A candidate interviewing for pupillage with a dozen barristers’ chambers used the GDPR to gain access to his interview notes. Some of the barristers’ chambers, which should not be oblivious to the workings of the law, accidentally revealed sensitive information when complying with the request. Even those practising the law are not immune to its reach. It serves as a stark reminder for all employers and potential employers to ensure they know the law around data subject access requests (DSARs). It is always advised that, when in doubt, you contact a legal professional for expert advice.
The concept of a DSAR has been around for a long time. A person’s right to make a DSAR is a protection enshrined in the General Data Protection Regulation (GDPR). This was implemented into UK legal systems by the Data Protection Act 2018. It is also a fundamental right under the Charter of Fundamental Rights of the European Union (2012/C 326/02).
Article 8(2) says that: Everyone has the right to the protection of personal data concerning him or her.
Such data must be processed fairly for specified purposes and based on the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her. They also have the right to have it rectified if it is inaccurate.
Compliance with these rules shall be subject to control by an independent authority.
What should an employer do when they receive a request?
It can be a difficult, time-consuming and financially draining task to respond effectively to a DSAR. Businesses should have an internal procedure and a subject access request policy in place to deal with the requests as efficiently as possible. This policy should be circulated to all staff and include key contacts who can assist in dealing with the DSAR. Remember, the deadline under the GDPR for dealing with a DSAR is normally one month. It can be extended if the DSAR is complex or more time is needed to respond. You must act quickly to ensure this deadline can be met.
It is also important to understand the information that is being requested. Do not be afraid to converse with the individual issuing the DSAR. More often than not, the actual data the individual is looking for will be a lot less than you expect. However, you will still have a duty to disclose all that you tactically and reasonably can.
The extent of information to collect
Much of the data you hold about an individual may also relate to others. Such data will almost inevitably require redaction. Article 15 of the GDPR contains no limit on the personal data that an individual can ask for, but EU law provides some good guidance. The principle of proportionality requires that measures adopted should not exceed the limits of what is appropriate and necessary to achieve the objectives pursued by the legislation in question. The Subject Access Code also confirms that an employer is not required to do things that would be unreasonable or disproportionate to the importance of providing subject access.
The general consensus is that you should try to find as much information as possible in line with the request. However, you do not have to employ any unreasonable methods in your search. There is also GDPR technology that you can investigate to assist you in conducting your search on your servers.
Be wary of data breaches
It is paramount that the privacy of third-party data is protected when responding to a DSAR. Such data should be redacted or removed.
However, there is an exception. If the third party has consented to the disclosure of the data, or the employer determines that it would be reasonable to disclose the data without consent on the basis of legitimate interest, it is possible to provide the data. If you believe a breach has occurred, you should make a report to the ICO as soon as possible. Reporting promptly helps to rectify the breach and protects you if the data lost causes significant harm to individuals. Data breaches must be reported within 72 hours. It is good practice to have a data breach policy in place.
Document the process
If the person issuing the DSAR does not believe you have complied with your obligations, they may either apply to the court for a compliance order or make a complaint to the ICO. If this happens, having a well-documented record of what you searched for and why is useful. The record should also explain why you decided not to take particular steps.
Data protection is an extremely important and vast area of the law that is regularly updated. The introduction of more and more technology into everyday life is going to see a huge increase in DSARs and in people asserting their privacy rights. If you need any advice or assistance in implementing policies or responding appropriately, please get in touch with our experienced team at A City Law Firm, who will be able to advise you on compliance.
Karen Holden is the Managing Director & Founder of A City Law Firm, which practises both commercial law and litigation; she was admitted to the roll in 2005. If you require further advice or assistance, please do not hesitate to contact [email protected]
A City Law Firm Limited is a leading entrepreneurial law firm in the City of London, with a dynamic and diverse team of lawyers. It was awarded Most Innovative Law Firm, London 2016 and Business Law Firm 2017. They specialise in start-up business law, the tech industry, IP and investment.