Handling GDPR Subject Access Requests
A recent survey undertaken by entity resolution company Senzing has predicted that businesses in Europe could face a deluge of requests from customers and clients for details of the personal information held about them.
With around 60% of businesses still unprepared for compliance with the General Data Protection Regulation (GDPR), it is predicted that many businesses will struggle to deal with the requests for information – known as Subject Access Requests – not simply because they do not have in place the processes necessary for dealing with them, but because they are not fully aware of the data they currently hold or of how to correlate it. UK and European businesses – law firms included – could, as a result, spend hundreds of hours each year dealing with Subject Access Requests (SARs): time which they could have saved had they taken a few steps at the outset to organise themselves and their data to meet the new requirements, which are now less than three months away.
The survey, which was carried out by Populus on behalf of Senzing, questioned 1,015 companies in the UK, Germany, France, Spain and Italy and asked them whether they were aware of where data was kept, what steps they were taking to prepare for GDPR, what impact non-compliance would have upon them in terms of fines and reputation, and how confident they were in their ability to respond to SARs within the time limits set down by the GDPR. Needless to say, the answers were not encouraging. Less than half (47%) were very confident that they knew where their data was stored, whilst only one third were very confident that they even knew what data they held. Jeff Jonas, founder and CEO of Senzing, commented that the findings “reveal the true extent of the GDPR compliance challenge. Businesses will be faced with a mountain of data to trawl through – the end result will be a significant time and personnel cost and a great risk of missing records or worse, including the wrong records.”
One of the key provisions of GDPR (Article 15), which is set to come into force in May 2018, is the right of all individuals to know what data is held about them by businesses and other organisations and how that data will be used. It is essential that all businesses, law firms included, understand what those rights are and how they can be dealt with as and when they arise. The implications of getting it wrong can be serious, ranging from fines for not providing information to claims for negligence and regulatory proceedings by the ICO, the SRA or other regulators in the event that the wrong information is provided, or that information is given to the wrong person.
What Does Article 15 Say?
Article 15 of the GDPR states that individuals have a right to know what personal data is being held about them and how that data is used. Requests made under it are known as Subject Access Requests. The intention behind this is that the individual can be aware of, and verify the lawfulness of, any processing of their data which is taking place (GDPR Recital 63).
This is not an entirely new concept. The right is very similar to that contained in section 7 of the Data Protection Act (DPA). However, there are certain key differences including the abolition of the right to make a charge in all cases, the time limits for dealing with the request, the content of the response and provisions relating to electronic access. We will look at these shortly.
Specifically, Article 15 provides that the individual (referred to in the GDPR as the data subject) has a right to obtain confirmation as to whether or not their personal data is being processed, and to access that data if it is. In addition, the data subject is entitled to know:
- why their data is being processed;
- the categories of personal data concerned;
- to whom the data has been disclosed, especially if that data has been shared with someone in another country or with an international organisation;
- where possible, for how long the data will be stored or, if the precise period is not known, how the period can be calculated;
- that they have the right to request rectification or erasure of their personal data or request that the processing be restricted or stopped;
- that they have the right to lodge a complaint with a supervisory authority (in the UK this would be the ICO);
- the source of the data where they have not supplied it;
- whether their data is used in any automated decision-making (including profiling) process and, if so, the logic involved, the significance and the envisaged consequences of that processing for them.
In addition, the data subject will be entitled to information about the appropriate safeguards relating to the transfer of their personal data to a third country or to an international organisation and a copy of their personal data which is undergoing processing.
So far as fees are concerned, the GDPR (unlike the DPA, which permitted a charge of £10 for a SAR) is clear in stating that a fee may NOT be charged in most cases. This represents a significant change, and those organisations which receive large numbers of requests, or where the requests are complex, will find that there is a substantial knock-on financial implication to this.
Whether this will continue to be the case after the Data Protection Bill comes into force is not yet clear (the Bill currently provides for the Secretary of State to set a fee payable for disclosures of data). For now it would be safer for firms to assume that a charge will not be permitted which, given the complexity of the requests that could be made by clients, could be a significant budgeting factor for them. For this reason, if for no other, firms must therefore make sure that they know what data they hold and are able to access that data relatively easily.
There will, of course, be exceptions to the rule that a charge may not be made. This, however, will only be where the request is either “manifestly unfounded or excessive, in particular because of their repetitive character” (Article 12(5)) or for further copies of information already supplied (i.e. the same information as has already been supplied). Even then, only a reasonable fee may be charged, and in this context “reasonable” means based on the administrative cost of providing the information. It is unlikely that a charge equivalent to a partner’s charge-out rate would be recoverable, even if the data had to be obtained by a partner.
