IAPP CIPM – Subject Access Requests (SARs/DSARs) – how to deal with Part 2

  1. Supplying information to the requester

Hi, guys. In this lesson, we will discuss supplying information to the requester. You should remember that subject access entitles an individual to more than just a copy of their personal data. An individual is also entitled to be told whether any personal data about them is being processed. So, even if you do not hold any personal data on the requester, you must still respond to let them know. Where you do hold personal data, you must also provide a description of the personal data, the reasons it is being processed, whether it will be shared with any other organisations or people, and the source of the data.

Often this information will already be contained in the copy of the personal data you supply. To the extent it is not, however, you must remember to provide it in addition to the copy of the personal data itself when responding to a SAR. The right to a description of the other organisations or people to whom personal data may be given is a right to a description only; in general terms, it is not a right to receive the names of those organisations or people. The requester may also ask for an explanation of the reasoning behind any automated decisions taken about him or her, such as a computer-generated decision to grant or deny credit or an assessment of performance at work, except where this information is a trade secret.

You only need to provide this additional information if it has been specifically requested. Before supplying any information in response to a SAR, you should check that you have the requester’s correct postal address or email address, or both. If you are supplying information by fax, and we recommend that you do so only if the requester specifically asks you to, then you must ensure you are sending it to the correct fax number.

When deciding what information to supply, bear in mind that documents or files may contain a mixture of information that is the requester’s personal data, personal data about other people, and information that is not personal data at all. This means that you may need to consider each document within a file separately, as well as the content of a specific document, in order to assess the information they contain. It may be easier and more helpful to give a requester a mixture of all the personal data and ordinary information relevant to their request rather than to look at every document in a file to decide whether or not it is their personal data. This approach is likely to be appropriate where none of the information is particularly sensitive or contentious or refers to third-party individuals.

Form in which the information must be supplied

Once you have located and retrieved the personal data that is relevant to the request, you must communicate it to the requester in an understandable form. In most cases, this means supplying him or her with a copy of it in permanent form. You may comply with this requirement by supplying a photocopy or printout of the relevant information, but if the requester has made the SAR electronically, they will probably be content and may even prefer to receive the response electronically too. It is good practice to check their preferences. If they agree to receive the information in electronic form, you will comply with the GDPR by sending it in that form.
Some requesters are starting to ask for certain personal data, such as their domestic energy consumption data, to be supplied to them in an open, reusable format, for example a CSV file. Offering the data in this format makes it far easier for the requester to reuse the data under their own control. In relation to other services, the supervisory authority would encourage you to consider the feasibility of enabling requesters to receive their data in open, reusable formats for appropriate data sets. Clearly, we recognise that the cost and practicality of doing so must be taken into account.

Explaining the information supplied

The GDPR requires that the information supplied to the individual be in intelligible form. At its most basic, this means that the information should be understandable by the average person. However, the GDPR does not require you to ensure that the information is provided in a form that is understandable to the particular individual making the request. So let’s take two examples.

Example 1: An individual makes a request for their personal data. When preparing the response, you notice that a lot of it is in coded form. For example, attendance at a particular training session is logged as “A”, while nonattendance at a similar event is logged as “M”. Also, some of the information is in the form of handwritten notes that are difficult to read. Without access to the organisation’s key or index to explain this information, it would be impossible for anyone outside the organisation to understand it. In this case, you need to explain the meaning of the coded information. However, although it would be good practice to do so, the GDPR does not require you to decipher the poorly written notes, since the meaning of “intelligible” does not extend to making them legible.

Example 2: You receive a SAR from someone whose English comprehension skills are quite poor. You send a response, and they ask you to translate the information you sent them. The GDPR does not require you to do this, since the information is in intelligible form even if the person who receives it cannot understand all of it. However, it would be good practice for you to help them understand the information you hold about them. This is all for now. See you in the following lesson.

  1. Dealing with repeated or unreasonable requests

Hi, guys. In this lesson, we will discuss dealing with repeated or unreasonable requests. The GDPR does not limit the number of requests an individual can make to any organisation. However, it does allow some discretion when dealing with requests that are made at unreasonable intervals: you are not obliged to comply with an identical or similar request you have already dealt with unless a reasonable interval has elapsed between the first request and any subsequent ones. Let me give you some help in deciding whether requests are made at reasonable intervals. You should consider the nature of the data (this could include whether it is particularly sensitive), the purposes of the processing (this could include whether the processing is likely to cause detriment or harm to the requester), and how often the data is altered. If the information is unlikely to have changed between requests, you may decide that you do not need to respond to the same request twice.

