Any organisation that has received a subject access request
(SAR) will know just what a nightmare dealing with it can be. As a
reminder, any person has a right to require an organisation to
provide details of the personal information which that organisation
holds about that person by serving a SAR on that organisation.
Whilst the organisation can charge the person up to £10 to
deal with the SAR, this charge pales into insignificance when
compared to the time cost of dealing with a SAR. There is added
pressure on the organisation to get it right because about half the
complaints to the Information Commissioner's Office (ICO), the
UK data protection law regulator, relate to SARs. Moreover most of
these complaints relate to the inadequacy or paucity of the
personal information provided.
Given all this, it is hardly surprising that some organisations
have adopted a "failsafe" approach to SARs and simply disclose
everything on file to the person making the SAR. Good idea? As it
turns out, no: over-disclosure is itself a breach, because a file
will often contain other people's personal data as well.
In August, a GP practice was fined £40,000 by the ICO, not
because it disclosed too little to the person making the SAR but
because it disclosed too much to that person!
Briefly, the facts of the case were that a patient served a SAR
on the GP practice. The GP practice responded by disclosing its
entire patient file. Unfortunately for the GP practice the file
contained personal details of a vulnerable third party and also
medical details of another patient.
To make matters even harder for an organisation, where personal
data relates both to the person making the SAR and another
individual, it is not the case that such personal data should
automatically be withheld. Whether the organisation should disclose
or not requires a difficult balancing act between the right of
access of the person making the SAR against the other
individual's right to confidentiality.
We recently advised an organisation in relation to a SAR which
faced such a difficult balancing act. Given the complexities of
that particular matter, our client did exactly the right thing and
asked us to consider each piece of personal data and make an
objective decision as to what extent it was disclosable.
It will not always be the case that you need legal advice on every
single piece of information. We can also provide general guidance on
what you should consider in deciding whether personal data should be
disclosed or withheld, and training on dealing with SARs. As the GP
practice case shows, the right answer is not always crystal clear.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.