As Subject Access Requests increase, so too does the expectation from the Information Commissioner (ICO) that Data Controllers should effectively comply with this fundamental right under Privacy law. Our Director Gary Baker explains the minimum steps you should be following as the trend suggests your SAR applications will rise in 2021.
Most of our clients have experienced quantifiable increases in the number of SARs they have received. Some report a 40-50% increase year on year since GDPR was introduced in 2018.
The need to be properly prepared to receive, research, redact and respond to access requests is more important than ever.
Emerging undercurrents from our Healthcare clients also suggest that an increasing number of people are keen to learn how their data has been used and shared during the Covid Test & Trace process, and how Vaccine distribution decisions regarding their own ‘place in the queue’ have been made.
This is likely to drive a new chapter in SAR trends as curiosity and genuine concerns over loose data sharing begin to ripple through Communities.
Whilst the process may seem onerous and complex at first glance to those who haven’t had much experience of handling SARs, it doesn’t need to be.
When advising our clients, our first aim is to have them establish a basic framework to deal with a request. This means demonstrating good governance and leadership from above (usually at SIRO level), creating a clear and straightforward policy for your staff to follow, and ensuring a level of expertise within the organisation that at least knows how to recognise a SAR and how you should respond (for example, within the statutory timescales).
There was a key legal decision last week (1) when the High Court of England and Wales dismissed a claim against a bank for allegedly failing to provide an adequate response to the Claimant’s data subject access request.
In the past 12 months we have seen an increasing number of people and legal firms attempting to use the right of access to acquire information and documents to support associated claims, or as a rudimentary ‘fishing expedition’ to see what data is available that may be useful for civil redress.
Whilst the access right is an important entitlement for people across Europe, and as a Data Controller your SAR process needs to be effective and timely, there are times when you will need to be robust in your response where the circumstances behind the application appear to stretch beyond what is considered a reasonable request.
For example, the above judgment commented on the applicant’s course of action in negative terms, referring to:
- the numerous and repetitive SAR applications from the individual, some of which were considered to be abusive in nature;
- the view from the Court that the true objective of the SARs was thought to be simply to obtain documents rather than the authentic principle of accessing their personal data; and,
- as there were outline associated Civil proceedings between the bank and the applicant, the SARs were aimed at obtaining information principally to support civil claims against the Data Controller.
This case shows once again the often-convoluted nuances behind SARs, and whilst they are to be approached as ‘motive-blind’ by the Controller, in some cases their true purpose can be a factor when considering what to disclose or withhold.
(1) Lees v Lloyds Bank Plc EWHC 2249 (Ch)