In the third of our series of articles tackling common IP personal data concerns, we’re looking at how IPs should handle data subject access requests (SAR).
Late last year, the ICO’s new guidance emphasised the significance of the right of access to individuals in an increasingly digital world (particularly during the Covid-19 pandemic). It also highlighted the importance for organisations to have effective and efficient policies and procedures for handling SARs. This is relevant to all organisations that process personal data (controllers that must comply with the SAR requirements in the GDPR and DPA 2018, and processors that may have to help their controller customers comply).
An individual data subject has the right to find out whether a data controller is processing their personal data. If the answer is ‘yes’, that individual has a right to access the personal data and other comprehensive information regarding the processing conducted by the data controller. Data processors that process personal data on behalf of data controllers may need to assist data controllers in complying with SARs.
IPs handle significant quantities of personal data. Some of this data will have been retained by the insolvent company before liquidation (such as employee and customer databases). In this situation, a liquidator is the company's agent and does not become the principal in the company’s place (and is therefore classed as the data processor).
However, the position is different for data processed by a liquidator itself. This could be data arising from the employment of staff post liquidation, for example, which would make the liquidator the data controller. This also includes data relating to an IP’s office (for example, creditor and debtor information).
So, depending on the circumstances, IPs may be controllers or processors of personal data under data protection law. For this reason, it is important that IPs are aware of the requirements relating to SARs and, in particular, the latest guidance from the ICO.
On 21 October 2020, the ICO published new detailed SARs guidance with the aim of simplifying and clarifying various elements of subject access requests.
The new guidance discusses the right of access in detail and looks to give practical examples and advice.
As identified during the consultation process, the following areas of SARs were given particular focus by the ICO:
If you hold a large amount of information and it is not clear what specific information the individual is requesting, or if it is genuinely unclear whether an individual is making a SAR, you can seek clarification from the data subject. The time limit for responding to the request is paused until you receive clarification. This is referred to as ‘stopping the clock’. However, do be aware that if clarification is provided on the same day as the request, this does not stop the clock.
Here is an example:
If you receive a request on 14 May, the time limit starts from the same day. You will have one month to reply, which means you should respond by or on 14 June.
However, if you ask for clarification on 15 May, the clock stops from 15 May until the date the requester responds. If the requester provides you with clarification on 18 May, the timing will resume on that date.
In this instance, the clock stopped from 15 May until 18 May. This means that you can extend the original one-month deadline by three days and you should provide a response by or on 17 June.
This process will effectively give you longer to respond to SARs if the requester is not being responsive to your requests for further information. Nonetheless, the emphasis is still on you to act diligently, and if a requester responds and either repeats their request or refuses to provide any additional information, you must still comply with their request by making reasonable searches for the information. If you do not receive any response, you may ‘close’ the request after a reasonable period.
In cases where you need ID to verify the identity of the requester, the timescale for responding to a SAR does not begin until you have received the information you’ve asked for.
This concept has been broadened. It now gives organisations greater scope to refuse to respond to such requests.
Each request must be dealt with individually and consider:
The ICO has made it clear that organisations can take into consideration the cost of staff time to respond to these requests. As such, it has provided high level guidance on how to quantify these costs, stating that you can take the administrative costs of the following into consideration:
You cannot ‘double-charge’ if these activities overlap.
The ICO also suggests that a reasonable fee may include the costs of:
As of yet, there is no regulatory guidance on the limits to any fees that you charge, but you should act responsibly and charge a reasonable, proportionate and consistent rate.
If you choose to charge a fee, you do not need to comply with the request until you have received the fee.
In addition to the above clarifications, here are a few other points from the guidance worth flagging:
Although a lot of the guidance in this newest version will be familiar to IPs, the ICO was keen to highlight that it has taken on board calls from organisations during the consultation period to provide more clarification on some of the more ambiguous aspects of the SAR requirements.
The ICO also confirmed that it is looking to provide extra support by planning a suite of resources. One of these will be a simplified SAR guide for small businesses, which aims to set out the key ‘need-to-knows’ from the detailed guidance.
For legal assistance in meeting your data compliance requirements, contact Ed Hayes.
HR Horizon tracker Spring 2021Read more
TLT forms new partnership to support employee ownership growthRead more
Flexible working beyond the pandemicRead more
TLT expands role on national legal services framework for policeRead more
Automatically unfair dismissal and Covid safety concernsRead more
Failure to enhance Adoption Leave Pay not discriminatoryRead more
Employment Law Focus: TechnologyRead more
TLT appointed to Vodafone's global legal panelRead more
TLT appointed to sports and arts legal services panelRead more
Watch our video series for information on the legal issues that are affecting the real estate sector. Each...Read more
Helping you navigate your business through the risks and opportunities that Brexit will bring.Read more
The way people shop is constantly evolving, from the growth of online and the changing use of stores...Read more
The widespread disruption and closure of businesses caused by the Covid-19 pandemic and the subsequent national and local lockdowns has brought into sharp focus the question of available insurance cover for losses under...Read more
The pandemic has had a deep and long-lasting effect on the leisure, food & drink sector, forcing operators to embrace new ways of attracting and servicing customers.Read more
The pandemic has forced the majority of the workforce into a world of remote working. As a result, our cities are evolving.Read more
There's a growing demand for retailers to do more to attract the Purple Pound – the collective spending power of disabled shoppers, estimated to be worth around £274bn. We look at the opportunities, the legal issues and...Read more
Green finance is gaining speed, driven by global climate change pressures and the recognition of the vital role which sustainability plays in a resilient financial services sector.Read more
Keep on top of the employment law issues that matter most to you and your business with our new podcast.Read more
Acting on all sizes of instructions, from large restructurings to individual creditors.Read more
Data protection law is changing rapidly and mistakes can lead to significant financial penalties and reputational damage. We can help you secure your data and use it to its maximum potential.Read more
We can work side by side with your IT security provider to deliver a robust cybersecurity programme.Read more
We can help your organisation build resilience against breaches by coordinating baseline certifications, third party contracts, policies and testing. We offer CPD-accredited bespoke training and rehearsals for responding to incidents, meaning you’ll be equipped and know exactly how to act should a breach arise.Read more
Our expertise and resources are regularly called upon by clients to deal with a variety of investigations including cyber security issues, whistleblowing reports, internal investigations, investigations by external agencies and advising on the remedial steps and the redress exercises that arise as a result .Read more
Our litigation team can deal with cyber or data protection litigation matters including claims by third parties and data subjects.Read more
We have a sophisticated understanding of the technology underpinning the payments process, borne out of working with leading UK acquirers and issuers to procure IT systems, outsourced card processing services and online payment gateways.Read more