2.3 Subject Access Requests
185. The right of access is one of the fundamental rights in data protection legislation and the government will protect it. Subject access requests are a critical transparency mechanism under this right, allowing individuals to check the accuracy of their personal data, learn more about how their data is being used and with whom their data is being shared, and obtain a copy of the data held about them.41 Individuals have a right to appoint a third party to act on their behalf, if they wish.
186. The government and the ICO are aware that some organisations have experienced a number of issues with the ways that subject access requests are submitted and handled. These issues fall into two broad categories:
a. Organisations’ capacity to process requests: processing subject access requests can be time-consuming for organisations, taking up significant levels of resource. This is exacerbated in circumstances where the volume of requests is high (‘bulk requests’). Smaller organisations might have fewer resources available to respond to these requests.
b. Threshold for responding to a request: Recital 63 to the UK GDPR states that the purpose of a subject access request is to allow a data subject to ‘be aware of, and verify, the lawfulness of the processing’ of personal data. In some cases, subject access requests may be used in ways whereby the processing of personal data does not appear to be the sole or primary reason for exercising the right of access. For example, there is a risk that subject access requests may be used as a means of circumventing strict disclosure (of information and inspection of documents) protocols that would otherwise need to be followed under the Civil Procedure Rules in the context of actual or prospective litigation.42 As set out in guidance by the ICO, the general position under current law is that a controller cannot consider the purpose of a subject access request unless it seems apparent that the request is ‘manifestly unfounded’, whereby the data subject has no intention of exercising their right of access, or where the subject access request is ‘malicious in intent’ and is ‘being used to harass an organisation with no real purpose other than to cause disruption’.43 The government is aware that some organisations believe that the threshold of ‘manifestly unfounded’ makes it difficult for data controllers either to navigate instances in which it would be appropriate to enquire about the purpose of the request, or to provide sufficient grounds for a refusal to comply with a request.
187. Under the Data Protection Act 1998, individuals had the right to access any of their personal data held by third parties on payment of a nominal fee, set at a maximum of £10, provided the request satisfied certain requirements.44 With the introduction of the EU GDPR, the charging of a nominal fee for responding to subject access requests was no longer permitted in the majority of circumstances.45 Controllers may refuse compliance with a subject access request or charge a reasonable fee only if the request is either ‘manifestly unfounded’ or ‘manifestly excessive’.46 However, the ICO has indicated that organisations do not commonly rely on this provision in order to justify a refusal to comply with a request or to charge a fee for compliance.
41 UK GDPR Article 15
42 See part 31 of the Civil Procedure Rules, which govern the rules of disclosure and inspection of documents in civil court proceedings
43 UK GDPR Article 12(5)(b); see also ICO guidance: ‘When can we refuse to comply with a request?’
44 Section 7(2) Data Protection Act 1998 (now superseded by the Data Protection Act 2018). See also the Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 No.191 and 2001 No.3223
188. To address the issues outlined above, the government is considering whether to introduce a fee regime (similar to that in the Freedom of Information Act 2000, which provides for access to information held by public bodies) for access to personal data held by all data controllers (not just public bodies). The fee regime would be structured so as not to undermine an individual's right to access their personal data. The government recognises that this proposal may impact persons less able to express themselves due to age or disability by resulting in their requests being erroneously treated as ‘disproportionate’ or ‘vexatious’, but this may be mitigated by the fact that a third party can raise a subject access request on their behalf. The government is also keen to gather views on whether there is a need for a safeguard similar to the one provided under Section 16 of the Freedom of Information Act in order to help data subjects by providing advice and assistance to anyone who has made, or is thinking of making, a request.
189. This proposal could help to ensure that organisations are not overburdened by wide-ranging, speculative subject access requests. Introducing a fee regime similar to that in the Freedom of Information Act 2000 would address current concerns by:
a. Introducing a cost ceiling to address organisations’ capacity constraints: the Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004 set a cost limit to prevent organisations being overburdened by requests under the Freedom of Information Act. The regulations define the appropriate cost limit as £600 for central government and £450 for public bodies outside central government, such as local authorities. Only a limited number of tasks count towards this cost and therefore it does not reflect an organisation’s actual cost of compliance with each request. This regime gives public bodies the option of either refusing to deal with the request or charging a fee for responding.47 It is worth noting that there is already a fee charging regime in place for public bodies in relation to subject access requests relating to unstructured manual data.48
If a similar fee regime were introduced for all subject access requests, organisations (both public and non-public) would still be obliged to deal with the request to the extent possible within the cost limit - for example, by suggesting to the individual the information they may be able to search for, retrieve or extract within the cost limit. The cost limit would not function as a ground on which to refuse outright to deal with a request.
45 UK GDPR Article 12(5): ‘Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge’.
46 UK GDPR Article 12: to determine whether a SAR is ‘manifestly excessive’, an organisation should consider whether the request is proportionate when balanced with the burden or costs involved in dealing with the request. In addition, data controllers may also need to consider the different exemptions detailed in Schedules 2-4 of the Data Protection Act 2018. These add to and complement a number of exceptions already built into certain UK GDPR provisions. Further guidance is available on the ICO website: ‘ICO guide to GDPR: Exemptions’
47 Section 13(1)-(3) Freedom of Information Act 2000 sets out additional fees that may be charged when the cost of compliance exceeds the appropriate limit.
48 See para 13 of Schedule 20 to the Data Protection Act 2018, which sets the appropriate maximum limit of fee regulations for manual unstructured data held by Freedom of Information public authorities (until the regulations under Section 24(8) of the Data Protection Act come into force)
b. Amending the threshold for response: the Freedom of Information Act 2000 provides that public bodies may refuse part or the entirety of a freedom of information request, if the request is vexatious.49 The key test for vexatious requests is whether the request is likely to 'cause a disproportionate or unjustifiable level of distress, disruption or irritation'.50
When assessing whether a request is vexatious, the ICO's guidance makes clear that the Act permits an organisation to take into account the context and history of a request, including the identity of the requester and any previous contact with them. Applying similar provisions to subject access requests, in place of the thresholds described in paragraph 186 above, would help to prevent organisations needing to respond to subject access requests where access to personal data or concerns about its processing are not the purpose of the request.
The government welcomes views on the following questions:
Q2.3.1. Please share your views on the extent to which organisations find subject access requests time-consuming or costly to process.
Please provide supporting evidence where possible, including:
○ What characteristics of the subject access requests might generate or elevate costs
○ Whether vexatious subject access requests and/or repeat subject access requests from the same requester play a role
○ Whether it is clear what kind of information does and does not fall within scope when responding to a subject access request
Q2.3.2. To what extent do you agree with the following statement: ‘The ‘manifestly unfounded’ threshold to refuse a subject access request is too high’?
○ Strongly agree
○ Somewhat agree
○ Neither agree nor disagree
○ Somewhat disagree
○ Strongly disagree
Please explain your answer, providing supporting evidence where possible, including on what, if any, measures would make it easier to assess an appropriate threshold.
Q2.3.3. To what extent do you agree that introducing a cost limit and amending the threshold for response, akin to the Freedom of Information regime (detailed in the section on subject access requests), would help to alleviate potential costs (time and resource) in responding to these requests?
○ Strongly agree
○ Somewhat agree
○ Neither agree nor disagree
○ Somewhat disagree
○ Strongly disagree