For many organisations, one of the key problems with data protection legislation is handling requests from individuals for access to the information held on them.
This problem is exacerbated when, as now, we enter a financial crisis and organisations start to make redundancies, freeze pay levels or delay promotions. We have seen a marked increase in the use of access requests by employees who are in dispute with their employers.
In the UK, there have also been a large number of requests made by customers of retail banks (related to disputes over bank charges), although, of course, any individual customer could make a request of any retailer or service provider which he/she uses.
Under the Data Protection Act 1998 (DPA) individuals are entitled to access the information which an organisation holds about them. This is an important right in data protection legislation, but it can have a significant impact on businesses. Businesses must carry out detailed searches quickly, within a deadline of 40 days from receipt of the request. In addition, businesses must provide the information for a very low charge when compared to the cost of searching. (In general the maximum charge paid by the individual is £10, with the cost of searching vastly exceeding this. In some cases we have seen the cost of searching running to tens of thousands of pounds.) Although there are some exceptions to the right of access, businesses are often concerned because embarrassing information must be disclosed, against the wishes of the business.
In this short article we briefly describe some of the key actions which an organisation should take when receiving a request for access, in order to comply with the DPA and minimise the considerable impact on the business.
What to do when a request is received
- Ensure a request is logged and complied with promptly
Individuals do not have to say that they are making an access request or quote the relevant legislation for it to be a valid request. Consequently, personnel who might receive such requests should be trained in data protection compliance so they can recognise a request for what it is and ensure it is dealt with promptly, and within the 40-day deadline (as required by the DPA). If the organisation does not comply with a request either promptly or fully, an individual can complain to the Information Commissioner, and the Commissioner can take enforcement action.
- The organisation must check that it has sufficient information to respond to the request
The organisation does not have to respond to a request until it has all the information which it could reasonably require to locate the information sought. The 40-day time limit for responding to the request will not start until this information has been obtained. If the request is not clear, the organisation is entitled to go back to the individual for more information.
- Ensure that the individual making the request is entitled to the requested information
If the organisation is not sure about the identity of the requestor, it can ask them to provide evidence of their identity. If an individual is writing on behalf of a spouse, or a legal representative is writing on behalf of their client, an organisation should not assume that they have authority to act on behalf of the client/individual; it should ask for written evidence of that authority.
How extensive should the search be?
The first step after receiving a request for information is to search for any information which the organisation may hold. A helpful court of first instance decision (Ezsias v. Welsh Ministers) has suggested that any searches made in response to subject access requests must be reasonable and proportionate. To work out what is necessary and proportionate, the court in Ezsias considered that the following factors could be relevant:
- the cost of providing the information;
- the length of time it may take to provide the information;
- how difficult it would be to provide the information; and
- the size of the organisation.
All these factors will have to be balanced against the effect of not disclosing the information on the individual making the request.
This guidance is helpful if it is difficult and costly for an organisation to retrieve archived information, or if the information is held on many sites. It should be noted that the Ezsias case has been criticised for applying guidance and legislation out of context. However, the Ezsias case is the leading case in this area so despite the criticism it remains a good test to follow in the UK.
Does the information held fall under the DPA?
- Is it in a relevant filing system?
The DPA only applies to information contained in electronic form, or information held in a relevant filing system. The Information Commissioner’s guidance suggests that in most cases, information held on a manual file would not amount to a “relevant filing system” for the purposes of the DPA. If an organisation does not have an organised system for holding personal data, then it should consider whether the information falls under the DPA.
- Does the organisation process personal data?
The fact that an individual is named in a document does not mean that that document contains personal data. The leading case relating to subject access requests and personal data is Durant. Durant stated that for information to be personal data it had to be ‘biographical in a significant sense’ and the individual making the request has to be the focus of the information. In the Durant case, information about the FSA’s enquiry into Mr Durant’s complaint against Barclays Bank was not Mr Durant’s personal data. This case has been followed by a number of freedom of information cases in the Information Tribunal. In addition, the House of Lords in the CSA case confirmed that the Durant definition of personal data was appropriate for access request cases.
What exemptions could the organisation rely upon?
If the organisation is processing personal data, not all this information must be disclosed under the DPA. The DPA lists a number of exemptions. We have set out a summary of the most relevant exemptions below:
Legal Privilege - Documents that are subject to legal professional privilege do not have to be disclosed.
Third Party Information - If the information refers to other individuals the information does not always have to be disclosed. The organisation can disclose the information if it has the other individual’s consent to disclose the information.
Prevention or detection of crime - If personal data is processed for the:
(a) prevention or detection of crime;
(b) apprehension or prosecution of offenders; or
(c) assessment or collection of any tax or duty or of any imposition of a similar nature;
the organisation does not have to respond to a request for access to the information.
Negotiations - Information which relates to ongoing negotiations between the organisation and the individual does not need to be disclosed.
What to include in the response letter?
There is no set wording for a response letter; however, it is important to ensure that the letter provides all the information that must be provided under the DPA. In particular, the response should set out:
- what information is processed;
- how it is used; and
- who it is shared with.
A note on automated decision-taking
If the organisation is engaged in automated decision-taking, it has additional obligations under the DPA. If an organisation has decisions that are made electronically without human intervention (e.g. automatic scoring after biometric testing in graduate recruitment), an individual has a right to ask for information about any automated processing that has taken place. Additionally they can ask that the decision is retaken without the use of electronic means.
If an individual does not ask for information about automated processing, the organisation is not obliged to provide the information.
Organisations should have in place a process for handling access requests, to minimise the impact on the business and to ensure all relevant steps are followed. Where there has been no planning, we have seen considerable expenditure on compliance in this area and, in some cases, disclosure of too much information or of information to the wrong recipient. With some foresight, it is possible to ensure that the organisation complies with the DPA, where relevant taking advantage of any exemptions and limits on searching or disclosure of data, and at the same time reducing the effort required to comply.