The Information Commissioner’s Office (ICO) put their ‘right of access’ (commonly referred to as subject access) guidance out for consultation at the end of last year and, following a lot of responses, they have updated their resources and information. It is aimed at data protection officers (DPOs), but you need to be aware of your data protection responsibilities as data controllers.
The ICO have provided clarity on 3 common questions:
- Stopping the clock for clarification – in certain circumstances, the clock can be stopped whilst organisations are waiting for the requester to clarify their request
- What is a manifestly excessive request – this now has a broader definition
- What can be included when charging a fee for excessive, unfounded or repeat requests – there is an update on what organisations can take into account when charging an admin fee
Key points about right of access:
- Individuals have the right to access and receive a copy of their personal data and other supplementary information
- This is commonly referred to as a subject access request or ‘SAR’
- Individuals can make SARs verbally or in writing, including via social media
- A third party can also make a SAR on behalf of another person
- In most circumstances, you cannot charge a fee to deal with a request
- You should respond without delay and within one month of receipt of the request
- You may extend the time limit by a further two months if the request is complex, or if you receive a number of requests from the individual
- You should perform a reasonable search for the requested information
- You should provide the information in an accessible, concise and intelligible format
- The information should be disclosed securely
- You can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive
The ICO have produced useful checklists for preparing for SARs and complying with SARs, and there is a section about Health data which includes information about charging a fee, exemptions, disclosure restrictions and requests for health data from a third party.
Key reminders about handing SARs:
- Before responding to a third-party SAR, you need to be satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of their authority
- Before responding to a SAR for information held about a child, you should consider whether the child is mature enough to understand their rights
- Can you ask for ID? Yes – You need to be satisfied that you know the identity of the requester (or the person the request is made on behalf of)
- If an individual makes a request electronically, you should provide the information in a commonly used electronic format, unless the individual requests otherwise, and consider whether the individual has the ability to access the data you provide in that format
- It’s good practice to establish the individual’s preferred format prior to fulfilling their request. However, you should allow Patients to access their data remotely and download a copy in an appropriate format
There are exemptions where you can refuse to comply with a request to protect the rights of others, including confidential references you have received. Therefore, an employee would need to submit the SAR to the person or organisation who created the confidential reference.
