How to satisfy subject access requests

Out-Law Guide | 30 Mar 2005 | 3:18 pm | 11 min. read

This guide is based on UK law. It was last updated in September 2008.

Information to which Data Subjects are entitled

Individuals are entitled to ask data controllers:

• Whether the data controller is processing any personal data about that individual and, if so, to be given:-

  • a description of the personal data;
  • the purposes for which they are being processed; and
  • the disclosees, or potential disclosees, of the personal data.

• For a copy of the information and to be told about the sources from which the data controller derived the information so long as those sources are available to him; and

• About the logic involved in automated decisions relating to him.

Form of the request

A request for Personal Data is a subject access request under the Act. However, it may not always be necessary to treat a request for information as a formal request under the Data Protection Act 1998 (the "Act"). If the request for information is one which you would normally deal with within the normal course of your business, you should consider whether you need to deal with this as a formal subject access request under the Act. 

If you treat the request as a formal subject access request, the data controller is entitled to ask for a fee of £10 (unless the request relates to medical or education records) in order to deal with the request and it is advisable to do so without delay. The subject access request should be in writing. The data controller is also entitled to the following two further pieces of information before the forty calendar day response period commences:

  • Firstly, the data controller must satisfy himself that the person making the request is, in fact, the data subject. The use of a subject access request form is advised, since the greatest breach of a data controller's security is for the data controller to satisfy a subject access request made by a person impersonating the data subject. The use of the form goes towards proving that the data controller has adequate identification and verification procedures in place.
  • Secondly, the data controller is entitled to ask the data subject for further information to enable the data controller to locate the information which that person seeks. It should be remembered that the individual is within their rights to request copies of all information held about them. However, you may wish to try to help the data subject to try to narrow their request for information. This is discussed further below. 

 When the last of these three conditions have been satisfied, the forty day period starts to run. It is advisable to put procedures in place to ensure that the receipt of the request and the further information is correctly dated so that an organisation knows how long it has to satisfy the subject access request.

Negotiating with the Data Subject

As referred to above, it is advisable to negotiate with the data subject. The location information the data subject will have already given will give a clue as to what it is the data subject really wants to have information about. The benefit of the Data Protection Act 1998 is that it allows data controllers to negotiate with data subjects to get the data subject to specify the exact information he or she wishes to receive.

However, if the data subject is adamant that he or she wishes to receive a copy of everything the data controller holds on him or her, then there is very little the data controller can do about this, and a completely exhaustive search of the computerised and manually held data in the organisation will be required.

How to search systems

If this is the case, then a search of all databases and all relevant filing systems (manual files) which are caught by the Act must then be carried out throughout the organisation. The organisation will need to consider the extent to which back up and archived files are searched. It is usual to put a time limit on these requests.

It is sensible to organise the response to the request by giving one individual the responsibility for issuing requests for information throughout the organisation and receiving all the returns. This will normally be the data protection officer.

The data protection officer will then have the job of printing out all computerised information which has been returned to him by each department. He will also have received photocopies of all relevant manual files, and will therefore sit down with two piles of paper in front of him – one of computer printouts and the other of photocopied manual files.

Manual files

The manual files which are caught by the Act are those which pass the two tests set out in the definition of a relevant filing system. The first test is whether the file in question forms part of a structured set. The set has to be structured by reference to individuals or characteristics relating to individuals. If the manual files are organised in alphabetical name order, or payroll number, they will form a structured set.

If this is the case, the second test has to be applied. Does any particular file in the structured set contain sufficient internal structure so that specific information about a particular individual is readily accessible? In other words, does the file contain internal dividers or does it consist of pro-formas which are always in the same place in each file? If the answer to these questions is yes, then the file is caught by the Act.

Restrictions following receipt of a request

The Act is not intended to interfere with the normal running of a data controller’s business and following the receipt of a request a data controller is able to make changes to the requested information in the normal course of operation provided that no changes are made because of the request; even if the data controller would rather not release the information in its current form. This includes the correction of any incorrect data held as the principle is that the individual has a right to request the actual information held about them (whether or not it is correct).

Third party data

Once the information has been collected, the data protection officer must consider his obligations to other data subjects. The data protection officer must essentially pretend that he is the individual making the subject access request. He has to read every single page of information to see whether it reveals the identity of a third party, when viewed from inside the head of the person making the subject access request. If the identity of a third party is already known to the data subject, then the data containing the information relating to the third party can be revealed to the data subject, because he already knows it.

However, if the identity of a third party is not already known to the data subject in the context revealed by the documents, then the data protection officer has to consider whether the request requires the disclosure of the information relating to the third party or whether it is possible to separate this information from the other information to be disclosed, for example, by blanking out the name of the individual, or blanking out other identifying particulars or any other material, would be sufficient to disguise the identity of the third party from the data subject. At this point, all other information which is likely to come into the hands of the data subject must be considered as well. If the identifying material can be blanked out with black marker pen and the rest of the information on that page can be handed over without revealing the identity of the third party, then this information can be included in satisfying the subject access request.

If, however, blanking out will not disguise the identity of the third party because, for example, there is a report which has quite clearly been written by the head of the organisation, and no amount of blanking out will conceal the identity of the head of the organisation, then the data protection officer must consider whether to attempt to obtain the consent of the third party whose identity will be revealed by handing over the information to the data subject or whether it would be reasonable to supply the information without their consent (for example, because the data subject is already aware of the information in question in any case or where it is not possible to attempt to get consent from the third party as this would unavoidably disclose the personal data of the data subject making the request). If consent can be obtained then the information must be disclosed to the data subject (including the third party's information).

