The General Data Protection Regulation (GDPR) comes into force 25 May 2018 and will introduce the greatest changes to data protection legislation in over 30 years. In this blog Val Surgenor, charity law specialist at MacRoberts LLP, looks at subject access requests (SARs) under the GDPR and what changes this will bring. There is less than a year to go now before the GDPR comes into force, therefore you should act now to make sure you are GDPR compliant!
What is a SAR?
A SAR is a request for personal information that your Charity may hold about a data subject, i.e. an individual. If an individual wishes to exercise their subject access right, the request must be made in writing. The purpose of a SAR is to make individuals aware of the processing of their personal data and to allow them to verify its lawfulness. Under the GDPR and the current Data Protection Act (DPA), individuals have the right to obtain confirmation as to whether personal data about them is being processed by your Charity. If personal information is being processed, they are entitled to access:
- the reasons why their data is being processed
- the description of the personal data concerning them
- information about anyone who has received or will receive their personal data
- details of the origin of their data if it was not collected from them
Charities need to be mindful that the rules on subject access apply to any individual. Charities are likely to hold and process personal data about their trustees, employees, service users, members, donors, volunteers and many others. Each category will have the same access rights.
Key Changes to SARs under GDPR
Under the GDPR, the procedure for making a SAR is similar to the procedure under the DPA. However, there are some key changes your Charity needs to be aware of, which may require you to make changes to your Charity’s procedures:
Under the DPA, your organisation can charge up to £10 for a SAR. Under the GDPR, a request for personal information is free unless the request is ‘manifestly unfounded or excessive.’ Your organisation can charge a ‘reasonable fee’ for multiple requests.
This may have a significant effect where your organisation receives large volumes of requests, as it may increase your administrative costs. At present there is insufficient guidance on what is meant by “manifestly unfounded or excessive” and therefore your organisation should approach this with some caution.
It should also be recognised that the £10 fee may in the past have acted as an impediment to making a request, so charities may see an increase in requests as a result.
Under the DPA, you must respond to SARs within 40 days of receipt of the written request. Under the GDPR, your organisation must respond to SARs within one month of receipt. This deadline can be extended by a further two months where there are a number of requests or the request is complex, but you must contact the individual within a month of receipt, explaining why the extension is necessary.
Charities will have a shorter time to deal with SARs; therefore having an effective procedure in place will ensure that you are able to comply with the new, reduced timescales. Being able to recognise a subject access request and pass it to the correct person in your Charity will be critical if you are to comply with the reduced timescales. Remember, for it to be a valid request, it doesn’t need to say it is a subject access request or even mention the DPA.
If staff have personal e-mail accounts to which a SAR could be made, these should be monitored when the member of staff is out of the office (for example when on holiday or on secondment) to ensure that SARs are dealt with quickly. Remember, you will only have up to one month to respond, so your Charity needs to have good procedures to make sure it complies on time and is able to provide the information that it needs to.
- Provision of Information:
Individuals can make a SAR electronically. If they do so, the information provided should be in a commonly-used electronic format, unless otherwise requested. But remember, your Charity must verify the individual’s identity prior to granting access to information. This can sometimes take a little time, especially if it is a guardian or someone acting under a power of attorney who is seeking the information about a data subject.
In responding to a subject access request, the Charity will need to advise the data subject of:
- the purposes of the processing,
- the categories of personal data concerned,
- the recipients to whom your Charity discloses the information,
- where possible, how long you will hold onto the information, or the criteria your Charity uses to decide how long the personal information will be held for,
- the right to request rectification, erasure or restriction of the processing,
- the right to lodge a complaint to the ICO,
- where the personal data are not collected from the data subject, the source from where your Charity obtained the data,
- and finally, the existence of any automated decision-making.
Where your Charity doesn’t already have a procedure for staff to identify a SAR and/or know how to escalate it to be dealt with, put a procedure in place and train staff accordingly.
Does your Charity have a data retention or data destruction policy? If not, put one in place. Think about what data you hold and why: how long do you really need to hold it, and do you need to hold all of it? Be careful to consider why you want to hold onto data “just in case”. If your Charity has thought about what data it holds and how long it needs to hold it, this will assist in complying with the new information provisions.
- Right to withhold Personal Data:
Under the GDPR, organisations can withhold personal data if disclosing it would ‘adversely affect the rights and freedoms of others.’
It will be up to the UK government to introduce any further exemptions to SARs, such as for national security, defence and public security. Charities should take advice if they are proposing to withhold information on this basis, as your organisation will need to carefully consider its applicability, and relying on it should not result in a refusal to provide all of the information requested.
- Design and implement template response letters so that you can ensure that all requirements of a response to a SAR are complied with under the GDPR.
- Design and implement policies and procedures for handling SARs and ensure these take into account new timescales (including implementing a new data retention policy if your Charity doesn’t already have one).
- Ensure that employees are trained in dealing with SARs and that they can recognise when an individual has made a SAR and how this is to be dealt with.
- Consider GDPR best practice and perhaps consider incorporating a ‘data subject access portal’ (where appropriate), which can allow an individual to access their information quickly, easily and remotely.