Select an area of expertise to find out more about our experience.
Find out more about our barristers and business support teams here.
This webinar, designed for professionals navigating Subject Access Request challenges, covered the legal framework, offered practical advice, and provided tips for litigation.
The relevant provisions of the UK GDPR and the DPA 2018 dealing with SARs, including the circumstances in which a data subject’s rights may be restricted, were explained.
We addressed some key practical issues to consider when responding to SARs such as locating personal data; handling third-party data; meeting deadlines and assessing exemptions.
Finally, we shared our experiences of litigating SARs: how to prepare and run the case so as to minimise the costs (and pain) while maximising the odds of a successful outcome.
The presentations were followed by a Q&A session.
Click here to access the recording: Subject Access Requests Webinar – Society for Computers & Law (scl.org)
Below are some of the questions asked by delegates at the end of the webinar to which we have provided answers.
There are several situations in which a request might be made by someone other than the data subject, on the data subject’s behalf. For example, someone with parental responsibility for a data subject who is a child, or a court appointed guardian in the case of someone lacking capacity (see the safeguards which exist where such applications are made at Schedule 3, Part 2, section 4). Or an agent instructed by the data subject to make the request on the data subject’s behalf (e.g. a solicitor with instructions and authority to do so). What further information a data controller will require is situation dependent, but it is likely to include i) verification of the data subject’s identity and ii) verification that the person making the request has authority to make the request on behalf of that data subject.
An individual can always write to the ICO pointing out any clear deficiencies in its decision. There is also a way to make a ‘service complaint’ to the ICO: https://ico.org.uk/make-a-complaint/complaints-and-compliments-about-us/complain-about-us/
Judicial review is theoretically an option but not something which is likely to be viable often (a regulator is often given a broad margin of discretion by the courts).
A data subject who is advised that their UK GDPR/DPA rights were breached can, of course, pursue the claim through the courts—regardless of what the ICO decided.
No, only damages (it seems that a compliance order was not sought). However, it is common for claimants to seek a compliance order (e.g. to compel disclosure of data requested via a SAR, to compel rectification/erasure of data etc.) under s. 167 DPA 2018—in addition to or instead of damages. The s. 167 relief is discretionary as reflected in the use of the word ‘may’ in the legislation:
(1)This section applies if, on an application by a data subject, a court is satisfied that there has been an infringement of the data subject’s rights under the data protection legislation in contravention of that legislation.
(2)A court may make an order for the purposes of securing compliance with the data protection legislation which requires the controller in respect of the processing, or a processor acting on behalf of that controller—
Is it this one? https://curia.europa.eu/juris/document/document.jsf?docid=269146&doclang=en
We referred to two Austrian cases—both, confusingly, involving the Austrian Postal service.
The Austrian Post case on de minimis threshold is: UI v Österreichische Post AG (Case C-300/21).
The Austrian Post case on whether Article 15 GDPR requires disclosure of identities of data recipients is: RW v Österreichische Post AG (C-154/21)
The best summary on how personal data can be presented is in the Rudd v Bridle & Anor [2019] EWHC 893 (QB) case we mentioned. Paragraph 127 says:
“The claimant has no right to documents, nor does he have a right to know the full contents of documents. His right is to the information in personal data … Information can be presented in intelligible form without the need to provide its full context, or even the whole of the sentence in which it appears.”
This means that, as long as the information is presented in an ‘intelligible form’, it is permissible to extract it (e.g. into a response letter) without providing a copy of the document itself. That approach can be useful to avoid the appearance of wholesale redactions on a page (where the other paragraphs/sentences are not the person’s personal data).
Disclaimer:
The information provided, including content within the presentations, is for information purposes only. It does not constitute legal advice and should not be relied upon or treated as a substitute for specific advice relevant to particular circumstances. Users should seek appropriate legal advice before taking or refraining from taking any action based on the content.
16 April 2024
Chambers is delighted to announce that Head of Chambers, Jason Beer KC is one of only…
Discover more14 February 2022
The first hearings of the Post Office Horizon IT Inquiry commenced today. Previously a non-statutory…
Discover more15 February 2023
This is an ‘Original Manuscript’ of an article published by Taylor & Francis Group in the Journal…
Discover more