In an age where information is so vital, companies possess huge amounts of personal data, and some individuals are starting to ask for their information back. As a result, data controllers must find cost- and time-effective ways of complying with subject access requests. Some organisations are benefitting from the support of an alternative legal service provider.
Why are data access requests becoming more common?
Through the process of subject access requests, data protection laws enable any person (or data subject) to request and be provided with the information held by any entity (or data controller) which concerns them.
In recent times there has been rapid growth in the number of subject access requests being made, driven largely by the growth of online communication channels. Large platforms such as Facebook and Google, for example, receive subject access requests on a daily basis.
People are now more aware than ever that data controllers hold information about them. However, the greatest cause of concern among data subjects is the extent of the information retained by data controllers. In a society in which people are keenly aware of their rights, and conscious of the fact that their personal information is being stored by third parties, they are more inclined to make data access requests.
When such a request is made, a data controller cannot refuse to supply the information requested unless a statutory exemption applies. Companies of all sizes therefore need to assign specific compliance personnel to the task of processing and responding to subject access requests. Once a request is received, a data controller must follow four steps:
- ensure the request is valid
- locate and collate all personal data relating to the data subject
- review the data to discern whether any statutory exceptions apply
- respond to the request within the statutory time limit
The time limit currently stands at 40 days, but will be reduced to one month by the General Data Protection Regulation (2016/679) (GDPR) when it comes into effect in May 2018.
In addition to access to data, individuals are also entitled to have information rectified or erased where that information:
- is factually incorrect
- was obtained or processed unfairly
- is not accurate, complete or up to date
- is used in a manner incompatible with the purpose for which it was originally collected
- is stored insecurely, or with security measures that are inappropriate to the data
- is retained without the organisation being able to give a valid reason for keeping it
Given the proliferation of subject access requests, handling them can represent a significant expenditure for data controllers. Responding to a subject access request is not a profitable activity, but it demands a lot of time and effort, and therefore costs money. It is no wonder that some organisations look to outsource this work to an alternative legal service provider.
Moreover, the cost of responding to a subject access request cannot be passed on to the data subject. Currently, only a nominal fee is payable by the data subject, which cannot exceed €6.35. Once the GDPR applies, no fee will be payable unless the request is manifestly unfounded or excessive (for example, because it is repetitive), in which case a reasonable fee may be charged or the request refused.
Other exemptions under which data controllers can refuse access to personal data include:
- information that would be subject to legal professional privilege
- information retained by the Gardai for the purposes of preventing, detecting or investigating crime
- information relating to a claim the individual is pursuing against the organisation
- personal opinions about the individual expressed by another person and given in confidence
However, the Data Protection Commission (DPC) interprets these exemptions very narrowly, as the two decisions below illustrate.
Johnson Hana International (JHI) is an alternative legal service provider, delivering technological solutions to organisations which handle data access requests. We offer a full suite of services, featuring subject access request compliance and freedom of information compliance.
With the support of an alternative legal service provider such as JHI, data controllers can concentrate on their core business, rather than divert personnel and resources towards this obligation.
The DPC recently issued a decision concerning the online accommodation platform Airbnb. A guest who had used the platform to book a stay at a host's house sought a particular email about him which the host had sent to Airbnb.
The DPC regarded the email in question as predominantly factual in nature. While one part of the email constituted an expression of opinion, nothing in the email indicated any expectation that it would be kept confidential or withheld from the guest. The DPC therefore held that Airbnb could not rely on the confidential-opinion exemption on this occasion.
Example: Dairy Gold
In another example of the DPC's narrow approach, Dairy Gold claimed legal privilege over two documents sought by an individual's solicitor for the purposes of a personal injury claim.
The two documents sought were an internal accident report and a consulting engineer's report. Dairy Gold claimed legal privilege over both on the basis that they had been prepared in contemplation of litigation.
However, the DPC held that Dairy Gold could claim legal privilege only over the engineer's report, and not over the internal accident report, as the latter contained personal data relating to the individual and had to be disclosed.