Data discovery tools vendor Exonar has warned that data requests under GDPR could cost the public sector millions. The claim is made in a report entitled The Impact of Privacy on the Public Sector. The basis for the claim is that pre GDPR, public sector bodies could charge processing a Subject Access Request (SAR). At £10 it did not cover the costs of a SAR. However, it did provide some income and potentially limited the number of requests.
The organisation expected to be hit the hardest is the NHS. This is because the data requested is often complex and not always kept in the same place. In addition, the data needs to be reviewed to make sure it meets the requests. Under GDPR there are other requirements such as making sure the information is readily understandable to the requestor.
The results from Exonar’s Freedom of Information (FOI) request
Exonar made FOI requests to 458 organisations, including NHS Trusts (206), local government (125), central government (61) and emergency services (66) from across the UK. It wanted to know the number of SARs received by each organisation in 2014, 2015, and 2016 and the cost of processing each SAR.
The results showed:
- The average cost of a SAR across the public sector was £145.46
- The NHS average is £106.85 with some reporting costs as high as £1,800 or more
- NHS Trusts average 800 SARs per year giving an average cost of £85,480 per Trust
- There are 241 Trusts in the UK making an annual cost of £20,600,680
- For local government bodies the average cost of a SAR is 136.95
- Local government bodies averages 138 SARs per year giving a yearly cost of £18,899
- There are 418 local government bodies making an annual cost of £7,899,823 million
It is important to note that these are based on 2016 figures. GDPR is expect to create a surge in SAR requests given increased awareness and no charges. As a result, the costs to the NHS, in particular, are likely to be much higher when the numbers for 2018 are available.
GDPR doesn’t always mean no charge
The general principal of GDPR is that organisations have to absorb all the costs for providing the data. One example given by Exonar is:
“For example, Calderdale and Huddersfield NHS Foundation Trust estimated that the cost would include 3 WTE band 2 staff (approx. £16,500 pa), plus costs such as discs (annual cost of £1,044), envelopes (annual cost of £40) and postage costs (£1.48 per patient).
“The Trust added that this would be a minimum cost and there are other costs that “cannot be quantified”, such as involvement of management, clinicians, physio and health visitors, finance and even X-ray costs.”
However, there are times when charges can be made but they must be reasonable and proportionate. For example, when repeat requests are being made or an individual is making excessive requests. There is, however, no real definition of what excessive is. Is a patient asking for 50 years of medical records excessive? This is likely to be one of those times when the ICO response on large amounts of personal data is valid.
Dr Paul Cundy, GPC IT policy lead recently wrote: “GPs can also either refuse to comply with requests that are ‘manifestly unfounded or excessive’, or comply but charge for the inconvenience. However, ‘unfounded’ and ‘excessive’ are not defined, either in the GDPR itself or in related guidance, so this will depend on an interpretation of how reasonable the request is.
“GDPR does provide some clue in describing ‘repetitive character’ as being a qualifying criterion. If you decide to comply with the request, you may then charge for: ‘the administrative costs’; ‘providing the information’; ‘communicating the data’; or ‘taking the action requested.’
“So, the fee might involve the cost of professional time to redact records, for example.”
Do you have to provide everything you have?
In principle yes you do. Cundy says you can negotiate and this is something that the NHS may well consider as a policy decision. As Cundy writes: “A SAR was defined under the Data Protection Act as the entire contents of the patient record and under GDPR that is the same basic default assumption, but it has now been recognised that over 20 years on we hold masses of data on our patients, so a new option has been introduced: you can supply less than the entire record by mutual agreement.
“This means you can agree with the patient (within the one-month period) to narrow down the data required to satisfy their request, provided they agree voluntarily and freely. You must not coerce people into asking for less than they want or need. In these circumstances clearly document what is agreed within a first SAR – for example, only the records of a hip operation. Subsequent SARs could then be chargeable, although you should take a reasonable approach. If the patient asks for one additional letter it would in my opinion be unreasonable to charge a fee, but if they ask for hundreds more pages, then a charge would be reasonable.”
The ICO also has advice about how to deal with requests for excessive amounts of data.
What about requests for large amounts of personal data?
“If you process a large amount of information about an individual you can ask them for more information to clarify their request. You should only ask for information that you reasonably need to find the personal data covered by the request.
“You need to let the individual know as soon as possible that you need more information from them before responding to their request. The period for responding to the request begins when you receive the additional information. However, if an individual refuses to provide any additional information, you must still endeavour to comply with their request ie by making reasonable searches for the information covered by the request.”
Failure to respond in time could lead to fines
The time limit to respond to a SAR has come down from 40 days to just 28 days. Exonar says that using the responses to its FOI requests show that organisations will struggle to meet these deadlines. FOI requests have a 20 day response time. One organisation took 159 days to respond. However, the average was 24 days with the NHS being 27.
Adrian Barrett, CEO and founder of Exonar, said that the variance in time taken to respond demonstrates how complex a task SARs are in the public sector: “The good news is the public sector is taking its responsibility to do a thorough job and find all the data pertaining to a person seriously. However, there’s a heavy process burden, especially when multiple bodies are involved, and the NHS in particular needs an alternative to manpower to trace data if it is to avoid penalties of non-compliance.”
With GDPR, failure to respond in the right time limit can result in fines from the ICO. However, the 28 days is not as set in stone as people think. As with the older Data Protection Act, organisations can ask for extra time based on the complexity of the data search. Where paper records are involved, this is not unusual. In addition, if the request seems overly broad, the organisation can go back to the requester to see if there is an opportunity to refine the data being requested.
There is plenty of advice on this on the ICO website. For example:
Can we extend the time for a response?
“You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. You must let the individual know within one month of receiving their request and explain why the extension is necessary.
“However, it is the ICO’s view that it is unlikely to be reasonable to extend the time limit if:
- it is manifestly unfounded or excessive;
- an exemption applies; or
- you are requesting proof of identity before considering the request.”
What does this mean
The examples here are around local government and the NHS and show how quickly the impact of GDPR can become a financial issue. Barrett says the total number of SARs could cost UK PLC billions: “We expect 30 million requests to be made this year to private businesses of all sizes and the public sector. If we assume the cost to process a SAR is the same in public and private sectors, then the cost to UK PLC stands at £4.5bn. That’s an extraordinary sum to set against admin that has no value to a company.”
For SMEs the financial cost is likely to be much larger. Many will not have done a full data map of everything they have in terms of data. Respondents to the recent ICSA report on the costs of implementing GDPR highlighted data mapping as a major challenge. Many are also worried about the problem of data in legacy systems.
Organisations were worried about a surge of GDPR data requests on May 25. So far, there have been no credible reports of organisations receiving hundreds of emails or extra bags of mail. That may change. Organisations that suffer data breaches could find a lot of affected customers demanding to see what data they held. The costs for this are likely to compound the costs of dealing with a breach.
It is also trite to say that better IT systems and AI are the solution. They are a possible solution and to just part of the problem. It will take months even a year or two before the full implications of GDPR data access requests are felt.