For many firms, the time limits within which a SAR must be responded to are likely to be one of the most difficult aspects. The GDPR provides that any information must be provided without delay and, at the very latest, within one month of the date of the request – substantially less time than the 40 days which was previously allowed under the DPA. This will have clear implications for firms who will need to ensure that their systems are sufficiently robust that a SAR can be dealt with inside the time limit.
For those who hold even a reasonable amount of data, this is not simply a question of knowing where the information is. It is about everyone in the firm realising when a SAR has been made, knowing what to do with it, being willing and able to deal with it promptly and then being able to provide the data in a suitable format. For the firm already struggling to keep up with client work, that may not prove easy.
There is a provision extending the time limit by a further two months where requests are complex or unusually numerous. However, the data subject must still receive some form of reply within the month, together with an explanation as to why the extension is needed. There is also a provision allowing the firm to refuse to respond where the SAR is manifestly unfounded or excessive, but that refusal still needs to be in writing and must contain not only the reasons for the refusal but also information about the data subject’s right to complain to the supervisory authority and to seek a judicial remedy.
Providing the Information
The next issue to be considered is the actual provision of the information.
The first point to be aware of here is possibly quite an obvious one, but nevertheless one that can be overlooked. Not all data subjects are clients. The provisions of the GDPR apply to everyone about whom personal data is held and that includes not just clients but also employees, agents and contractors, third parties and those to whom the firm is marketing itself. Therefore, the firm needs to ensure that all of the personal data it holds – not just that relating to clients – is able to be accessed quickly and easily.
It is also vital to bear in mind that the confidentiality of the data you hold remains your most important consideration and you must not lose sight of this in your haste to deal with a SAR within the allotted time scale. It is essential, therefore, that the identity of the person making the request is verified and that you make sure that the data being disclosed is the correct data and not data about a different person – for example data that has been misfiled or data about someone with the same, or a very similar, name. Wrongly disclosing confidential data to a third party would not only be a data breach for the purposes of the GDPR but would also be a breach of the provisions in Chapter 4 of the SRA Code of Conduct and a cause for a potential claim in negligence from the person whose data was disclosed.
A further complication lies in the fact that, where the SAR is made by electronic means (and that could include via services such as Facebook or Twitter), the response from you should ideally also be in a commonly used electronic format (unless otherwise requested by the data subject). Article 15(3) provides that “where the data subject makes the request by electronic means, … unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.” It is perhaps worth noting that it does not say “the same electronic form”, simply “a commonly used electronic form”, so you may be able to argue that an email is a satisfactory way to reply to a request made via Facebook. Indeed, you may feel that the security implications of using Facebook preclude it from being used safely.
Whilst on the subject of electronic formats, there is even a best practice recommendation in the GDPR that organisations should, where possible, provide remote access to a secure self-service system from which the data subject can access his or her information (Recital 63). Whilst this is something that would appeal most to organisations that retain relatively straightforward data, an increasing number of law firms are giving clients access to case management portals through which they can access their data. Do, however, make sure that any secure system which allows the data subject to access their own data does not adversely affect the rights and freedoms of others. For that reason, careful consideration must be given as to how that disclosure takes place and as to whether any third party personal data should be redacted prior to the disclosure.
A further factor you may wish to consider when making the response is the effect of the provisions of the Equality Act. Although the GDPR does not itself refer to equality legislation, providing a response to those, for example, with a disability may require a reasonable adjustment under the Equality Act 2010 (in Northern Ireland this falls under the Disability Discrimination Act 1995), such as Braille, large print, email or audio formats. If an individual thinks you have failed to make a reasonable adjustment, they may make a claim under the Equality Act (or the Disability Discrimination Act 1995 in Northern Ireland) or may make a report to the ICO that you have failed to provide the information “in a concise, transparent, intelligible and easily accessible form, using clear and plain language” (Article 12(1)).
Finally, you must make sure that the firm keeps a Subject Access Request Log to record those cases where a SAR has been made, how and when it was complied with and whether there are any relevant issues that need to be recorded in relation to the SAR.
Already highlighted as a potential issue is that of verifying the identity of the person making the SAR before providing any information to them. The GDPR provides that this should be done using what it describes as “reasonable means” (Article 64).
As you will no doubt appreciate, a common method employed by fraudsters wanting to steal identities is to pretend to be someone else and persuade organisations to release personal data. It is vital that your firm does not fall victim to this particular scam. Thus you should ask for enough information to judge whether the person making the request is the individual to whom the personal data relates, whilst at the same time being reasonable and not simply requesting large amounts of information “because that’s what your system requires”.
Thus, if the identity of the person making the request is obvious or you have an ongoing relationship with them (for example as an existing client, employee or currently used contractor), then simpler checks would be more appropriate than if the person had not been in contact with your firm for some time. On the other hand, not asking for verification when there is scope for fraud or misuse would be unwise. Thus, for example, if you receive an email which purports to come from a client seeking data, and the client has not been in touch for a while, simply sending the information back without taking steps to verify that the email is genuine would be negligent.
