A Long List of GDPR Subject Access Requests Is in Store for Organisations
September 26, 2018
GDPR
Organisations are worried that a flood of data subject access requests is going to cause some headaches. The primary concern is the SAR (Subject Access Request), through which an individual can require an organisation to divulge all the information it holds on that individual. The main differences from the old Data Protection Act concern:
- the actual nature of the data,
- the reason for its storage,
- the accuracy of that data,
- and the method of divulging.
There is also the cost: under the old Act there was a charge for requesting data, but the GDPR stipulates that any SAR must be “provided free of charge” (Article 12.5). Of course, there has to be some limit on the power given to an individual. The request must be lawful and for a specific purpose; frivolous or repeated applications can be rejected, since in the words of the ICO a SAR that is “manifestly unfounded or excessive” can be refused.
Besides, some information is exempt from disclosure to the individual, such as material covered by legal professional privilege, i.e. documents for use in ongoing or possible future litigation, including professional documents created by third parties with the aim of providing legal advice. A further exemption from SARs covers data concerning “national security and the prevention or detection of crime”, or the “apprehension or prosecution of offenders”.
Organisations need to take extra care
Organisations will need to tread carefully also where personal data requests contain sensitive health information.
In this instance the data controller must liaise with an appropriate medical professional before releasing any information. This exemption would not apply, however, if the data subject themselves supplied the medical data. The newly implemented Regulation may well open the floodgates for SARs, with the primary recipients of requests likely to be the NHS and other public authorities such as educational establishments and local government offices.
However, the fact that this service is now free may cause a problem for businesses with, for example, disgruntled ex-employees, and there is very little that can prevent this type of unwarranted and bureaucratic nightmare!
Organisations will just have to be prepared to deal with these requests methodically and professionally, bearing in mind that subsequent requests from the same data subject can occur and, if the first request was dealt with correctly, can legitimately (and politely) be knocked back.
Ensure a good strategy is in place
It is a good idea to have a strategy in place from the outset, with policies and procedures for dealing with a SAR in the first instance, and with clear refusal guidelines understood across the whole organisation. To prevent any issues with GDPR compliance, an organisation will need precise definitions of what constitutes grounds for refusal.
The GDPR states clearly that “the controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request” (Article 12.5). The Article goes on to require that the data requested is provided only to the correct party. An organisation is right to ask for validation of the requesting individual's identity if there is any reasonable doubt about who they are.
Consider, for example, a request arriving from a Gmail account or by telephone. How would an organisation be 100% sure the requester is who they say they are? Suitable proof of identity includes:
- a driving licence,
- or other forms of ID.
Again, this is something to embed in the organisation's policies and procedures, with robust identification measures in place.