Enshrined in the GDPR, the right of access or SAR (subject access request), permits individuals to obtain copies of their personal data controlled by organisations. This month, SAR rules were clarified by the ICO, but compliance may prove difficult for many.
Whilst individuals can make a SAR verbally or in writing, and this includes social media, organisations must respond formally, without delay and usually for no charge. Informal requests through multiple channels are just one challenge facing organisations already battling with GDPR compliance. Faced with daily risks of cyber-attacks and greater pressure to protect personal data, SARs will further expose organisations already failing to meet GDPR standards. BA, Facebook, Marriott International and Equifax are just a few of those fined and facing lengthy litigation proceedings for non-compliance. Still, SAR rules could steer many more into uncharted, dangerous waters.
Data access vs data privacy
SAR guidelines reveal the difficult balancing act between the legitimate right of access and the legitimate right of privacy. Whilst individuals are only entitled to their own personal data (and other supplemental information, for example, to whom the controller sends this personal data), what happens when the SAR includes information about other individuals? Well, this is a matter of judgement and a risky one at that. An employee requesting a copy of her human resources file may well receive contributions to the file from managers and colleagues which breach data laws.
Red flags should also be raised when a third party makes a SAR, also permitted under the guidelines in certain circumstances. Imagine a daughter requesting potentially highly sensitive information from her mother’s bank. Whilst the guidelines suggest a written form of authority from the mother consenting to the SAR may suffice, lawyers should advise data handlers to be extremely cautious. In this latter scenario, one should question the capacity of the mother, unable to make a SAR herself, and whether it was safe to supply information to the daughter without a suitable Power of Attorney.
The price of non-compliance
Consequences of non-compliance or reckless compliance with a SAR could result in litigation. In addition, the ICO may also take further action, including issuing enforcement or penalty notices.
Of course, there are special categories of data where exemptions to a SAR are permitted. Data collected related to crime, taxation, and legal professional privilege fall into this category. Meanwhile, special rules apply to certain cases involving unstructured manual records, credit files, health data, educational data, and social work data.
A balancing act
With special cases, there is a genuine balance between competing, respective privacy rights of data subjects.
As an example, in one case, a cancer patient felt that his GP had dealt with him incompetently. He launched a formal complaint against his GP, which the General Medical Council (GMC) investigated. An expert report on the GP's fitness to practise was prepared. The report contained the joint personal data of the patient and the doctor. This report found that the GP's care had fallen below, but not seriously below, the expected standard. As a result, the GMC concluded that no further action should be taken against the GP.
The patient was sent a one-page summary of the report, but he requested a full copy to support a potential claim for clinical negligence. However, the GP did not consent to the disclosure of the report. Despite this, the GMC determined that it should disclose the report to the patient.
In a High Court ruling, the judge concluded that the GMC had not performed the balancing exercise correctly, and that the GMC should not have disclosed the report. The following reasons formed part of this decision:
- In the absence of consent, the GMC should have started with a presumption against disclosure.
- The GMC gave no adequate weight to the doctor’s status as a data subject or his privacy rights.
- The GMC’s decision took no adequate account of the doctor’s express refusal of consent.
- The decision taken did not adequately consider that the purpose of the request was to use the report in litigation against the GP. Or, in other words, the information was not being sought to protect the patient’s data protection rights.
Whilst the decision in this case seems to be pro-business, a SAR will likely be upheld where it is made by an individual for legitimate purposes (other than litigation).
An ongoing challenge
Organisations are having to train staff, update systems, and implement processes to recognise, handle and respond to SARs without simultaneously suffering a data breach. This is no easy task, as organisations face unprecedented financial and operational pressures caused by the ongoing coronavirus pandemic. When uniformity and systems-based solutions are being managed by a dislocated, at-home workforce, safe navigation of the road ahead will be an impossible challenge for some.
This article was written by Matthew Evans. Matthew is a senior data breach solicitor at Keller Lenkner UK. He brings extensive data breach and commercial expertise to the practice and advises clients in current multi-party actions including against Ticketmaster, British Airways and Marriott International.