Further, the extent to which you make checks may be dictated by the potential levels of harm and distress which inappropriate disclosure of the information could cause to the individual concerned. Do bear in mind, however, that simply admitting to holding personal data could in itself be a breach of confidentiality – especially if your firm only handles a particular type of work (for example divorce work or corporate takeovers) and the query is coming from someone who is simply trying to find out if a particular individual has instructed you. You may, therefore, need to make the request in terms that are neutral – for example “in the event that we do act/have acted for you then …..” – so that the request for verification does not itself breach confidentiality.
There are a number of ways to verify identity – some more intrusive than others. These range from requesting proof of identity in the form of passports, driving licences, birth certificates and utility letters (as you would, for example, in relation to money laundering checks) through to phoning the person to ask them questions based on the data which you hold – questions to which only the real subject would know the answer. You might even feel that the use of a specific form would be helpful – either on your website or one that you can post/email to the person making the SAR. However, you cannot insist that such a form is completed.
It is worth being aware, however, that on a balance of rights versus obligations, annoying someone by asking them to provide additional information is preferable to disclosing confidential data to the wrong person.
Information to Help Your Firm Deal With a Request
Recital 63 of the GDPR provides that your firm may “request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates”. This might apply in those cases where you process a large quantity of information about a data subject or where your firm believes it has supplied all of the data requested but the data subject is claiming that not all data has been disclosed. Whilst this does not allow you to refuse to supply the data it is a way of helping you identify precisely which data you need to supply if the person making the SAR does not require all of it.
The fact that you are seeking more information does not, in itself, extend the period that you have for dealing with the request – unless of course the complexity of dealing with it is such that the firm decides it needs more time, in which case the data subject will need to be contacted by the firm within the month with that information.
What Constitutes a Valid SAR?
Under the DPA, for a SAR to be valid it needed to be made in writing and a data controller did not need to respond to a verbal request. This would not appear to be the case under the GDPR which is silent as to the form the request should take – either as to method of contact or the content or wording of the request. Indeed, the request does not even need to state that it is a SAR or that it is a request made under the provisions of the GDPR.
For this reason, any request by an individual asking for access to their personal information, or to the information of someone else if they are acting for a third party, could potentially be a SAR. You could, if it is a simple request, simply deal with it informally and in the normal course of business. Thus, if the person making the request did not mention the GDPR, the Data Protection Act or the words “subject access request”, then they are likely to be content with receiving the right information. However, if there is any indication that it is a formal request, or if the request comes from a third party such as another solicitor, then it should be treated as a formal SAR.
Do bear in mind also that the information needs to be in respect of personal data relating to the data subject. General information about how the firm deals with matters, information about the actual workings of a case or the stage that litigation has reached in a matter, questions about who the partners are and so forth is not personal data for these purposes.
Finally, factor into any processes that you implement that a request might not be sent to the right person in the firm. Consequently, it is vital that everyone in the firm knows what a SAR looks like and knows what to do when they receive one – even if that is only passing it to the most appropriate person.
Although the DPA contained a list of exemptions (set out in Part 4 and Schedule 7) which gave a data controller the right to refuse a SAR, no such exemptions exist in the GDPR. There is provision at Article 23 for the EU or a member state to make laws restricting the scope of the obligations and rights.
In this country the Data Protection Bill, which will hopefully come into effect in May 2018, provides at section 45(4) & (5) that a data controller may restrict the extent to which data is disclosed so as to avoid obstructing an official or legal inquiry, investigation or procedure; avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties; protect public security; protect national security; and protect the rights and freedoms of others. However, until there is more progress it cannot be stated categorically that such provisions will definitely apply and in any event they will be hedged with certain caveats such as informing the data subject as to why their rights have been restricted and of their right to seek legal redress for this.
Requests made on behalf of others
As was the case with the DPA, the GDPR does not prevent an individual from making a subject access request via a third party, and if such a request is received you will need to make sure that the third party making the request is entitled to act on behalf of the individual. So far as providing the information to a third party is concerned, the GDPR is largely silent, and your firm must make sure that the basic concepts of confidentiality, and care for the affairs of the client, are observed.
Thus, for example, if you think that an individual may not have understood what information would be disclosed to a third party who has made a SAR on their behalf, then you may feel that making the disclosure to the third party is not in the individual’s interests. If that situation arises you would probably be justified in sending the response directly to the individual rather than to the third party. It is then up to the individual if they choose to share the information with the third party after having had a chance to review it. If you take this step, make sure that you record what you have done and the reasons for having done so on the Subject Access Request Log that your firm keeps.