Usually, the information to be supplied pursuant to a request must be supplied by reference to the data in question at the time the request is received. If there has been a previous request or requests and the information has been added to or amended since then, when answering the new SAR you are still required to provide a full response to the request and not merely supply the information that is new or has been amended since the last request. However, in practice, the supervisory authority accepts that you may attempt to negotiate with the requester to get them to restrict the scope of their SAR to the new or updated information. But if they insist on a full response, then you would need to supply all the information. Let’s take an example. A library receives a SAR from an individual who made a similar request one month earlier. The information relates to when the individual joined the library and the items borrowed. None of the information has changed since the previous request.

With this in mind, along with the fact that the individual is unlikely to suffer any disadvantage if the library does not send any personal data in response, the library does not need to comply with this request. However, it would be good practice to respond, explaining why it has not provided the information.

Example 2: A therapist who offers nonmedical counselling receives a SAR from a client. She had responded to a similar request from the same client three weeks earlier. When considering whether the requests have been made at unreasonable intervals, the therapist should take into account the fact that the client has attended five sessions between the requests, so there is a lot of new information in the file. She should respond to this request, and she could ask the client to agree that she only needs to send the new information. It would also be good practice to discuss with the client a different way of giving the client access to the session notes.

If for these reasons you decide not to provide the information requested, you are not obliged to do so, but it is good practice to explain this to the requester. They may not realise, for example, that your records have not changed since their last request. This is all for now. See you in the following lesson.

  1. Exemptions – part 1

Hi, guys. In this lesson, we’ll start discussing exemptions. There are some circumstances in which you might have a legitimate reason for not complying with a subject access request, so there are a number of exemptions from the duty to do so. If an exemption applies to the facts of a specific request, you may refuse to provide all or some of the requested information, depending on the circumstances. It is a matter for you to decide whether or not to use an exemption.

There is no obligation for you to do so, so you are free to comply with the SAR even if you could use an exemption. Not all of the exemptions apply in the same way, and you should look at each exemption carefully to see how it applies in a particular SAR. Some exemptions apply because of the nature of the personal data in question, for example, information contained in a confidential reference. Others apply because disclosure of the information would be likely to prejudice a particular function of the organisation to which the request is made. There is no real explanation of what is meant by “likely to prejudice.” However, the view is that it requires there to be a substantial chance, rather than a mere risk, that complying with the SAR would noticeably damage the discharge of the function. If challenged, you must be prepared to defend your decision to apply an exemption. It is therefore good practice to ensure that such a decision is taken at a suitably senior level in your organisation and that you document the reasons for it.

Let’s discuss confidential references. From time to time, you may give or receive references about an individual, for example, in connection with their employment or for educational purposes. Such references are often given in confidence, but that fact alone does not mean the personal data included in the reference is exempt from subject access. There is a difference between references you give and references you receive. References you give are exempt from subject access if you give them in confidence for the purposes of an individual’s education, training, or employment, or the provision of a service by them. There is no such exemption for references you receive from a third party. If you receive a SAR relating to such a reference, you must apply the usual principles about subject access to decide whether to provide some or all of the information contained in the reference. For example, Company A provides an employment reference for one of its employees to Company B. If the employee makes a SAR to Company A, the reference will be exempt from disclosure. If the employee makes a request to Company B, the reference is not automatically exempt from disclosure, and the usual subject access rules apply. It may be difficult to disclose the whole of a reference to the individual it relates to without disclosing some personal data about the author of the reference, most obviously their identity.

If the reference was not provided in confidence, this difficulty should not prevent disclosure. However, if a question of confidentiality arises, you should contact the author to find out whether they object to the reference being disclosed and, if so, why. Even if the provider of a reference objects to its disclosure in response to a SAR, you will need to supply the personal data it contains to the requester if it is reasonable to do so in all the circumstances. You will therefore need to weigh the referee’s interest in having their comments treated confidentially against the requester’s interest in seeing what has been said about them. Relevant considerations are likely to include any clearly stated assurance of confidentiality given to the referee, any reasons the referee gives for withholding consent, the likely impact of the reference on the requester, the requester’s interest in being able to satisfy himself or herself that the reference is truthful and accurate, and any risk that disclosure may pose to the referee. Let’s continue in the next lesson.

