Give me my data! Subject Access and the GDPR
Subject Access Rights
The right of individuals to access the personal data that organisations hold about them is not new. However, with the General Data Protection Regulation and the UK Data Protection Act 2018 coming into force earlier this year, it is once again a hot topic for discussion. This short article discusses how to deal with data subject access requests and which exemptions may be applied.
Understand the request
Given the volume of personal data you are likely to hold about a data subject, it is not usually beneficial to anyone to disclose every item of personal data you hold in response to a subject access request. Although data subjects are entitled to request access to all personal data held about them, they will generally know what they are looking for and will be able to help you by narrowing the scope of the request. Indeed, you may ask data subjects what the request specifically relates to in order to limit the extent of the required disclosure. Narrowing the scope of a data subject access request at the outset will save you time, whilst providing data subjects with the personal data that is actually relevant to their request.
Personal Data relating to more than one person
Since individuals are only entitled to their own personal data, you may not have to comply with a data subject access request to the extent that doing so would involve disclosing personal data about another individual. However, where the other individual's personal data can be redacted so that they are no longer identifiable, where the other individual has consented to its disclosure, or where the disclosure is reasonable in the circumstances, disclosure should be made in accordance with the data subject's request. Even if you conclude that it would not be reasonable to disclose personal data relating to the other individual without their consent, you should still comply with the data subject access request as far as possible.
UK Data Protection Act 2018 Exemptions
The UK Data Protection Act 2018 provides a number of exemptions in respect of data subject access requests. Some key exemptions to bear in mind are:
- Confidential References - references given in confidence for certain purposes, such as checking the data subject's education, training or employment history.
- Corporate Finance - where compliance would be likely to affect the price of corporate finance instruments, or would prejudicially affect a person's decision in relation to corporate finance. This exemption would apply where personal data is processed for corporate finance services and its disclosure would include price-sensitive information.
- Management Forecasting or Management Planning - where the subject access request relates to the management forecasting or management planning of an organisation.
- Negotiations with the Data Subject - where compliance with the subject access request is likely to prejudice certain negotiations between you and the data subject. This exemption relates only to the negotiations themselves and not the underlying claims to which the negotiations relate. Once negotiations are concluded this exemption no longer applies.
- Legal Professional Privilege - where the personal data is contained in documents created for use in current or potential litigation, or in connection with obtaining or giving legal advice. Note that personal data which is not created or communicated in the context of giving or receiving legal advice, or of litigation, is not covered by this exemption.
Criminal Offences
It is a criminal offence under the UK Data Protection Act 2018 to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of information to which the data subject is entitled. For example, this means that if you redact documents to conceal or avoid disclosing embarrassing content, you could be committing a criminal offence. Once you have received an access request from a data subject, you should ensure that no personal data relating to that request is altered, deleted or redacted (except where it properly falls within the exemptions described above).
Tight Deadlines
You must respond to subject access requests without undue delay and, at the latest, within one month of receiving the request. Where requests are complex or numerous, you may extend the one month deadline by a further two months (three months in total). You must tell the data subject that you are extending the deadline, and your reasons for doing so, without delay and at the latest within one month of the data subject making the request. In general, you should provide the personal data requested free of charge. However, where a request is "manifestly unfounded or excessive", for example because it is repetitive, a reasonable fee may be charged to cover administrative costs, although requiring a data subject to cover your administrative costs is not expected to be the norm.
Given the tight deadlines for responding to data subject access requests, it is important to act quickly to ascertain the scope of the request, so that you can determine as soon as possible what should be disclosed, what is exempt from disclosure and whether redactions are necessary. Ensuring that your processors (particularly those who host or store your data for you) are contractually required to provide you with all necessary assistance in responding to subject access requests will also help.
Responding to subject access requests is not always straightforward. But by making sure you have the right processes in place, and that you know where to get expert advice if needed, you can cut through the complexity involved and put yourself in the best position to respond to subject access requests in a timely and fully compliant manner.
Byte-sized news
Government launches call for evidence on geospatial data. The Government has recently launched a call for evidence on the use of geospatial data by the public and private sectors. As defined in the call for evidence, geospatial data is data concerning where people and objects are positioned in relation to a particular geographic location. Integrating geospatial data with other data sets could result in the identification of individuals, so the use of such data sets would be subject to compliance with the data protection legal framework. The introduction of centralised standards for the interoperability of geospatial data, and other options for increasing the integration of third-party data sets with existing data, could help organisations navigate the complex data protection obligations around transparency and around assisting with data subject rights such as deletion. Examples of private sector use cases include location-based advertising, optimising retail footprints and autonomous vehicles. Guidance on data sharing would be a welcome clarification for the many businesses looking to leverage big data in this way. The call for evidence closes on 24 October 2018.
Automated and Electric Vehicles Act 2018 receives royal assent. The Automated and Electric Vehicles Act 2018 (the "Act") has received royal assent and puts in place a framework to allow insurers to insure automated vehicles. It also introduces changes to the requirements for electric vehicle charge point infrastructure. The Act is part of the Government's commitment to review the UK legislative landscape for automated vehicles. Given the complex legal issues that automated vehicles create, the Law Commission has been engaged to propose an effective legal framework to govern such new automated driving systems. However, data protection is expressly carved out of the Law Commission's review. This seems a little short-sighted given how central data protection will be. For example, charge point data will include information about individuals' energy consumption and geolocation, so ensuring that operators' reporting obligations in respect of that data comply with data protection law will be important.
International data standards for automated vehicle insurers. Separately, the Association of British Insurers is leading an effort to develop an international standard set of data to be made available in the event of an accident involving an automated vehicle, such as the time of the crash and whether the vehicle was being operated autonomously at the time. The intention is that insurers would use this data to establish liability and process claims quickly. Whilst such data sets have the potential to expedite claims handling, insurers must ensure that their use of these standards does not fall foul of data protection law; for example, insurers will need appropriate privacy notices and governance controls in place to enable compliance.
With special thanks to Helena Brackenridge and Tom Brookes for their contribution.