Take Subject Access Requests Seriously

Daniel Geller

The ICO’s recent fine for a data breach at a GP surgery in Hertfordshire was the direct result of a subject access request (“SAR”) that had gone wrong.

The surgery revealed confidential details about a patient to an estranged ex-partner because there were insufficient systems in place for staff to deal with SARs.

Subject access is a fundamental right of individuals under the Data Protection Act. It enables individuals to find out what personal data you hold about them, why you hold it and who you share it with, and respecting it is fundamental to good information-handling practice. The right, commonly known as subject access, is set out in section 7 of the DPA. Individuals exercise it by making a written subject access request, or SAR.

Aside from a £40,000 fine, this case caused huge damage to the organisation’s reputation. Such a significant and high profile data breach could have been avoided had suitable internal measures been put in place. Whatever the size of your organisation, if you hold personal data you will almost certainly have to respond to a SAR at some point.

Dealing with SARs involving third party data

As the GP surgery case shows, responding to a SAR may involve providing information that relates both to the requester and to another individual. Under the DPA you do not have to comply with a SAR if doing so would mean disclosing information about another individual who can be identified from that information, except where:

  1. the other individual has consented to the disclosure; or
  2. it is reasonable in all the circumstances to comply with the request without that individual’s consent.

So, although you may sometimes be able to disclose information relating to a third party, you need to decide whether it is appropriate to do so in each case. This decision will involve balancing the data subject’s right of access against the other individual’s rights in respect of their own personal data. If the other person consents to you disclosing the information about them, then it would be unreasonable not to do so. However, if there is no such consent, you must decide whether to disclose the information anyway. You should make decisions about disclosing third-party information on a case-by-case basis. It is not advisable to apply a blanket policy of withholding it.

For the avoidance of doubt, you cannot refuse to provide subject access to personal data about an individual simply because you obtained that data from a third party. The rules about third party data apply only to personal data which includes both information about the individual who is the subject of the request and information about someone else.

ICO figures show that 46% of all complaints made to the ICO last year were about SARs and the difficulties people face when trying to get hold of their personal information. This is a substantial figure and highlights that, however inconvenient, SARs should not be taken lightly by companies.

It is important to make sure staff are equipped to deal with SARs. The ICO has published helpful guidance on best practice for dealing with SARs. Alternatively, for more information on this subject, feel free to contact a member of the Fox Williams idatalaw team.

 

Daniel Geller is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at dgeller@foxwilliams.com


At last, agreement on EU data protection reform

Nigel Miller

First proposed in January 2012, agreement has finally been reached between the European Commission, the European Parliament and the Council (the so-called ‘trilogue’) regarding a new General Data Protection Regulation (GDPR).

Current data protection rules are based on the 1995 Data Protection Directive, which predates mainstream internet, social media, big data, the cloud and other advances in technology which shape the way business operates today. It’s a classic case of legislation not keeping pace with technological development; its overhaul is well overdue.

A key benefit of the GDPR will be a single harmonised data protection law covering the whole of the EU. At present, each EU state has implemented its own version of the 1995 Directive and differences can apply in different member states.

The main highlights are summarised as follows:

A stricter regulatory environment

Reflecting ever increasing concerns about how personal data is used in the digital economy, and the continuous flow of news reports about data security breaches, the GDPR imposes a much higher burden of compliance on business.  Specific points include:

  • Fines – the maximum fine for breach of the GDPR is to be set at 4 per cent of a company’s worldwide annual turnover (or €20 million, whichever is higher). Currently the maximum fine under the DPA is £500,000. This alone should be enough to put the GDPR onto every Board’s agenda.
  • Easier access to data: individuals will have (and businesses will be required to provide) more information on how their data is processed and this information should be available in a clear and understandable way.
  • Consent – a new more expansive and specific definition of consent requires that it must be a “freely given, specific, informed and unambiguous indication of his or her wishes” by which the data subject, either “by a statement or by a clear affirmative action”, signifies agreement to personal data relating to them being processed.
  • Additional administrative burden – businesses must keep a record of any data processing activities under their responsibility (referred to as documentation) and must carry out data protection impact assessments (DPIAs) if they are processing data using new technologies and this is likely to result in a high risk to the individuals concerned.
  • Rules for innovation – the regulation requires that data protection safeguards are built into products and services from the earliest stage of development (privacy by design). Privacy-friendly techniques such as pseudonymisation are encouraged by the GDPR, to allow the benefit of big data innovation while protecting privacy.
  • Data protection officers – companies will be required to appoint data protection officers if they process sensitive data or collect information from consumers on a large scale. This will be an additional cost to many companies, although there is an exemption applicable to SMEs – see below.
  • Data processors – the GDPR treats a data processor as a data controller if it processes personal data otherwise than in accordance with the data controller’s instructions, and subjects data processors to fines for breaches of the GDPR; under current rules, in general, only the data controller is responsible for compliance.
  • Data breach notification – companies and organisations must notify the national supervisory authority (that’s the ICO in the UK) of serious data breaches as soon as possible (within 72 hours where feasible), and in high-risk cases must also tell the individuals affected so that they can take appropriate measures.

