The right of individuals to access the information an organisation holds about them is an important safeguard and a cornerstone of data protection. Garreth Cameron, group manager (business and industry) at the ICO, explains more
Whatever business you’re in, if you hold personal data, you will probably have to respond to a subject access request at some point.
Subject access requests happen to be the top cause of complaint to the ICO, accounting for 46 percent of cases we receive.
We know that when businesses fail to respond properly to a subject access request it can end up costing them time, money and reputational damage.
What concerns do individuals raise with us?
We often see cases where a subject access request is made following a dispute with a customer or employee that hasn’t been resolved, or has been badly managed.
If you can avoid leaving the requestor feeling that a subject access request is their only option, you stand a good chance of not receiving one in the first place.
The importance of good customer service and a pragmatic approach cannot be overstated.
A disgruntled requestor may be motivated to complain if you’ve clearly not met legal obligations. Failing to respond within the statutory 40-day time limit is a common problem.
We understand it can take time to get the information required together and review it.
On the records
Good records management is key to ensuring information can be easily identified and retrieved. Of course, you shouldn’t be retaining information you no longer have a justifiable need for anyway.
It goes without saying that you should conduct a thorough search for the data, because failing to provide something the requestor knows you hold is a sure-fire way to have a concern raised with the ICO.
In some cases individuals’ requests are just plain ignored. While in a low number of cases it may be reasonable to inform a vexatious customer that you are ceasing contact with them, you’re still obliged to respond to their subject access request if they make one.
In other cases we see, organisations fail to recognise that a request has been received. It’s important that frontline staff are trained on individuals’ rights and know how to respond when a request arrives.
Extra care is needed to ensure information about third parties is not inappropriately disclosed.
We recently fined a GP surgery £40,000 after the practice revealed confidential details about a woman and her family to her estranged ex-partner, after he made a subject access request.
It’s about control
Giving people more control over their data is crucial to building consumer trust.
While individuals have legal rights under data protection, you should consider whether you want to force people to resort to the law to see what information you hold about them.
It’s a better experience for the customer to be in the driving seat, with the ability to access their data without going through a formal legal process. The growth of digital services helps to make this a reality.
Remember, individuals’ rights will be brought into focus across the European Union when the General Data Protection Regulation takes effect in May 2018. The regulation will require the data to be provided free of charge and, in certain cases, in a commonly used electronic format.
No matter what happens in the UK post-Brexit, it’s time to ensure your house is in order when it comes to subject access.