Keep up to date with the latest in SARs with the DPAS blog. Charlotte Bolt discusses Subject Access Requests, and the changing data landscape around personal data rights.
What is a SAR?
Individuals have a right of access to their personal data. Exercising this right is commonly referred to as making a subject access request (SAR). An individual can make a SAR verbally or in writing, and a response should be provided without undue delay and, in any event, within one month.
What is ‘Personal Data’?
A notable case concerning access to personal data is the Durant case. The Appellant had made a subject access request under the Data Protection Act 1998 for any personal data relating to him. The Respondent provided the Appellant with this information, but refused to provide any information held on manual files, claiming it did not meet the definition of “personal data” under section 1(1) of the 1998 Act.
There were two points to be addressed. Firstly, what is “personal data”, with reference to the “relevant filing system”? Secondly, what approach should the data controller take when deciding what information to disclose that relates to a third party?
The court concluded that the mere mention of the data subject’s name did not mean it constituted personal data. For it to constitute personal data, the content had to have significant focus on the data subject. The court also held that the work of the data controller to find the data subject’s personal data had to be reasonable and proportionate, as it would be unfair to force data controllers to search through information in unstructured filing systems.
What is reasonable?
The Durant case helps provide more scope as to what is considered reasonable, but there are further points to be considered. As this case now dates back to 2003, it should only be referred to in limited circumstances. For example, what is the data subject’s reason for making the request? The ICO advises that you may refuse to respond to a request if it is manifestly unfounded or excessive.
At the end of 2020, in the High Court case of Lees v Lloyds Bank plc, a number of circumstances in which it would be reasonable for a data controller to refuse to respond to a SAR were identified. These include (amongst other things):
- Where numerous requests are made, suggesting the requester was being abusive.
- Where the purpose of the SAR is to obtain documents, as opposed to personal data.
- Where there is intent to use the SAR to pursue a litigation case.
Organisations may, therefore, wish to refer to the above case when processing SARs.
The ICO has advised that it is reasonable to ask the requester for their rationale for requesting their data. Doing so also gives the data controller more time to respond to the request – the requirement to respond within one month is paused until the additional clarification is received. Should the requester choose not to respond to the request for additional information, then in certain cases the data controller may not need to respond at all.
What is happening in the Marketplace?
There is increasing awareness among the general public of their rights around their personal data. This is firstly because of the introduction of the GDPR, and secondly because of the attention given to articles highlighting fines received by large organisations, for example over the data leak at EasyJet.
As the number of incoming SARs increases, so does the risk to organisations, and therefore the need for up-to-date policies and procedures. If you would like any advice on the handling of SARs, please do reach out to us at DPAS.
Charlotte is our Data Protection Paralegal, having studied law at Cardiff University. She has worked in public and private sectors in Cardiff and the South West, and has experience in audits and providing legal services.