The Hot Topic of Subject Access Requests
16 December 2019
by Graham Francis, AoC Workshop Facilitator
The introduction of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 have resulted in major changes in how we need to consider and process personal data within any organisation.
We have moved from a regime which focused more on the security of personal data to one where we need to consider the rights of the individual at all stages of data processing.
These new rights have given the data subject more power in the way in which their data is processed as well as significant rights to view and obtain a copy of the data that an organisation holds on them.
The introduction of GDPR saw an immediate rise in the number of Subject Access Requests many organisations received and (this coupled with an often false understanding of the ‘right to erasure’) has seen organisations needing to consider each application as it is received.
Many organisations state that this request needs to be made in writing although the regulation itself does not indicate the format in which the request must be made. In fact Recital 59 of GDPR recommends that data controller should provide means for the request to be made electronically especially where the processing of processing of personal data is carried out electronically.
Providing a means by which a data subject can access their own data will obligate an organisation from some of the requirements of carrying out a subject access request if that information is already available. Further good practice would be to be to introduce a means by which a data subject can make a Subject Access Request electronically through the use of an electronic form and to provide the requestor with an opportunity to clearly state what personal information they actually require.
It should be remembered that a request for “all of my data” might be considered excessive however current guidance dictates that ‘excessive’ does not refer to ‘all of my data’ but to a request overlapping with other requests or one that repeats the substance of previous requests and that a reasonable period of time has not passed since the previous request was made. Whilst this guidance now provides a definition for excessive it is not clear ‘what a reasonable amount of time’ might be.
In all cases a statutory period 30 days is in place in which to make a response is in place. It should also be noted that a minor change to the interpretation of when this period begins has been introduced with day 1 now being considered as the day on which the request was received. In the light of this it might be prudent for organisations to adopt a period of 28 days in which to make a reply rather than the statutory period.
The introduction of GDPR has led to many organisations having to carefully consider how they share personal data with third parties such as parents and support services. It is clear from GPDR that the personal data is that of the individuals and should not be shared under normal circumstances with anyone else without their permission (i.e. Consent).
However for many years in education we have followed a “carrot and stick” policy when reporting student progress to their parents, it would now appear that we need the students’ permission to do so. Therefore we ideally need to gain their Consent (in an affirmative manner) as part of the enrolment process, ideally when they are committing to studying at the organisation in order to continue this process.
We also need to consider what to do when an individual no longer wishes to share their progress with others. It is after all their data and not of their parents. In these circumstances it is probably best for that hard conversation to take place between the respective parties and not with the organisation itself.