A response to a subject access request should include a copy of the personal data being processed plus certain additional information as explained below (Article 15(1)).
Much of the additional information will have already been provided in the privacy notice and will appear in any record of processing activities.
Form of response
The response should be in writing or, if appropriate, by electronic means (Article 12.1).
If the request was made originally by electronic means, information should be provided “in a commonly used” electronic form unless otherwise requested by the individual.
Copy of the personal data
We must supply a copy of the personal data concerning the individual, subject to the rules on data that also identifies others.
Bear the following in mind:
- Although the requirement is to provide a copy of personal data, not a specific document, it will often be easiest to produce a copy of the document with redactions.
- Redactions may be made to protect personal data of others who are identified in the document(s) that contain the requester’s personal data.
- Data that does not concern the individual may also be redacted.
- We have no obligation to provide information that is not personal data (for example, information relating to business performance or to organisational arrangements).
- Before redacting personal data of other data subjects consider requesting those individuals to consent to their data being supplied to the person making the request.
- Whilst we may redact documents as explained above, common sense and proportionality should be considered. Is the data in question sensitive or confidential? If not, it is often most sensible to supply the documents that contain the data without redaction.
Purposes of the processing
When responding to a request, we must provide information on the purposes of the processing.
Check the relevant privacy notice and record of processing activities and use the reason given in these documents.
Categories of personal data
Information should be provided on the categories of personal data concerned.
Again, check the relevant privacy notice and record of processing activities and use the categories given in these documents.
Recipients or categories of recipient
The information should include the recipients or categories of recipient to whom personal data has been disclosed or to whom it will be disclosed.
We don’t need to identify each recipient; it is sufficient to identify categories of recipient.
A recipient means a person, public authority, agency or another body to which the personal data are disclosed, whether or not a “third party” (Article 4(9)). Our employees are not recipients.
Identifying recipients not only assists an individual in forming a view as to whether data is being processed fairly, lawfully and otherwise consistently with the data protection principles, but also enables that individual to continue to track their data by making requests to other data controllers.
Information on the source of personal data
Except where the information originally came from the person making the request, we should provide any available information on the source of the data.
Providing individuals with information on the source of data enables them to follow their data back up the chain to ensure that the data controller at source is also processing lawfully.
Envisaged period of storage
The response should, where possible, set out the envisaged period for which personal data will be stored.
Again, check the relevant privacy notice and record of processing activities and use the retention periods given in these documents.
Existence of data subject rights
The information in the response should include the existence of the right to request rectification or erasure of personal data, the right to restrict processing of personal data and the right to object to processing of personal data.
Existence of automated decision-making including profiling
If we make decisions based solely on automated processing, including profiling, which produce legal or other significant effects, we must provide information on the existence of the decision-making, the logic involved and the envisaged significance for the individual.
Transfers outside the EEA and safeguards
If personal data is transferred outside the EEA, the individual has a right to be told of any “safeguards” in place (see Article 15.2).
These safeguards are listed in Article 46 and include standard model clauses and binding corporate rules.
Right to lodge a complaint with a supervisory authority
The information should state that there is a right to lodge a complaint with a supervisory authority (Article 15(1)(f)).
Exemptions to providing subject access
There is no obligation to comply with a subject access request in relation to:
- Personal data in respect of which a claim of legal professional privilege could be maintained in legal proceedings (paragraph 19, Schedule 2, DPA 2018). This applies only to documents which carry legal professional privilege for the purposes of English law or its equivalent under Scots law.
- Purely personal or household activity (see Article 2.2(c)). This covers personal information, but probably not records made personally in a work context.
- A reference given (or to be given) in confidence for employment, training or educational purposes. The exemption covers the personal data within the reference whether processed by the reference giver or the recipient (paragraph 24, Schedule 2, DPA 2018).
- Personal data processed for the purposes of management forecasting or management planning in relation to a business or other activity to the extent that complying with a subject access request would prejudice the conduct of the business or activity (paragraph 22, Schedule 2, DPA 2018). For example, it is likely to prejudice the conduct of a business if information on a staff redundancy programme is disclosed in advance of it being announced to the rest of the workforce.
- Personal data consisting of records of intentions in relation to negotiations between an employer and an employee to the extent that compliance with the subject access request would be likely to prejudice the negotiations (paragraph 23, Schedule 2, DPA 2018).
There are other exceptions relating to regulatory functions, judicial appointments and proceedings, the honours system, criminal investigations, tax collections and various corporate finance services (see Schedule 2 to the DPA 2018).
If an exemption to the rules on subject access is relevant, that personal data should be redacted or otherwise removed.
Finding and retrieving personal data
Extent of the duty
Dealing with a subject access request can be demanding and time-consuming, particularly in an employment context in which much data will be unstructured and will relate not only to the employee but also to other individuals. Such data will almost inevitably require redaction.
Although on the face of Article 15 there is no limit on the personal data to which an employee can seek access, there are constraints derived from EU law and Article 12.5 which are reflected in Information Commissioner guidance.
First, the subject access requirements are subject to the principle of proportionality; measures adopted should not exceed the limits of what is appropriate and necessary to achieve the objectives pursued by the legislation in question.
Where there is a choice between several appropriate measures, recourse must be had to the least onerous.
The disadvantages caused must not be disproportionate to the aims pursued.
Second, the Information Commissioner says that although we should be prepared to make extensive efforts to find and retrieve the requested information, we are not required to do things that would be unreasonable or disproportionate.
Third, the EU doctrine of the abuse of rights may apply. In summary, the effect of the doctrine is that where a person asserts a right under EU-derived law for an abusive purpose (for example for the purpose of harassing an employer or to cause it to incur substantial expense), the person asserting the right does not deserve to have the right upheld and the legal provision should be interpreted, contrary to its literal meaning, as not conferring the right.
So, if an employee makes a subject access request for the primary purposes of causing trouble and expense to an employer or is insisting on production of information with no conceivable value, those may be circumstances in which it may be possible to rely on the doctrine. A court will look closely and seek cogent evidence before accepting that the assertion of a right is abusive.
We may also refuse to act on a request (or part of a request) if we can demonstrate that the request is “manifestly unfounded or excessive”.
Finding the individual’s personal data
The primary task is to find the relevant personal data. How that is done depends on its nature, how it is stored and, more generally, on the employer’s approach to information management.
Most electronic information can be found and sorted relatively easily. Emails are usually the starting point and, because of their unstructured nature, the most difficult to deal with.
Other places to look
Although most personal data will normally be found on our main servers, it is possible that there will be relevant data in backup servers or disks or data held on other systems or devices, for example on an individual’s work hard drives, mobile devices or home computers.
To the extent that search mechanisms allow an employer to find backed up data for its own purposes, it should use the same effort to find data to respond to a subject access request.
Changes to data
The employer is required to provide a copy of the personal data undergoing processing. Unlike the DPA, the GDPR does not specify explicitly that data should be determined at the date of receipt of the request. But that is likely to be the position.
Most data will not change at all; to the extent that data would change in the normal course (even if no subject access request had been made) the data “undergoing processing” will be the data as modified. For example, data on total earnings in a particular tax year will change with every payroll; there is no requirement to freeze it in time or to reverse engineer it.
But the employer must not delete data to defeat a subject access request. It is an offence for an employer or a person employed by the employer to alter or erase information with the intention of preventing disclosure (section 173(3), DPA 2018).
There is a defence if the alteration or erasure would have occurred even if no data subject request had been made (section 173(5), DPA 2018).