There may also be cases where an individual does not have the mental capacity to manage their own affairs. Again, the GDPR is silent on the topic of enabling a third party to exercise subject access rights on such a person’s behalf. It would be reasonable to assume, however, that an attorney with authority to manage the individual’s property and affairs, or a person appointed by the Court of Protection to make decisions about such matters, will have the appropriate authority. Again, if you are aware that this situation exists you are advised to make a specific note in the firm’s Subject Access Request Log.
Requests for information about children
The GDPR acknowledges that “children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data”. Do be aware that even if a child is too young to understand the implications of subject access rights, data about them is still their personal data and does not belong to anyone else, such as a parent or guardian. So it is the child who has a right of access to the information held about them, even though in the case of young children these rights are likely to be exercised by those with parental responsibility for them.
Before responding to a SAR for information held about a child, you should consider whether the child is mature enough to understand their rights. If you are confident that the child can understand their rights, then you should respond to the child rather than the parent. However, it is vital that the child is able to understand (in broad terms) what it means to make a SAR and how to interpret the information they receive as a result of doing so. The need for information to be presented in an accessible format, usable by children, is something which is specifically referred to in the GDPR at Article 12(1).
If there is doubt about the child’s ability to interpret the data provided then the firm should take account of:
- where possible, the child’s level of maturity and their ability to make decisions like this;
- the nature of the personal data;
- any court orders relating to parental access or responsibility that may apply;
- any duty of confidence owed to the child or young person;
- any consequences of allowing those with parental responsibility access to the child’s or young person’s information. This point is particularly important if there have been allegations of abuse or ill treatment;
- any detriment to the child or young person if individuals with parental responsibility cannot access this information; and
- any views the child or young person has on whether their parents should have access to information about them.
Data that includes information about other people
Responding to a subject access request may involve providing information that relates both to the individual making the request and to another individual. The GDPR provides that the right to obtain information “shall not adversely affect the rights and freedoms of others”. Thus you may not have to comply with a request if to do so would mean disclosing information about another individual who can be identified from that information, unless the other individual has consented to the disclosure or it is reasonable in all the circumstances to comply with the request without that individual’s consent.
So, although you may sometimes be able to disclose information relating to a third party, you need to decide whether it is appropriate to do so in each case. This decision will involve balancing the data subject’s right of access against the other individual’s rights in respect of their own personal data, always bearing in mind the overriding duty of confidentiality owed by a solicitor to all of his or her clients, and bearing in mind that the SRA Code of Conduct specifically states that a solicitor’s duty of confidentiality should override his or her duty to disclose. If the other person consents to you disclosing the information about them, then it would be unreasonable not to do so. However, if there is no such consent, you must decide whether to disclose the information anyway.
For the avoidance of doubt, you cannot refuse to provide subject access to personal data about an individual simply because you obtained that data from a third party. The rules about third party data apply only to personal data which includes both information about the individual who is the subject of the request and information about someone else.
Subject Access Requests form a fundamental part of the GDPR process and, given the ever-increasing awareness of the public regarding their data rights and the high profile that information about GDPR seems to be gaining, it is ever more likely that your firm will receive more subject access requests than it has in the past.
There is no getting away from the fact that GDPR is a ‘big deal’ when it comes to handling and processing data – it is going to affect all businesses and no matter what happens in terms of Brexit, the UK will, by May 2018, have a data protection regime based on the GDPR. The risks of not complying with it are sufficiently great that firms would be foolish to ignore the regulations – especially as doing so will not only put them in breach of the GDPR but the SRA Code of Conduct as well. Given that firms should already be compliant with the DPA, the incremental demands of the GDPR should be attainable provided that firms make the necessary adjustments. As the ICO have pointed out, any new regulation will have some sort of impact on an organisation’s resources, in which respect the GDPR is no different to any other new legislative or regulatory requirements.
To an extent, thinking about GDPR purely as a burden indicates the wrong mindset. GDPR is intended to be an evolution in data protection, requiring more of organisations in terms of accountability for their use of personal data and enhancing the existing rights of individuals. Many of the fundamentals of GDPR have been around for some time – fairness, transparency, accuracy, security, minimisation and respect for the rights of the individual whose data you want to process. These are all things you should already be doing with data, and GDPR seeks only to build on those principles.
Properly implemented, GDPR should be able to help your firm manage data efficiently, reduce the risk you face from data breach (which itself could involve you in huge amounts of unproductive and wasted time) and improve the client experience. Failing to get data protection right is likely to damage your firm’s reputation, your client relationships and, ultimately, your financial performance. These risks could prove to be more significant than the increased fines that have made the headlines. No law firm will wish to risk the reputational damage of being non-compliant with the law of the land and the doubts that would then arise as to its reliability for its advice and services.