We look at changes to the procedure for handling subject access requests under the new rules.
In our last Charity E-News, we provided an overview of how charities will need to modify their handling of the personal data of their staff or volunteers (HR data) in light of the changed data protection rules that come into effect on 25 May 2018.
This article focuses on changes to the procedure for handling subject access requests under the new rules. These changes will apply not only when a staff member or volunteer invokes their right for information that the charity holds about them, but also where the right is invoked by other data subjects of a charity, including but not limited to its donors, service users or fundraisers.
What is a subject access request (SAR)?
In its most basic form, this is a request by an individual to see what personal data an organisation holds about them and for certain information in connection with that data.
The right is currently conferred under the existing Data Protection Act but will be amended by Article 15 of the General Data Protection Regulation (“GDPR”).
How will the SAR rules be amended?
Under Article 15, a data subject will have the right to obtain from a data controller confirmation as to whether or not personal data relating to them is being processed and, where this is the case, the GDPR provides that additional information must also be given, including: (1) the purposes of the processing, (2) the categories of personal data concerned, (3) to whom the data has been or will be transferred or disclosed, (4) the envisaged retention periods and (5) the existence of certain rights in relation to that data, such as the right to have inaccuracies corrected (and, in certain cases, the data deleted).
The GDPR also provides that where personal data is used in automated decision-making and profiling, the data subject must be told about this and provided with meaningful information about the process and its impact on them.
What else will change?
It is important for data controllers to be aware of the new timescales for responding to SARs. Currently, such requests must be dealt with within 40 days. Under the GDPR the starting position will be that data controllers must respond without undue delay and at the very latest, within one month of receiving the request.
The ability to charge a fee for dealing with such requests will be significantly curtailed. Going forward, a fee may only be charged where the request is manifestly unfounded or excessive, for example where a data subject makes repetitive requests or seeks further copies of the same information.
- It will be important to consider and update relevant policies and procedures to ensure that they reflect the new regime.
- Training about the new rules should be given to those individuals within the organisation (including employees, volunteers, trustees) who may potentially come into contact with SARs. SARs should be referred to the appropriate person within the organisation so that they are dealt with consistently and correctly.
- If, as a result of the GDPR, the organisation considers that it is likely to receive more SARs in the future, it may wish to consider whether it is possible to have more information readily available to data subjects, for example via a secure online portal.
- We anticipate further guidance from the Information Commissioner’s Office with regard to SARs, to be published in due course. We recommend that you watch out for this.
The information above summarises the changes applicable to the SAR regime. Of course, the GDPR will also impact on a number of other areas and will confer other new rights on data subjects, be these staff, volunteers, donors, supporters, service users, alumni, suppliers or others.