Subject Access Requests: How to get it right first time

By Tom Llewellyn, commercial disputes and data protection partner, Ashfords

Data is king when it comes to understanding your customers and leveraging information that aids quality business decisions. However, a failure to comply with Subject Access Requests can land any organisation in hot water, as recently demonstrated by The Labour Party.

The Labour Party was publicly reprimanded by the Information Commissioner’s Office (ICO) for ‘repeatedly failing’ to respond to 352 subject access requests (SARs), with over half of the individuals (56 percent) not receiving a response for over a year – 11 months past the one month deadline for responding set out in UK GDPR.

The ICO investigation, triggered by complaints from individuals who had made SARs to the Labour Party, also discovered a ‘privacy inbox’ that had an additional 646 SARs and around 597 requests for information to be deleted following a cyberattack on the political party in October 2021.

Whilst the failure to respond to a SAR can lead to reputational damage, it can also result in hefty regulatory fines or legal action to force compliance.

Swift action

As individuals become more aware of their rights regarding personal data, organisations are seeing a significant increase in the number of SARs received. SARs often come at the end of a long-running complaint made by an unhappy customer or employee who feels they have been treated unfairly inside or outside of the business.

UK GDPR requires you to respond to a request within one calendar month, unless the SAR is complex, in which case organisations are permitted up to three calendar months. Get ahead of the issue early by establishing a method to identify, respond to and process SARs swiftly. This includes determining who will lead on any inquiries internally and creating internal deadlines to collate the data, clearly documenting the process in full.

SAR response planning should also include identifying any locations that SARs might be sent to and ensuring that employees are trained to identify them.

Seek clarity

A lot of time can be wasted if you lack clarity around the request or if opportunities are missed to narrow the scope. It is not uncommon for a request to relate to all information held about the requester when they are really only seeking a specific piece of data. Responding to the initial request by seeking clarification will pause the clock until further information has been provided and may save a significant amount of time if the scope is narrowed.

Searching for data

It is not uncommon for businesses, regardless of size, to store data in various locations, for example across multiple email inboxes, handheld devices and either on-prem or cloud-based storage. Having a clear understanding of where the data is located and the custodians likely to hold relevant data will significantly reduce the discovery time once a SAR has been submitted.

Once you have identified where data is held, the next step is to search for all potentially relevant data using keywords. The SAR may provide some suggested keywords and custodians, but organisations should carefully consider whether there are any additional custodians or keywords that should be used. Any failure to consider these at this stage could result in elements of the SAR having to be re-done at a later date.

Once the keyword searches have been completed you are then likely to be left with a significant amount of personal data which contains day-to-day business information or is irrelevant, save for limited information such as names or contact details.

The next stage is therefore a culling exercise to remove all irrelevant data. Some SARs will have a few hundred documents at this stage, whilst others could have tens of thousands. Digital tools are available to help with this review stage.

Finally, don’t forget that SARs cover physical documents as well as digital information. Ensure that physical records are included in your search.

The balancing act between personal data and third parties

Once you have culled any irrelevant data, the response is not necessarily complete. You may be able to apply exemptions, such as where information is legally privileged or would prejudice negotiations with the requester. However, you also need to consider the rights of third parties whose data may be mixed in with that of the requester. This is a complex and developing area, and if you get it wrong you could be liable for having breached the data protection rights of those third parties or for not adequately responding to the SAR.

A recent High Court case, Harrison v Cameron, exposed the difficult balancing act between protecting third-party information and sufficiently responding to a SAR, highlighting the factors that must be considered when dealing with third-party information. It also demonstrates how a SAR can lead to a legal dispute.

Mr Harrison, a real estate investor, contracted Mr Cameron’s landscaping company to carry out work on his garden. When the contract was terminated before completion, the business owner requested payment for the materials and services. Unhappy with the response, Mr Harrison made several threatening phone calls to Mr Cameron, who covertly recorded the exchanges and shared them among family members, friends and colleagues.

Determined to establish who had received the recordings, as he argued they had damaged his reputation, Mr Harrison submitted a SAR seeking the names of all people to whom the recordings had been sent. Mr Cameron refused, in part based on the likelihood of the recipients becoming embroiled in hostile litigation. Mr Harrison then sought unsuccessfully to force disclosure: it was held that Mr Cameron had struck the right balance in refusing to disclose the information without the consent of the recipients, in order to protect them from hostile litigation.

Defining the scope of redactions

Whilst in cases like Harrison v Cameron it might be right to refuse to disclose the names of third parties, in other cases the balance might fall in favour of disclosing such names. It requires careful consideration of all relevant interests, and applying wholesale redactions is unlikely to yield an ICO-compliant response.

The recent case demonstrates that you can hold back third-party information in certain circumstances. That said, you must document each step of your search and review process, and the reason for each redaction, so you can draw upon it at a later date if the requester appeals your response or in the unlikely event that the case is pursued in court.

The aforementioned case demonstrates that SARs can require complex decision-making that may need third-party assistance.

For further guidance on how to deal with SARs, contact Tom Llewellyn, Ashfords law firm, at: [email protected]