  1. Exemptions – part 2

Hi, guys. Let’s continue with the exemptions.

Publicly available information

If an enactment requires an organisation to make information available to the public, any personal data included in it is exempt from the right of subject access. The exemption applies only to the information that the organisation is required to publish. If it holds additional personal data about an individual, that additional personal data is not exempt from the right of subject access, even if the organisation publishes it.

Personal data processed for certain purposes related to crime and taxation is exempt from the subject access right. These purposes are the prevention or detection of crime, the capture or prosecution of offenders, and the assessment or collection of tax or duty.

Let’s take an example. The police process an individual’s personal data because they suspect him of involvement in a serious crime. If telling the individual they are processing his personal data for this purpose would be likely to prejudice the investigation—perhaps because he might abscond or destroy evidence—then the police do not need to do so. However, the exemption applies in any particular case only to the extent that complying with the SAR would be likely to prejudice the crime and taxation purposes set out above. You need to judge whether or not this is likely in each case. You should not use the exemption to justify denying subject access to entire categories of personal data if the crime and taxation purposes are unlikely to be harmed for some individuals.

Another example is a taxpayer who makes a SAR to the tax office for the personal data they hold about him in relation to an ongoing investigation into possible tax evasion. If disclosing the information that the tax office has collected about the taxpayer would be likely to prejudice their investigation, for example because it would make it difficult for them to collect evidence, the tax office could refuse to grant subject access to the extent that doing so would be likely to prejudice their investigation. If, however, the taxpayer does not make the request until some years later, when the investigation has been completed, it is unlikely that complying with the SAR would prejudice the crime or taxation purposes, in which case the tax office would need to comply with it. Nor would the exemption justify withholding all the personal data to which the request relates when only part of the personal data would be likely to prejudice those purposes. In the previous example of an ongoing investigation into possible tax evasion, the tax office would be entitled to refuse subject access to personal data that would prejudice their investigation. However, this would not justify a refusal to grant access to other personal data they hold about the taxpayer.

Personal data that is processed for the purpose of discharging statutory functions, and that consists of information obtained for this purpose from someone who held it for any of the crime and taxation purposes described above, is also exempt from the right of subject access to the extent that providing subject access to the personal data would be likely to prejudice any of the crime or taxation purposes. This prevents the right from applying to personal data that is passed to statutory review bodies by law enforcement agencies and ensures that the exemption is not lost when the information is disclosed during a review. This is all for now. On to the next slide.

  1. Exemptions – part 3

Hi, guys. In this lesson, we will continue with the last part of the exemptions. A further exemption applies to personal data that is processed for management forecasting or management planning. Such data is exempt from the right of subject access to the extent that complying with the SAR would be likely to prejudice the business or other activity of the organisation. Let’s take an example. The senior management of an organisation is planning a reorganisation. This is likely to involve making certain employees redundant, and this possibility is included in management plans before the plans are revealed to the workforce. An employee makes a SAR. In responding to that request, the organisation does not have to reveal its plans to make him redundant if doing so would be likely to prejudice the conduct of the business, perhaps by causing staff unrest in advance of an announcement of the management’s plans.

Negotiations with the requester

Personal data that consists of a record of your intentions in negotiations with an individual is exempt from the right of subject access to the extent that complying with the SAR would be likely to prejudice the negotiations. Let’s take an example again. An individual makes a claim to his insurance company. The claim is for compensation for personal injuries he sustained in an accident. The insurance company disputes the seriousness of the injuries and the amount of compensation they should pay. An internal paper sets out the company’s position on these matters and indicates the maximum sum they would be willing to pay to avoid the claim going to court. If the individual makes a SAR to the insurance company, they would not have to send him the internal paper, because doing so would be likely to prejudice the negotiations to settle the claim.

Finally, there is regulatory activity. Some organisations may use an exemption from subject access if they perform regulatory activities. The exemption is not available to all organisations but only to those that have regulatory functions concerning the protection of the public, charities, or fair competition in business. Organisations that do have such functions may only apply the exemption to personal data processed for these core regulatory activities, and then only to the extent that granting subject access to the information concerned would be likely to prejudice the proper discharge of those functions. This is all for now. See you in the following lesson.
