In accordance with the Data Protection Acts 1988 to 2003 (“the Data Protection Acts”) individuals are entitled to obtain information about the kind of data organisations possess about them, and to verify that that information is correct and up to date. Individuals generally exercise these rights by submitting a data access request to organisations seeking a copy of the personal data the organisation holds about them. This includes employees, who are entitled to, and frequently do, request a copy of all the data that their employers hold about them.
There can be uncertainty as to what exactly the requirements are when an organisation receives an access request from an individual. This uncertainty is reflected in the case study in the panel, taken from the Data Protection Commissioner’s (“DPC”) 2016 Annual Report. The DPC notes in the Annual Report that “Disappointingly, compliance with individuals’ access rights to their personal data remains low and, accordingly, the DPC has recently run a targeted campaign highlighting organisations’ obligations in this area”.
As part of that campaign the DPC has now issued guidance on dealing with access requests, which also looks at how the pending EU General Data Protection Regulation will alter the obligations associated with access requests.
Case Study – Uncertainty regarding processing of Access Requests
The DPC received a complaint from a former employee of a private company who said that details of their redundancy package had been disclosed to a colleague in the company, when that colleague had made an access request.
The company compounded these issues by subsequently disclosing the financial information of a third party when the original complainant later submitted their own access request to the company. The company then identified a number of individuals affected by this later breach, however, when notifying those individuals of the breach, the company again disclosed the complainant’s data by divulging that the complainant was the recipient of those individuals’ personal data.
In its defence the company cited:
- ignorance of the duty to report disclosures to the data subjects involved; and
- inadequate safeguards and training around data protection in place within the company.
The guidance covers requests both under section 3 and section 4 of the Data Protection Acts.
Under Section 3 an individual has a right to find out if an organisation holds information about them, to be given a description of that information, and to be told the purpose(s) for holding it. The request must be put in writing, is free of charge, and an organisation must respond within 21 days.
Under Section 4 individuals have a right to obtain a copy of any information relating to them kept on computer or in a structured manual filing system by an organisation. The request must be put in writing and an organisation may charge a nominal processing fee of €6.35. The organisation must respond within 40 days.
Exemptions and Exceptions to the Right of Access
The guidance sets out the permitted exemptions whereby access to personal data can be legitimately refused. These grounds include data subject to legal privilege, where an individual is involved in a claim against an organisation, where information relating to third parties would be disclosed and where the data being sought involves personal opinions expressed by another individual and given in confidence.
It is important to note that these exemptions are interpreted narrowly by the DPC. This is evident from another case study included in the 2016 Annual Report and involving the online accommodation company Airbnb. An individual, who had been an Airbnb guest, submitted an access request to Airbnb relating to their stay, and in particular relating to a complaint the host of the accommodation had made about them. Airbnb had withheld an email sent by the host regarding the complaint on the basis that it constituted an expression of opinion given in confidence.
The DPC regarded the email in question as predominantly factual in nature. While one aspect of the email constituted an expression of opinion, there was no indication in the email of any expectation of the email being kept confidential or not being disclosed to the guest. The DPC noted in this context that an opinion given in confidence must satisfy a high threshold of confidentiality.
Applying to have Personal Data Removed or Corrected
The guidance outlines the right of individuals, once they have received a copy of their personal data, to change or delete data, or restrict the use of the personal data. Similarly to an access request, an organisation has 40 days in which to respond, either acceding to the request or setting out reasons for refusing to do so.
Individuals can apply to have their information changed or deleted where that information:
- is factually incorrect;
- was obtained or processed in an unfair way;
- is not accurate, complete or up to date;
- is being used in a manner incompatible with the reason for which it was originally collected;
- is being stored in an unsafe way, or where storage security measures are inappropriate; or
- the organisation cannot provide a valid reason for retaining it.
An individual can request to restrict the use of their personal data to the main purpose for which they originally supplied it where they believe that the data is being used for a purpose of which they are not aware or to which they did not consent.
Impact of the GDPR
The new EU General Data Protection Regulation or GDPR will come into force on 25 May 2018 and is set to radically change the rules attaching to data protection. The rules for dealing with subject access requests are set to change under the GDPR in a number of ways:
- Fee: Organisations will no longer be able to charge a processing fee, unless it can be demonstrated that the cost associated with processing a request will be “excessive”.
- Timeline: The timescale for processing an access request will decrease significantly from the current 40 days permitted. Requests will need to be processed “as quickly as possible” and must be completed within a period of one month.
- Refusal Policies: Organisations will be allowed some leeway in refusing access requests where such requests can be deemed manifestly unfounded or excessive. However, to avail of these grounds, organisations must have “clear refusal policies and procedures” in place outlining what the organisation deems to be manifestly unfounded or excessive, and must be able to demonstrate how a particular request meets these criteria.
- Additional Information: Organisations will be required to provide information about their data retention periods, and the right to have inaccurate data corrected, to individuals making access requests.
- Data Portability: Where controllers process personal data through “automated means”, individuals will have the right under the GDPR to require an organisation to transmit their data to another organisation.
Given the heightened consciousness and concerns around “big data” and issues of individual privacy, people are becoming more aware of, and more willing to employ, access requests as a mechanism to assess what personal data organisations hold about them. In turn the GDPR is set to have logistical implications for the processing of such requests, where additional information will need to be provided within a shorter timeframe.
Organisations need to ensure that they have mechanisms in place now to deal with such requests, and have made adequate preparations to ensure a seamless switch to the increased obligations that will come into force with the GDPR next year, or face the increased fines and penalties for breaches that are set to be introduced as part of the new regime.