Individuals’ rights are a key area where the GDPR differs from former data protection laws. A year on from the introduction of the GDPR, organisations have more experience in dealing with individuals’ rights requests and are better placed to understand the impact of the changes.
More people are making information rights requests
People in the UK have had legally enforceable information rights for over 30 years, but many organisations are receiving access requests for the first time. The subject access fee used to be £10, which was a deterrent for many, but since the fee has been waived the volume of requests has gone up.
Access rights at a glance
No single strand in a regulation can exist independently, and access requests tie into the right to portability, erasure and correction, amongst others. Managing access requests isn’t always straightforward, and organisations should learn from these requests so they can deal with them more easily in future.
Here are some pointers for dealing with subject access – and other rights – requests positively, compliantly and as painlessly as possible:
- Standards for recording personal information – there’s no ‘that’s embarrassing, I wish I hadn’t written it’ exemption
Learn to record information – even adverse information – in a neutral, professional, disclosable way. Senior staff can often be the worst for recording comments in a candid format and training can be beneficial.
- Be clear about scope – remember that the applicant should be the focus of the information. Is it about that person?
Just because a document mentions someone or they are included as a cc in an email, it does not make it their personal information.
Scope can be a tricky area and the old ICO guidance on information held in complaints files remains useful.
- Records management – organisations should develop systems and inventories to find and collate requested information easily
The applicant may be an ex-employee with a good knowledge of your company’s information assets. So, always come clean and don’t try to hide information or deny its existence. Once a request has been received, you must not make any changes to the information in order to hide embarrassing or controversial content – that is against the law and is a regulatory red line.
- Data quality – it may not matter much if a file containing inaccuracies or out-of-date information is buried inertly in a rarely accessed filing system
But if you are asked to dig up that information and hand it over to someone, it suddenly matters a lot. You must make sure your information governance is up to scratch, and that you sample your records to assess data quality regularly.
- Transparency and purpose limitation – people don’t always read privacy notices, but individuals moved to exercise their rights may do so
If you are using someone’s personal information for purposes not described in your privacy notice, then you could have a problem. For example, if you are going to use building-access data for disciplinary (timekeeping/attendance) purposes, then you should be open about this. Remember that a lot of rights requests are made in the context of disputes between employees/former employees and their employers, or between customers and businesses.
- Purpose blindness – the law does not allow you to ask why someone wants to exercise their information rights
The things you need to consider are whether a request is valid, what personal information is held and whether an exemption applies. The purpose of the request is irrelevant.
- Exemptions – don’t be afraid to rely on an exemption the law provides for the withholding of information for good reasons
That said, if you are going to withhold information, be sure of your reasons and document the decision-making process. In the event of the courts or the regulator disagreeing with your decision, it will help to demonstrate due consideration of the issue before a decision was made.
- Automate as much as possible – make it easier for employees to access their HR records and for customers to access their account information
Adopting an ‘access by design’ approach when procuring new systems can save time and money dealing with subject access, portability and other requests. But this only takes you so far. ‘Standard’ requests can often be automated, while more complex requests will still need to be assessed on a case-by-case basis.
- Take a positive approach – don’t be defensive if someone makes a right-to-erasure request. Organisations sometimes think that deleting someone’s personal information somehow weakens them, but unnecessarily retained information can be a liability
If someone requests the deletion of information that you have no business or other need to keep, then get rid of it. If you do have a need to keep it, then the law will normally allow you to refuse the deletion request.