SAR: new guidance from the Information Commissioner

By Mark McClelland August 15, 2017

An updated code of practice promises to make it tougher to comply with data protection law.

The new guidance from the Information Commissioner – the UK’s independent data protection regulator – makes it clear that there is a ‘high expectation’ that organisations should be providing information in response to a subject access request (SAR).

Changes have been put in place to reflect recent case law. The burden of proof will be on data controllers – those enterprises that hold personal information about individuals – to show that they took all reasonable steps to comply with the SAR.

The guidance from the Information Commissioner’s Office (ICO) does say that data controllers are only required to carry out ‘a reasonable and proportionate’ search for personal data.

These changes are significant and are set to impact virtually every organisation of any size in the UK.

The ICO says that it has more than 400,000 registered data controllers on its books. So every one of those 400,000 needs to individually work out what the updated guidance means for them. The next step will be to set out a strategy for implementing the changes and updating the learning and training of their staff responsible for data protection.


Lumesse has been talking to some of those affected who are raising concerns that the new guidance could lead to a sudden flood of SARs and that the process of responding to those SARs could become more onerous. Those fears are based on two aspects in the updated guidance:

First, that it is good practice for the Data Controller to have an open conversation with the applicant about the information they require. If a complaint were lodged about the Data Controller’s handling of the SAR then the ICO would take into account the level of co-operation shown by the applicant, as well as the willingness of the enterprise to hold a conversation.

Secondly, the applicant’s motive for making the SAR is irrelevant, although if there has been an abuse of practice by the applicant then the court could use its discretion not to order compliance.

Allowing individuals to find out what personal data you hold about them, why you hold it and who you disclose it to is seen as fundamental to good information-handling practice. The right, now known as ‘subject access’, is set out in section 7 of the Data Protection Act 1998.

While many think of SARs coming from customers or users (such as patients in the NHS), they can also come from employees and ex-employees. Indeed, it was on the employee/employer area that recent case law focussed.

The Court of Appeal gave judgement in the first half of 2017 in three cases which should be helpful to employers in giving a more precise scope of their obligations when responding to SARs from employees and ex-employees. The Appeal Court said that a SAR could come via social media or email and did not need to be a request made in a letter; that employers cannot refuse SARs simply because they believe they are fishing expeditions gathering evidence for litigation; but that a SAR could be refused if its sole purpose was to antagonise.

The judgement confirmed that a SAR requires employers to carry out a ‘reasonable and proportionate’ search for personal data. While that may put some limit on the time and expense involved, lawyers are saying that a proportionate search may still be extensive, particularly for large employers. So arguing that a potential search is not proportionate will not provide an easy get-out.

Where an employer receives a broad and generalised request for all personal data, which might run to many documents, the employer should not refuse to comply. Instead they should first seek to clarify the specific data required, for example by asking for a date range and names or subject headings to search. In other words, back to that conversation. And data controllers have to bear in mind that when they receive a SAR the clock starts ticking: they have 40 days to comply with the request.

And while organisations are still coming to grips with this latest updated guidance from the Information Commissioner, they should be aware that more changes are coming down the tracks.

Data Protection reforms the government announced in August 2017 set out a whole raft of measures to keep data protection relevant in today’s internet economy. This includes a promise to improve data access even further: individuals are promised that they will find it easier to find out what personal data an organisation holds about them, at no charge, although organisations will not have to comply if the request is ‘manifestly unfounded or excessive’.

The Government envisages that in years to come Data Controllers will provide better information on how to access information and empower people to take ownership, including ensuring the information is correct.

Now more than ever, the correct handling of personal data is becoming a critical issue for enterprises. With changes coming thick and fast, everyone concerned with handling data needs to be up to date with data protection law and regulations.

All this has huge ramifications for those who handle personal data every day.

While off-the-shelf learning solutions may cover a lot of ground, enterprises also need to think about how best to engage the workforce to ensure the right level of awareness through the bespoke learning that data protection compliance demands.

For further information and help with SAR please contact Mark McClelland – Key Account Manager Financial Services. mark.mcclelland@lumesse.com / 07774 758717