Individual rights

As well as the above, the new rules strengthen existing rights to include:

  • a right to data portability – the GDPR will make it easier for consumers to transfer personal data between service providers such as social network platforms and SaaS service providers;
  • right to be forgotten – EU citizens will have a stronger right to require that their data is deleted provided that there are no legitimate grounds for retaining it, which may require a business to rethink its current policy on data retention and deletion.

International aspects

  • Impact on non-EU businesses – the new rules will apply to companies who do not have a physical presence in the EU but offer services in the EU and collect data about EU data subjects. This will, for example, affect many US companies that provide services into the EU.
  • International data transfers – the position regarding transfers of data outside of the EU is unsatisfactory, highlighted by the recent invalidation of the Safe Harbor framework in respect of transfers to the US. However, it seems that the position under the GDPR will be largely unchanged from the current position.
  • One continent, one law – The GDPR will establish one single set of rules for the whole of the EU which will make it simpler and cheaper for companies to do business in the EU.
  • One-stop-shop – businesses will only have to deal with one single supervisory authority.

Exemptions for SMEs

Under the new rules, SMEs benefit from certain exemptions to reduce the burden of compliance:

  • No more notifications: the requirement to notify to / register with the ICO is to be scrapped.
  • Subject access: Where requests to access data are manifestly unfounded or excessive, SMEs will be able to charge a fee for providing access.
  • Data Protection Officers: SMEs are exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity.
  • Impact Assessments: SMEs will have no obligation to carry out an impact assessment unless there is a high risk.

Next steps

Before the GDPR becomes law, the final text must be formally adopted by the European Parliament and Council, which is set to happen at the beginning of 2016.

The new rules will then become applicable across the EU two years thereafter.

For more information on how the GDPR will affect your business, please contact Nigel Miller (partner) or Sian Barr (associate) at Fox Williams LLP.

 

Do you need to register (notify) under the Data Protection Act?

Nigel Miller

Many companies are at risk of committing a criminal offence and attracting bad publicity by failing to register (notify) under the Data Protection Act. Notification to the Information Commissioner’s Office (ICO) under the Data Protection Act is a relatively straightforward step. On the other hand, failure to notify is publicly visible – because firms which have registered are on the searchable register on the Information Commissioner’s website which contains the name and address of data controllers and a description of the kind of processing they do – and could also betray a failure to comply with Data Protection requirements more generally.

The Data Protection Act requires every data controller who is processing personal information to register with the ICO, unless they are exempt. Failure to notify where required to do so is a criminal offence.

The Act largely covers personal data held on computer, but it also covers manual data that is held within a structured filing system.

Most organisations that handle personal information must register (notify) with the ICO. There is no need to register if you handle personal data only for the core business purposes of staff administration, advertising, marketing and PR, and accounts and record keeping. So long as processing remains strictly within these limits, there is no need to register. However, even if you are exempt from registration you must still comply with the other provisions of the Act, and it may be advisable to register voluntarily for public transparency and in case any of your processing should extend beyond the scope of the exemptions (so as to avoid the criminal offence of processing without notification).

Registration cannot, as yet, be effected online in the UK but the forms may be completed using the standard templates available from the ICO website and, once completed online, may be printed off, signed and sent with the appropriate fee to the ICO. The fee is £35 but for larger data controllers with an annual turnover of £25.9 million and 250 or more members of staff, the fee is £500.

The ICO does not seek to verify the contents of the notification and cannot refuse registration. However, in the event of any sort of regulatory action following, for example, a complaint about data protection, the ICO may check that the notification is accurate and take enforcement action if it is found to be incomplete.

Notifications are renewable annually. There is no such thing as a parent company registration, which means that each data controller within a corporate group must register. The data protection register can be searched on the ICO website at http://www.ico.gov.uk/ESDWebPages/search.asp

Contact us if you need any assistance with notification.