Not long ago, we distilled a series of recent cases and produced practical guidance for employers on dealing with subject access requests (“SARs”) under the Data Protection Act 1998 in the form of two blogs:
- Data Protection – practical guidance from recent case law on subject access requests
- Data Protection – even MORE practical guidance from recent case law on subject access requests
These blogs were intended to complement our earlier blog “Top 10 tips for responding to a subject access request”, which was prepared with the Information Commissioner’s Office’s (“ICO”) original code of practice in mind.
That code of practice has now been re-issued in light of the recent guidance from the courts, which can be found on the ICO’s website here. The code itself is lengthy and detailed, but we have picked out a further top 10 tips from the most useful and practical additions to the revised code:
- Don’t assume you can rely on litigation as a reason not to comply with a SAR - The ICO will not accept an argument that the applicant has a ‘collateral’ purpose (e.g. obtaining documents relevant to the litigation earlier than they otherwise would) as a ground for refusing to comply with a SAR. The courts agree that the regime is ‘purpose blind’.
- Do engage in an open conversation with the applicant about their SAR - The ICO considers this good practice – the employee benefits because they get their desired information and the employer benefits because it is a way of reducing costs and effort that would otherwise be incurred in locating the information.
- Don’t blindly rely on the ‘disproportionate effort’ exemption - The courts have more readily embraced the concept of proportionality of searches in recent cases, but the ICO is clear that it is not a panacea. The code says, “the burden of proof is on you as data controller to show that you have taken all reasonable steps to comply with the SAR, and that it would be disproportionate in all the circumstances of the case for you to take further steps”.
- Do search relevant email accounts - This should almost go without saying in any modern business environment. Remember to include in your search anything moved to a user’s local ‘Deleted Items’ folder.
- Don’t ignore information which may have been archived or otherwise backed up - It is likely that your business has backup servers that preserve information deleted from the ‘live’ system. Recovering it will probably involve additional steps, but that does not mean it is automatically disproportionate to do so. However, it may be reasonable to ask the requester to provide additional context in order to locate the information.
- Do consider whether you need to go to great lengths to retrieve ‘permanently’ deleted information - It is unlikely you will need to if it will require significant time and additional resources to reconstitute the data, e.g. by engaging an external forensic expert.
- Don’t automatically exclude an employee’s personal equipment or private email accounts from searches - There is a chance they may be deemed to be processing information on your behalf, which could fall within the SAR. However, there should be a good reason to believe that they hold the relevant personal data before such intrusive searches need to be carried out. If you do not do so already, it is advisable to ensure policies are clear as to whether staff are permitted to hold personal data on their own devices on the business’ behalf.
- Do remember that you don’t necessarily need to provide copy documents in all cases - Although the ICO notes that it will usually be easier to do so, it recognises that they are not a strict requirement. Instead a description of the data and how/where it is recorded may be sufficient and give a tactical advantage to employers (see more here).
- Don’t disregard SARs made via social media - This may be a little surprising, but requests made through your Facebook, Twitter or LinkedIn pages are still valid in principle. It may nevertheless be legitimate to resist responding to a SAR made through such a medium, for example if you are not satisfied as to the requester’s identity, or if you require a fee and it has not been paid.
- Do remember the power of the courts - While the ICO’s power to enforce compliance with SARs may be limited, this is not the case for the courts. For details on what the courts will consider relevant, see our blogs above and page 65 of the code.
The future of SARs
As useful as the ICO’s code of practice is for the time being, it does not take account of the EU’s General Data Protection Regulation (“GDPR”), which applies from 25 May 2018. Whatever may happen with Brexit, employers should of course have one eye on these upcoming changes.
We would expect the ICO to publish a further revised code on SARs in due course to take account of the GDPR, but in the meantime employers can read our thoughts here on what they need to be doing now in order to prepare for GDPR.