Every data subject can request from the controller a copy of the personal data held about them, together with supplementary information about the processing. Only with this information can individuals keep control over their own data and, where necessary, exercise their further rights.
The Information Commissioner’s Office (ICO) has published comprehensive guidance on the scope of the right of access and the information to be provided, the essence of which we present here.
Content of the access right
One essential consequence of every person’s fundamental rights is ongoing control over one’s own personal data. Privacy laws reflect this by granting data subjects corresponding rights. The United Kingdom General Data Protection Regulation (UK GDPR), for example, sets out the data subject rights in Chapter III. One of these is the right of access.
The right of access, exercised through a subject access request (SAR), is described in Art. 15 UK GDPR. It consists of several elements. Controllers are obliged:
- to confirm to the data subject whether or not personal data concerning them is being processed, and, where that is the case,
- to provide a copy of the personal data of the data subject that the controller stores and processes, and
- to provide the supplementary information about the processing listed in Art. 15 UK GDPR.
The supplementary information to be provided largely matches the information required under Art. 13 and 14 UK GDPR, so in some cases a link to your privacy policies and notices can be sufficient.
A controller must always confirm whether personal data of the data subject is processed. Whether a copy of the data or supplementary information must also be provided depends on the circumstances and on what the specific SAR asks for. It can be necessary to provide a copy of all personal data held, for example e-mails, notes, minutes or agreements.
It is also important to note that only the data subject has the right of access to his or her own data. There are a few exceptions, such as a person acting on behalf of a data subject who lacks the mental capacity to manage their own affairs. Personal data of third parties contained in the data subject’s data requires a separate assessment before it is disclosed.
How to recognise a SAR
SARs can reach you via many different routes and channels. Under the UK GDPR, there is no requirement for a SAR to be made in a particular form. Accordingly, it can be made in writing, electronically, orally or even via social media.
There is also no requirement that data subjects contact a specific person at the controller when requesting access to their data; any point of contact with the controller can be used. Controllers should therefore publish clear internal guidelines on how to recognise and handle such requests, and regularly train employees with customer contact on the topic.
In addition, a SAR does not have to meet any requirements in terms of content. Wording such as “request in accordance with Art. 15 UK GDPR” or “subject access request” is not necessary. A SAR can also be made with reference to other laws, such as the Freedom of Information Act 2000 (FOIA). It is therefore important that your staff understand the purpose of a request: if access to (one’s own) personal data is requested, the request should be treated as a SAR. Only for public bodies are there a few exceptions, which are explained further in the guidance.
How to deal with a SAR
The ICO also advises offering a contact form through which data subjects can submit their request. This allows you to route the request directly to the department responsible for handling it and gives data subjects an easy way to exercise their right. Note, however, that you cannot insist on the form being used; a request made through any other channel remains valid.
If a SAR is made by phone or via a channel where it is uncertain whether the requester is the data subject, you can ask for further information, but only to the extent necessary and only for the purpose of identification. A copy of an ID document will not always be needed; in some cases a username or similar identifier can be sufficient.
Although the UK GDPR allows data subjects to make a request orally, the ICO and we still recommend asking, where possible, for the request to be confirmed in writing. This way the scope of the SAR is set clearly by the data subject and misunderstandings are avoided.
The UK GDPR also requires controllers to respond to a data subject request without undue delay and at the latest within one month of receipt. To ensure a timely response, the ICO suggests working with a 28-day period counted from the day your company receives the SAR. This period may be extended by up to two further months only if the request is complex or you have received numerous requests from the same data subject. The threshold for complexity is high, and you should document your reasoning for any extension.
Exemptions to a SAR
Even though the right of access is fundamental for data subjects, controllers do not need to hand over all data in every case. The law provides several exemptions under which information and personal data may be withheld. These include, for instance:
- Criminal and taxation cases
- Legal professional privilege
- Regulatory functions relating to legal services, health or children’s services
- Judicial appointments, independence and proceedings
- Journalism, academia, art and culture
- Management information
- Exam scripts and marks
This list is not exhaustive; there are other exemptions as well. However, you cannot rely on an exemption blindly. As a controller, you should carry out a documented assessment of whether the conditions of an exemption are met, recording your reasoning and decision. For example, if one data set has no bearing on a criminal proceeding while a second data set of the same person would prejudice your case, you would still need to give access to the first data set, but not to the second.
Such an assessment should be carried out separately for each exemption you wish to rely on, and for each data set concerned.
Best approach to the right of access
As SARs can consume considerable internal resources, companies should have a robust and well-prepared process for handling them. Alongside well-trained staff, an up-to-date record of processing activities (ROPA), as required by Art. 30 UK GDPR, is a helpful tool: it gives you an overview of all processing activities and lets you trace where you may hold data about a requester. Mapping the process and the data flows in advance also helps to handle SARs within the deadline.