Organizations are worried that a flood of data subject access requests is going to cause some headaches. The primary concern is that of the SAR (Subject Access Request), where an individual can request that an organization divulge all the information held on that particular individual. The main differences from the old Data Protection Act concern:
- the actual nature of the data,
- the reason for its storage,
- the accuracy of that data,
- and the method of divulging.
There is also the cost: under the old act there was a charge to request data, but the GDPR stipulates that any SARs must be “provided free of charge” (Article 12.5). Of course, there has to be some limit on the power provided to an individual. The request must be legal and for a specific purpose; frivolous or repeated applications will be rejected. In the words of the ICO, where a SAR is “manifestly unfounded or excessive”, it can be refused.
Besides, some information is exempt from disclosure to the individual, such as material covered by legal professional privilege, i.e. documents for use in ongoing or possible future litigation, including professional documents created by third parties with the aim of providing legal advice. A further exemption to SARs covers data concerning “national security and the prevention or detection of crime”, or the “apprehension or prosecution of offenders”.
Organizations need to take extra care
Organizations will also need to tread carefully where personal data requests contain sensitive health information.
In this instance it is necessary for the data controller to liaise with an appropriate medical professional before releasing any information. This exemption would not apply, however, if the data subject themselves supplied the medical data. The newly implemented Regulation may well open the floodgates for SARs. The primary recipients of requests are likely to be the NHS and other public authorities such as educational establishments and local government offices.
However, the fact that this service is now free may cause a problem for businesses with disgruntled ex-employees, and there is very little that can prevent this type of unwarranted and bureaucratic nightmare!
Organizations will just have to be prepared to deal with these requests professionally. Though, bear in mind that subsequent requests by the same data subject can occur and, if dealt with correctly the first time around, can legitimately (and politely) be knocked back.
Ensure a good strategy is in place
Above all, it is a good idea to have a strategy in place from the outset, with policies and procedures for dealing with a SAR in the first instance, and clear refusal guidelines in place across the floor of the organization. Hence, to prevent any issues with GDPR compliance, an organization will need precise definitions of what constitutes grounds for refusal.
GDPR states clearly, “the controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.” (Article 12.5). The article goes on to require that the data requested is provided only to the correct party. An organization can ask for identity validation of the requesting individual where there is reasonable doubt about their identity.
For example, with a request sent from a Gmail account or made by telephone, how would an organization be 100% sure the requester is who they say they are? Identity can be validated against documents such as:
- a driving licence,
- or other forms of ID.
Again, this is something to embed into the organization’s policies and procedures, with bulletproof identification measures in place.