the proposed reforms to record keeping, breach reporting requirements and data protection officers?
2.3 Subject Access Requests

185. The right of access is one of the fundamental rights in data protection legislation and the government will protect it. Subject access requests are a critical transparency mechanism under this right, allowing individuals to check the accuracy of their personal data, learn more about how their data is being used and with whom their data is being shared, and obtain a copy of the data held about them.[41] Individuals have a right to appoint a third party to act on their behalf, if they wish.

186. The government and the ICO are aware that some organisations have experienced a number of issues with the ways that subject access requests are submitted and handled. These issues fall into two broad categories:

a. Organisations’ capacity to process requests: processing subject access requests can be time-consuming for organisations, taking up significant levels of resource. This is exacerbated in circumstances where the volume of requests is high (‘bulk requests’). Smaller organisations might have fewer resources available to respond to these requests.

b. Threshold for responding to a request: Recital 63 to the UK GDPR states that the purpose of a subject access request is to allow a data subject to ‘be aware of, and verify, the lawfulness of the processing’ of personal data. In some cases, subject access requests may be used in ways whereby the processing of personal data does not appear to be the sole or primary reason for exercising the right of access. For example, there is a risk that subject access requests may be used as a means of circumventing strict disclosure (of information and inspection of documents) protocols that would otherwise need to be followed under the Civil Procedural Rules in the context of actual or prospective litigation.[42] As set out in guidance by the ICO, the general position under current law is that a controller cannot consider the purpose of a subject access request unless it seems apparent that the request is ‘manifestly unfounded’, whereby the data subject has no intention of exercising their right of access, or where the subject access request is ‘malicious in intent’ and is ‘being used to harass an organisation with no real purpose other than to cause disruption’.[43] The government is aware that some organisations believe that the threshold of ‘manifestly unfounded’ makes it difficult for data controllers either to navigate instances in which it would be appropriate to enquire about the purpose of the request, or to provide sufficient grounds for a refusal to comply with a request.

187. Under the Data Protection Act 1998, individuals had the right to access any of their personal data held by third parties on payment of a nominal fee, set at a maximum of £10, provided the request satisfied certain requirements.[44] With the introduction of the EU GDPR, the charging of a nominal

[41] UK GDPR Article 15
[42] See part 31 of the Civil Procedure Rules which govern the rules of disclosure and inspection of documents in Civil Court proceedings
[43] UK GDPR Article 12(5)(b) and please see ICO guidance: ‘When can we refuse to comply with a request?’
[44] Section 7(2) Data Protection 1998 Act (now superseded by the Data Protection Act 2018). See also the Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 No.191 and 2001 No.3223