Dealing with Data Subject Access Requests
Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.
Who is responsible for responding to Subject Access Requests?
A Subject Access Request (SAR) is when a person requests a copy of all their personal data from either The Scout Association Headquarters or a Scout Unit (i.e. Group, District, County or Country), under the Data Protection Act (DPA). As the DPA applies to both The Scout Association Headquarters and Scout Units (each is created and operates as an independent charity in its own right), each must comply with any SAR it receives.
Of course, whilst the data held on Compass will be the same for both HQ and the Scout Unit, each may also hold other information which may need to be disclosed, e.g. emails, letters, reports etc. Guidance about how to respond to an SAR can be found on the national website.
What information is an individual entitled to under the GDPR?
Under the GDPR, individuals will have the right to obtain:
- confirmation that their data is being processed;
- access to their personal data; and
- other supplementary information – this largely corresponds to the information that should be provided in your privacy notice.
Please note, the rules only apply to information actually held: it may be that certain information has been destroyed/deleted locally as should be normal practice when it is no longer required.
Examples of automated records include:
- Computer files: spreadsheets, Word documents, databases; files stored on removable storage devices (USB sticks, external hard drives), CD-ROMs, DVDs, hard disks, back-up files, emails
- Audio/Video - CCTV, webcam images
- Digitalised images - scanned photos, digital photographs
Examples of manual records include:
- Files - on volunteers, young people, employees
- Index systems - names, addresses, other details
- Microfiche records - containing personal data
What data can be withdrawn or redacted (i.e. deleted) when disclosing the SAR to the subject, and how?
There are exemptions to disclosure but, in the main, these are very specific and tend to apply to particular cases e.g. confidentiality of police investigation or certain HR records. It is quite rare for exemptions to apply more generally and decisions must be made on a carefully considered discretionary basis, which can be justified. Also, when they do apply this does not necessarily mean that a whole document is exempt eg the exemption could apply to a part or parts of a document too. Please see the ICO website for further explanation and to see whether any exemptions may apply.
Exempt or third party data should be redacted using a black pen or white corrector tape, and the subject should be sent photocopies of the redacted documents (not the originals) so that the redacted data cannot be deciphered by close inspection or by removing the corrector tape.
Practical guidance on redacting information
Under the rules, an individual is entitled only to their own personal data and not to information relating to other people. Therefore, when disclosing personal data to subjects it is important not to inadvertently disclose personal data about third parties in the process, i.e. you have to be careful not to breach the data protection rights of those third parties, unless those third parties have expressly consented to their information being disclosed.
Please also remember to redact your own personal data. Please note, the subject could share the data as they choose or it may get misplaced once in their possession.
Therefore, the papers/documents you send to the subjects will need to be checked very carefully for this and any personal data relating to third parties 'redacted' i.e. deleted/crossed out - to the extent that it is not visible to the requester. We find that this is best done by using a white redaction tape (similar to Tippex - but not the liquid version which sometimes does not block the information properly).
You can also use a black marker, but again ensure that the information does not 'show through'. In any event, following the redaction you should photocopy the resultant documents and send the photocopies to the subject (and not the original redacted papers), as the photocopying process will ensure the redacted information remains obscured. Remember to keep a copy of the original documents too.
It's important to note that you should not withhold whole documents just because they contain the details of third parties. In that instance, you will likely need to redact just the details of those third parties so as to ensure that they cannot be identified. However, where even after redaction, the identity of third parties is still ascertainable then you may be able to withhold the whole document but you will need to assess this very carefully. If in any doubt, you should seek advice from the Information Commissioner’s Office (ICO).
Please also contact the Scout Information Centre if you need further assistance.
Some basic rules to apply when redacting
1. The information disclosed should relate to the data subject making the request - do not include irrelevant information.
2. Particular care should be taken when redacting to ensure that the personal data of other individuals is not released - that is any data which would allow you to identify the people from the data combined with other information held.
3. The following general rules should be applied – although there may be specific incidents when they would not:
- redact all names other than that of the person making the request
- redact job/role titles
- redact e-mail addresses
- redact addresses
- redact phone numbers
- redact references to an individual's gender if that would lead to them being identified
- redact personal descriptions which may lead to a person being identified: a description of someone as a brown-haired man is unlikely to identify them, but a red-haired man with a beard may
- redact any other narrative data that would lead to an individual being identified
- think about the combination of information sets that taken together would lead to an individual being identified.
4. When taking out personal details from email headers, leave in the date and title line unless the title line conflicts with the above.
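As an added illustration (not part of the Scout guidance), the following Python script applies rules 3 and 4 above to an automated record, an email: only the Date and Subject header lines are kept, and email addresses, phone numbers, role titles and third-party names are replaced in a fresh copy of the text rather than hidden by an overlay, which is the digital counterpart of photocopying the taped-over original. The message, names and role titles are constructed; the phone pattern is an assumption covering UK-style numbers only, and postal addresses and narrative descriptions still need a manual read-through.

```python
import re

# Rule 4: only the date and title (subject) header lines are kept;
# From/To/Cc and every other header line are dropped entirely.
KEEP_HEADERS = ("date:", "subject:")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Assumed UK-style number pattern; extend it for the formats in your own records.
PHONE_RE = re.compile(r"\b(?:\+44\s?\d{3,4}|0\d{3,4})[\s-]?\d{6}\b")


def redact_line(line, requester, names, roles):
    """Apply the rule-3 redactions (emails, phones, role titles, other names) to one line."""
    line = EMAIL_RE.sub("[REDACTED EMAIL]", line)
    line = PHONE_RE.sub("[REDACTED PHONE]", line)
    for role in roles:  # job/role titles
        line = re.sub(re.escape(role), "[REDACTED ROLE]", line, flags=re.IGNORECASE)
    for name in names:  # all names other than that of the person making the request
        if name.lower() != requester.lower():
            line = re.sub(re.escape(name), "[REDACTED NAME]", line, flags=re.IGNORECASE)
    return line


def redact_email(raw, requester, names, roles):
    """Return a new redacted copy of the message; the original is left untouched."""
    headers, _, body = raw.partition("\n\n")
    kept = [redact_line(h, requester, names, roles)
            for h in headers.splitlines() if h.lower().startswith(KEEP_HEADERS)]
    body_out = [redact_line(line, requester, names, roles) for line in body.splitlines()]
    return "\n".join(kept + [""] + body_out)


# Constructed sample message (fictional people, reserved 07700 900xxx number).
SAMPLE = """From: Jane Leader <jane.leader@example.org>
To: alex.requester@example.com
Cc: District Commissioner <dc@example.org>
Date: Tue, 3 Mar 2020 10:15:00 +0000
Subject: Camp incident report - Alex Requester and Sam Third

Alex Requester was present. Sam Third (Assistant Section Leader) witnessed it.
Call me on 07700 900123 or email jane.leader@example.org.
Regards, Jane Leader, Group Scout Leader"""


def sample_redaction():
    return redact_email(SAMPLE, "Alex Requester",
                        names=["Jane Leader", "Sam Third", "Alex Requester"],
                        roles=["District Commissioner", "Assistant Section Leader",
                               "Group Scout Leader"])


if __name__ == "__main__":
    print(sample_redaction())
```

The subject line still passes through the redaction step, matching the "unless the title line conflicts with the above" caveat in rule 4.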
What is the purpose of the right of access under GDPR?
The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing.
Can we charge a fee for dealing with a subject access request?
You must provide a copy of the information free of charge. However, you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
You may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that you can charge for all subsequent access requests.
The fee must be based on the administrative cost of providing the information.
How long do we have to comply?
Information must be provided without delay and at the latest within one month of receipt.
You will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, you must inform the individual within one month of the receipt of the request and explain why the extension is necessary.
What if the request is manifestly unfounded or excessive?
Where requests are manifestly unfounded or excessive, in particular because they are repetitive, you can:
- charge a reasonable fee taking into account the administrative costs of providing the information; or
- refuse to respond.
Where you refuse to respond to a request, you must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.
How should the information be provided?
You must verify the identity of the person making the request, using ‘reasonable means’.
If the request is made electronically, you should provide the information in a commonly used electronic format.
The GDPR includes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information (Recital 63). This will not be appropriate for all organisations, but there are some sectors where this may work well.
The right to obtain a copy of information or to access personal data through a remotely accessed secure system should not adversely affect the rights and freedoms of others.
What about requests for large amounts of personal data?
Where you process a large quantity of information about an individual, the GDPR permits you to ask the individual to specify the information the request relates to.
The GDPR does not include an exemption for requests that relate to large amounts of data, but you may be able to consider whether the request is manifestly unfounded or excessive.