complaints or deal with any follow-up actions and in any case longer than the "reasonable interval" identified for repeat SARs in paragraph (i) above.