Data subject access requests have traditionally been one of the most challenging and time-consuming aspects of data protection legislation, and the updated regime under the GDPR maintains this reputation.
The right to access your personal data which is being held by an organisation is one of the most important and powerful rights which an individual has under data protection legislation. The right was originally enshrined in the Data Protection Act 1998 and continues to feature prominently in the new data protection regime introduced by the GDPR and Data Protection Act 2018.
What is the right?
In essence, the right entitles an individual to be given:
- confirmation as to whether their personal data is being processed
- a copy of that personal data
- confirmation as to the purpose of the processing
- the categories of personal data concerned
- the recipients to whom the personal data has been or will be disclosed
- the envisaged period for which the data will be retained or, where that cannot be stated, the criteria used to decide it
- information on the source of the data, where it was not collected from the data subject
- information on their right to request rectification, erasure or restriction of processing, to object to processing, and to lodge a complaint with the supervisory authority (in the UK, the Information Commissioner)
- the existence of any automated decision-making, including profiling, together with meaningful information about the logic involved and its significance and envisaged consequences
- information on the Article 46 safeguards relied on where personal data is transferred to a third country or international organisation outside the EEA
What is personal data?
“Personal data” is defined as any information relating to an identified or identifiable living person, known as a data subject. A person is identifiable if they can be identified directly or indirectly, for example by reference to a name, an identification number, location data or an online identifier, or to factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
How long do I have to respond?
Timescales for responding to data subject access requests have always been tight and are tighter still under the new regime. Under the DPA 1998 a data controller had 40 days; under Article 12(3) of the GDPR it has one month from receipt of the request. That period can be extended by a further two months where necessary, taking into account the complexity and number of requests, but the data controller must tell the data subject about the extension, and the reasons for it, within the first month.
Can I charge a fee or refuse to respond?
There is no longer any fee payable in order to submit a valid request. A reasonable fee, based on administrative costs, may be charged only where the data controller can show that the request is “manifestly unfounded or excessive”, and in that case the data controller may instead refuse to act on the request altogether. (A reasonable fee may also be charged for further copies of data already supplied.) There is no definition of what amounts to “manifestly unfounded or excessive”, although Article 12(5) gives requests which are repetitive in character as the principal example, and the concept is also likely to capture requests which engage the EU doctrine of abuse of rights. In either case it is for the data controller to demonstrate that the request is manifestly unfounded or excessive. If it refuses to act, it must tell the data subject without delay, and at the latest within one month, why it has refused and that they may complain to the Information Commissioner or seek a judicial remedy.
The ability of the data controller to redact or withhold personal data is one of the most contentious and hotly debated areas of data protection legislation. Information may be withheld where it cannot be disclosed without also disclosing information relating to another identifiable individual, unless that individual consents or it is reasonable to disclose without their consent. Beyond that, the right to withhold data applies only in certain very limited circumstances, most of which are set out as exemptions in Schedule 2 to the DPA 2018. These include:
- Confidential references given or received by the controller
- Processing which falls outside the GDPR altogether because it is carried out in the course of a purely personal or household activity
- Information which the controller is required by law to make available to the public
- Management forecasts or planning information, where disclosure would prejudice the conduct of the business
- Information covered by legal professional privilege
Whilst a data subject’s motive for making a data subject access request may be relevant to the question of whether the request is “manifestly unfounded or excessive”, the mere fact that their primary motive may be to further a grievance or litigation will not in itself give the data controller grounds to withhold the personal data.