The Information Commissioner’s Office (ICO) have again warned of the perils of dealing incorrectly with Subject Access Requests while fining a GP surgery in Hertfordshire £40,000 for failing to have adequate protections in place. Below, we take a look at the issues behind the recent case.
What are Subject Access Requests?
Subject Access Requests give individuals the right to request details of their personal data held by Data Controllers and oblige Data Controllers to respond to such requests when they are made. This means that if an organisation receives a Subject Access Request it has to respond to the individual or face the prospect of a complaint to the ICO.
How should a business respond?
There are some ways around responding to a Subject Access Request, such as when sufficient information or the relevant fee has not been provided, or where such a response would be disproportionate. However, generally speaking, the individual will need to be provided with the data they are requesting unless the request is covered by one of the narrow exceptions.
When disclosing personal data, including as part of a Subject Access Request, it is vital to ensure that the individual has the right to request the data they are requesting. This is relatively straightforward for adults, but may be more of an issue when dealing with children or those under a Power of Attorney. It is also possible for individuals to allow third parties to make requests on their behalf, though care should be taken to ensure consent has been properly given.
What are individuals entitled to know?
While an individual’s entitlement needs to be clearly established, the rights of other individuals need to be looked out for as well. In the Hertfordshire case a father had requested the personal data of his son held by the surgery. The surgery provided this information as well as the contact details of the father’s estranged ex-partner, her parents and an unrelated child. As always, this example shows that what might seem obvious isn’t always the case. While there was an entitlement to some of the personal data provided, the surgery should have reviewed the contents of the data and removed the rogue personal data relating to other individuals contained within.
The ICO’s view is that, whatever business an organisation is engaged in, if it holds personal data, that business will one day receive a Subject Access Request. Given this, having the correct policies and procedures in place is important to ensure requests are dealt with correctly and possible ICO involvement is avoided. A clearly drafted Data Protection Policy with associated training will give employees the knowledge to deal with personal data correctly, will demonstrate to the ICO that an organisation takes its data protection obligations seriously and, should the worst happen, will hopefully mitigate any fine the ICO might want to levy for a breach.
Given that the financial penalties for breaches will be increasing under the General Data Protection Regulation (which comes into force on 25 May 2018), data protection and Subject Access Requests should be a priority for any organisation that deals with personal information.