If it is not possible to obtain the third party's consent, then it may still be possible for the data protection officer to provide the data subject with the information it would be "reasonable in all the circumstances" to do so. This will involve a balancing exercise taking into account any duty of confidentiality owed to the third party (for example, if they are an employee of the data controller), attempts to receive the consent of the third party (and whether they have expressly refused consent), whether the third party is actually able to give consent, whether the information will already be known to the requesting data subject in any case and the impact on the privacy of the third party if the information is disclosed. These considerations are discussed further below under "Exemptions".

If consent cannot / is not received from the third party and the data protection officer concludes that it would not be reasonable to disclose the information without consent, then the data protection officer should still attempt to deal with the request as far as possible, for example, by blanking out or separating information which is to be withheld.

Consent

Forty days is a very short period in which to obtain consent from numerous third parties so try to think ahead. If your activities are likely to give rise to frequent subject access requests, for example, if you are running an investigations department, it is sensible to obtain consent from third parties when compiling reports for investigations. This will save time at a later date if and when subject access requests are received.

Exemptions

The next stage is to apply the exemptions. Legal professional privilege applies in two areas. Firstly, legal professional privilege attaches to any document which was created with the dominant purpose of being used in current or potential litigation. The document can be created by anybody so long as this was its dominant purpose. The second branch of legal professional privilege attaches to any document which was brought into being in order to obtain legal advice from a barrister or solicitor. This will include documents created by third parties as part of the process of giving or receiving legal advice.

Information in respect of informal grievances may well not be covered by legal professional privilege if the information is not the giving or receiving of legal advice from a barrister or solicitor. Lots of other people give legal advice, such as accountants, patent agents and management consultants, but none of these attract legal professional privilege.

The next useful exemption is negotiations with the data subject. If the data controller is negotiating with the data subject at the time at which the data subject makes the subject access request, the data controller does not have to reveal requested information if to do so would be likely to prejudice those negotiations. Once the negotiations are complete and have been put into effect, the whole file becomes subject to subject access in the normal way. Similarly, there is an exemption for information relating to management forecasting or management planning.

Emails are subject to subject access, as are archived computerised and manual files and all back up tapes. It must be remembered that CCTV footage and tapes of telephone conversations may also be included as personal data and must be searched on receipt of a subject access request if the data subject so requires. The compliance costs of subject access can sometimes be very high.

Other general exemptions to subject access are national security and the prevention or detection of crime, or the apprehension or prosecution of offenders.

Confidential references given in confidence by the data controller are not subject to subject access in the hands of the data controller, but they may well be in the hands of  the recipient. This is a two way street and therefore any confidential references given to you could correctly be subject to release under the Act.

Where the personal data contain health information, there is a duty on the data controller to consult an appropriate health professional before the information can be released to the data subject. This is to avoid disclosing information about adverse health conditions to a data subject where the disclosure may be harmful to the data subject or to another person. This requirement does not apply where the data subject has already had access to the information, or where the data subject originally provided the information himself or herself.

If consent has not been obtained by the data controller for whatever reason, the data controller has to apply the four guidelines set out in the Act. These tests have been included in the Act to take account of the human rights case of Gaskin, where a young man had spent his childhood in the care of a local authority. When he got into his twenties, he made a request to the local authority to see a copy of his file. The local authority records relating to his time in care were considered to provide the only coherent record of his early childhood and formative years. On receipt of the request, the Council discovered that his file revealed the identities of well over a hundred other individuals. The Council attempted to gain consent from these people but in fact, after several years, had only managed to achieve consent from around half the people on the file. The case went all the way to the European Court of Human Rights in Strasbourg, and the Court considered that people in his situation had a vital interest protected by the European Convention on Human Rights in receiving the information necessary to know and understand their childhood and early development. Lack of consent from third parties should not prevent the information from being handed over where this would place the data subject’s Human Rights in jeopardy.

In summary, the four guidelines are:

  • Consideration of any duty of confidentiality owed to the other individual;
  • Consideration of any steps taken by the data controller with a view to seeking the consent of the other individual;
  • whether the other individual is capable of giving consent; and
  • any express refusal of consent by the other individual.

There is no extension of the 40-day time period for obtaining consents. Failure to respond to a subject access request within the 40-day period gives rise to the ability of the individual to obtain a court order to require the data controller to comply with the request. In addition, failure to respond within 40 days will be a breach of the Sixth Data Protection Principle. Any person affected by the breach may bring an action for damages (provided they can prove loss, which may be difficult to do) and any associated distress.

Any such failure may be reported by the individual to the Information Commissioner and may well give rise to an investigation by the Information Commissioner.

It is possible for the data controller to negotiate with the data subject as to the form in which the data controller hands over the information to the data subject. The default position is that the data subject gets a hard copy of the information in a permanent and intelligible format (which may make it necessary for any internal codes released with the information to be explained), unless the supply of such a copy is not possible or would involve a disproportionate effort, or the data subject agrees otherwise. Any terms which are not intelligible without an explanation must be accompanied by an explanation.

Contacts