02 September, 2020
The UK General Data Protection Regulation (UKGDPR) is the same after Brexit as it was before, but it would appear that many organisations are still coming to terms with the impact it can have on their day-to-day practice, not least the colossal increase in the volume of subject access requests (SARs), which appears to be creating as much pressure and confusion as the threat of a data breach.
According to the Information Commissioner's Office's (ICO) own official statistics, mishandling of SARs is by far the number one data protection issue complained about by the public. In 2019 more than half of the 18,000 data protection-related complaints lodged with the ICO concerned individuals' rights to access their personal data held by organisations. As a result the ICO has recently updated its published guidance to assist organisations in dealing with requests from individuals for their data. The guidance is available here.
A subject access request (SAR) is a request made by or on behalf of an individual for information. The request does not have to be in any particular format. It entitles an individual to find out what personal data an organisation holds about them, why that organisation is holding it, to whom that organisation may disclose it, and certain other information. Any individual is entitled to ask for this under section 7 of the Data Protection Act 1998 (DPA), a right that now continues under the General Data Protection Regulation.
Under the GDPR, the request can be made verbally, in writing or via social media. The request can be sent to any part of the organisation, and as long as it makes clear what the individual is asking for it will be deemed a valid request and should be treated as such. Once received, the request should be handled in accordance with the requirements of the Data Protection Act 2018 / UKGDPR.
In the majority of cases no fee will be charged, unless the organisation can show that the request is either manifestly unfounded, or so excessive or complex that it will require additional time and administrative resources to fulfil. If that is the case, the organisation concerned should advise you of those charges before dealing with the request. It should do this within 1 month of receiving your request.
Under Article 12 of UKGDPR, a data controller must respond to a SAR without undue delay, and in any event within 1 month of receipt of the request. This can be extended by a further 2 months if the request is complex or the data subject has made a series of requests. The rules stipulate that requests must be dealt with promptly. If the request is complex or excessive, the data controller must inform you within that 1-month period if it wants to extend the time to respond. The responsibility for complying with a SAR lies with the data controller, and its Data Protection Officer (DPO) oversees compliance internally.
If there is a good reason not to comply with the request then you should be informed of those reasons. If you are not happy with the response given, or the organisation has simply failed to respond to your request within 1 month, then you have a right to complain to the ICO, which can take steps to enforce your rights.
The ICO has powers to issue the organisation with warnings, reprimands and compliance orders, and in extreme circumstances can impose large fines on organisations that have breached the UKGDPR. If a fine is deemed appropriate the ICO has considerable discretion to set the level; there are no fixed penalties or minimum fines. The ICO will also take into account the past conduct of the organisation concerned. The Data Protection Act 2018 also makes it a criminal offence to alter, deface, block, erase, destroy or conceal personal data to prevent its disclosure to a data subject.
The organisation must inform you immediately if they have mishandled your SAR, and as a result infringed your rights (for example by sending the response to your request to the wrong person and creating a data breach). In such cases, if you can show that you have suffered substantial damage as a result, you may have a claim for compensation.
If you believe you may have suffered a data breach, or have any enquiries relating to the mishandling of a SAR which may give rise to a possible civil claim, please contact The Data Breach Claims Team at Forbes Solicitors on 01254 872 111.
Since the introduction of the GDPR in 2018, claimant solicitors have noticed a significant increase in enquiries from individuals seeking to bring civil claims against organisations for breaches of data protection law. For data controllers, time spent getting robust policies and procedures in place now may therefore pay dividends in the long run by reducing the risk of breaches and claims, as well as enforcement action by the ICO.
If you believe you may have suffered a data breach, or have any enquiries relating to the mishandling of a SAR which may give rise to a possible civil claim, please contact Lisa Atkinson, Associate at Forbes Solicitors on 01254 222 448 or email at firstname.lastname@example.org for a free initial consultation, or to receive further information and guidance.
If your organisation needs training or help with handling SARs or GDPR compliance generally please contact our Government, Procurement & Information team here.