In this last week we consider the risks of failing to comply with a Subject Access Request and answer some Frequentlly Asked Questions.
Frequently Asked Questions
Q: Can I require individuals to use a specifically designed form to make Subject Access Requests on?
A: Whilst you can have a form and encourage people to use it to make your life easier, it doesn’t stop people from making a request in their own way and you certainly can’t extend the 40 day time limit by refusing to comply until somebody has completed your form. The form can be a good idea to guide people through including all the information that you will need and the details that you might want to locate what they are looking for.
Q: Do we have to disclose a reference that we obtained from a third party?
A: Yes. It is still data that you are holding relating to that individual. Just because you obtained it from a third party does not give you the ability to refuse to disclose it.
What are the risks around failure to get a Subject Access Request right? Watch Anna’s video here to find the answers.
Can we rely on Section 82 of the Act to not supply a copy of information because we think it’s going to involve disproportionate effort for us to do so?
It is pretty clear from the case law that the Information Commissioner regards very few cases as falling within the ‘disproportionate effort’ exemption so you would want to rely on this very very sparingly. The other thing is that the section only applies to supplying copies of the relevant information, it does not mean you can refuse to deal with the Subject Access Request in the first place just because you think locating that information could involve disproportionate effort. The Information Commissioner’s attitude is always that if you can show that supplying a copy of information in permanent form would involve disproportionate effort you should still try to comply with the request in some other way, for example you might arrange for the person to come and have access to the original documents so they can flag particular documents they would like copies of, or you might make an arrangement to send the documents in electronic form. To give you an example of a case in which the High Court refused to make an order for compliance, there was a case where a law firm were being asked to make a search back through 30 years worth of files relating to some clients in the Bahamas. It was found that going back through the sheer volume of files involved wasn’t a reasonable or proportionate thing for the firm to have to do when the lawyers would have to go through each document to decide whether or not it was covered by legal professional privilege or not. As that could only be done by relevant lawyers then it would be very costly. However, it is worth noting that the judges expressed their disdain that the parties involved were after the documents concerned for the purpose of legal proceedings – there was no suggestion they were using a Subject Access Request to check the accuracy or to have it corrected if they found any mistakes. Context is clearly everything. This case could certainly be useful to argue with those who are making requests if you feel they are not making the request for proper purposes.
Have you ever thought about undertaking a mock Subject Access Request exercise?
We can assist you with a training exercise to help line managers understand the extent of their duties and ensure those who will be dealing with requests know how to answer them. For more information email Anna