GDPR and Subject Access Requests

Transcript of the Video

Good afternoon ladies and gentlemen. Suzanne Dibble here, data protection law expert coming to you live, raw and live and uncut from a sweaty Singapore where the jet lag has kicked in and hence you can see the extremely large bags under my eyes, but as I stated in my video right up front, it's not about how I look, it's about the guidance that I'm giving you.

So what I wanted to talk about today, there was another great question in the group about subject access requests and how we deal with those and how the position has changed under GDPR, so this video addresses that.

Firstly, subject access requests exist at the moment. They are not new, and what I'm going to do is post in the comments to this video a really handy subject access request step-by-step guide through the process that the ICO has already produced, and then I'm going to tell you how it's changed with GDPR. But things just to point out about replying to a subject access request: the first thing is to verify the identity of the person who is requesting the data, because if it's not actually them and you reply to that, then you're in breach by disclosing that personal data. So the very first step is to make sure that the person who is requesting the personal data actually is who he says he is.

The points here say that if it's a person with whom you have regular contact, sends a letter from their known address, it may be safe to assume that they are who they say they are, but if you have good cause to doubt the requester's identity you can ask them to provide any evidence you reasonably need to confirm it. So, you could ask them to send you a copy of their passport for example, or something like that and you need to consider whether you need any information to find the records that they're asking you to disclose, so have a look at that in the step by step guide that I'm going to post in the comments to the video.

Also, something else to point out is that it's not all information that you hold on them. So, if it's an employee for example or a customer or a prospect, then it's not everything. You don't have to send, you know, chains of emails that go back however long. It's personal data. We're only talking about personal data. Data that identifies somebody, so in an employee context, that might be something like, for example, an employee writing in to say "I've got a splitting headache today. I won't be in," and that would be personal data, but you know, just work emails backwards and forwards typically won't contain personal data, so you have to be clear about that.

The other thing to consider is when you are including information about other people. You don't have to supply information about other people unless the other people mentioned have given their consent or it's reasonable to supply the information without their consent, and even when the other person's information should not be disclosed, you should supply as much as possible by editing the references to other people. So in an employee context for example, if you have a supervisor who has commented on an aspect of an employee's performance and by disclosing that, even if that person isn't named, but if it would be obvious to the employee that those comments are from the other employee, then you wouldn't have to disclose that data. I'll post this step-by-step guide in the group for you to see.

Now, what's changed under GDPR? Well, the answer is actually not an awful lot. The two main things that have changed are that you can no longer charge a fee. There used to be ... you used to be able to charge a £10 fee for processing it. You can't now charge that, unless the request is manifestly unfounded or excessive in which case you can charge a reasonable administrative cost fee for that and again, if further copies are requested you can also charge a fee for that.

The other thing is the time to respond, that has changed although not hugely significant. At the moment the response time is 40 days and under GDPR that's going to change to a month, so unless there is a particularly complex request in which case you have the possibility to extend that to three months, but you do have to write to them within the month, the initial month, to tell them that you need longer to reply and explain why you need longer to reply.

They're the main things that have changed. The other one is that it's got to be possible to make requests electronically, so by email for example, and where a request is made electronically, the information should be provided in a commonly used electronic format unless otherwise requested by the individual. So if they request by email, then typically you should provide the reply by email.

I talked before about the right to withhold certain data. The wording in GDPR is that you can withhold personal data if disclosing it would adversely affect the rights and freedoms of others, and the recitals to GDPR note that this could extend to intellectual property rights and trade secrets. Member states may introduce further examples such as legal privilege, which is where advice is shared from a lawyer to its client and that is known as legally privileged information.

So not an awful lot has changed, but you obviously need to be mindful of the fact that there is the shorter time period. I think that as consumers become savvier about their rights, in particular subject access requests, we could see more of these, and I think employees as well. Certainly if an employee is going through any kind of disciplinary or grievance procedure then subject access requests I think will become more common, as employees like to go on a bit of a fishing expedition to find out what information you hold on them to see if there's anything that can further their case, but if you are in the middle of an employee dispute then obviously do take bespoke legal advice on that, about how to respond to subject access requests.

If you have a subject access request from a customer or a prospect, just maybe someone disgruntled on your email list who has heard, with the GDPR being the hot topic and with the ICO launching their consumer-facing campaign next month, you might see more of them, so it's important that you are aware of the time limit and treat it seriously, but possibly more importantly that you train any staff who are possibly going to receive a subject access request. So that's the people that open the post. It's the people where, if you've got a support email address, the people who are monitoring that support email address, you train them to be able to spot a subject access request and to forward that on to the appropriate person.