When the General Data Protection Regulation (GDPR) comes into force on 25 May 2018 it will introduce a number of new obligations on data controllers. Some new data subject rights, including the right to erasure and data portability, will also be introduced. With some breaches carrying fines of up to 4% of global annual turnover or €20m, no one can ignore the GDPR.
The good news is that, while the GDPR will replace the UK’s Data Protection Act 1998 (DPA), it still includes familiar concepts such as the right of an individual (the data subject) to request a copy of their data (known as a subject access request (SAR) in DPA parlance).
In brief, article 15 of the GDPR gives a data subject the right to obtain:
- confirmation that their data is being processed;
- access to their personal data; and
- other supplementary information.
The supplementary information is the same as under section 7 of the DPA (for example, information about the source and recipients of the data) but now includes, among other things, details of international transfers, other data subject rights, the right to lodge a complaint with the Information Commissioner’s Office (ICO) and the envisaged retention period for the data.
Under the DPA, data controllers can charge £10 for a SAR (£50 for a health record). The GDPR allows most requests to be made free of charge. This is a significant change and will hit the budgets of those who receive voluminous or complex requests, for example local authority social services departments. However, a ‘reasonable fee’ can be charged for further copies of the same information and when a request is manifestly unfounded or excessive, particularly if it is repetitive. The fee must be based on the administrative cost of providing the information.
The DPA allows data controllers 40 calendar days to respond to a SAR. Under the GDPR, the requested information must be provided without delay and at the latest within one month of receipt. This can be extended by a further two months where the request is complex or where there are numerous requests. If this is the case, the data subject must be contacted within one month of the receipt of the request to explain why the extension is necessary.
All refusals must be in writing, setting out the reasons and the right of the data subject to complain to the ICO and to seek a judicial remedy.
Format of responses
Where the data subject makes a SAR by electronic means, and unless otherwise requested by the data subject, the information should be provided in a commonly used electronic format. Before providing the information, the data controller must verify the identity of the person making the request using ‘reasonable means’.
The GDPR (Recital 63) introduces a new best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to their information. This will not be appropriate for all organisations, but there are sectors where this could work well, for example local authorities may look to provide secure online access to social work records.
Article 15 makes it clear that the right to obtain a copy of information or to access personal data through a remotely accessed secure system should not adversely affect the rights and freedoms of others. Therefore, as is the case under section 7(4) of the DPA, thought must be given to whether third-party personal data needs to be redacted before disclosing information.
Data protection officers will be familiar with the exemptions in the DPA, set out in part 4 and schedule 7, some of which allow a data controller to refuse a SAR. There is currently no such list in the GDPR. However, article 23 allows governments to introduce exemptions to various provisions in the GDPR, including SARs, by way of national legislation based on a list set out in that article. This contains the same categories as in the DPA, for example national security, crime prevention and regulatory functions. My guess is that the UK government will enact the same exemptions as currently exist in the DPA.
Recital 63 states that the purpose of the SAR is to make data subjects aware of, and allow them to verify, the lawfulness of the processing of their personal data. This suggests that requests for other purposes (for example to assist in litigation) may be rejected. Compare this to Dawson-Damer v Taylor Wessing LLP  EWCA Civ 74, in which the Court of Appeal said there was nothing in the EU Data Protection Directive (which the DPA implements into UK law) which ‘limits the purpose for which a data subject may request his data, or provides data controllers with the option of not providing data based solely on the requestor’s purpose’.
The GDPR does not introduce an exemption for requests that relate to large amounts of data, but a data controller may be able to consider whether the request is manifestly unfounded or excessive. Recital 63 also permits asking the individual to specify the information to which the request relates.
Access and data portability
How different is the subject access right to the right to data portability set out in article 20? The latter also allows for data subjects to receive their personal data in a structured, commonly used and machine-readable format. It also allows them to request it to be transmitted to another data controller.
Unlike the subject access right, the data portability right does not apply to all personal data held by the data controller concerning the data subject. First, it has to be automated data. Paper files are not included. Second, the personal data has to be knowingly and actively provided by the data subject. By contrast, personal data derived or inferred from the data provided by the data subject, such as a user profile created by analysis of raw smart-metering data or a website search history, is excluded from the scope of the right to data portability, since this is not provided by the data subject but created by the data controller. Third, the personal data has to be processed by the data controller with the data subject’s consent or pursuant to a contract with them.
In contrast, the subject access right applies to all personal data about a data subject processed by the data controller, regardless of the format it is held in, the justification for processing or its origin.
It is important to note that both rights do not require data controllers to keep personal data for longer than specified in their retention schedules or privacy polices. Nor is there a requirement to start storing data just to comply with a request if received.
Last year, the ICO’s good practice department conducted a survey on information governance practices in local government. It said: ‘The overarching conclusion from our analysis of the results was that, although there is good practice out there, with the GDPR coming in May 2018, many councils have work to do. Adhering to good practice measures under the DPA will stand organisations in good stead for the new regulations.’ The ICO found that:
- 75% of councils have appointed a data protection officer.
- 85% of councils have data protection training for employees processing personal data. Most legal training companies have a range of DPA and GDPR courses to suit a variety of budgets.
- Most councils carry out privacy impact assessments but 34% still do not. The GDPR makes it a legal requirement for all data controllers to conduct data protection impact assessments in certain circumstances. The ICO’s privacy impact assessment code of practice provides more advice and will be reissued for the GDPR in due course.
- 93% of councils have a data protection and information security policy in place. This is good to see, with the additional importance placed on security in GDPR, especially breach notification.
- 90% of councils have created a role of senior information risk owner to help manage information risk.
Ibrahim Hasan is a solicitor and director of Act Now Training