Information Law Webinar: Subject Access Requests (SARs)

3 October 2024

A webinar hosted in collaboration with the Society for Computers and Law (SCL)

Subject Access Requests

This webinar, designed for professionals navigating Subject Access Request challenges, covered the legal framework, offered practical advice, and provided tips for litigation.

The relevant provisions of the UK GDPR and the DPA 2018 dealing with SARs, including the circumstances in which a data subject’s rights may be restricted, were explained. 

We addressed some key practical issues to consider when responding to SARs such as locating personal data; handling third-party data; meeting deadlines and assessing exemptions.

Finally, we shared our experiences of litigating SARs: how to prepare and run the case so as to minimise the costs (and pain) while maximising the odds of a successful outcome. 

Speakers

  • Emma Price, Barrister
  • Beatrice Collier, Barrister
  • Alex Ustych, Barrister

The presentations were followed by a Q&A session.

Click here to access the recording: Subject Access Requests Webinar – Society for Computers & Law (scl.org) 

Q&A

Below are some of the questions asked by delegates at the end of the webinar to which we have provided answers.

We are not aware of any cases on this. Whether there are “reasonable doubts” concerning the identity of the natural person making the request for the purposes of Article 12(6) will always be fact specific. Data controllers are likely to be mindful of the risk of falling foul of the sixth data principle (processing in a manner that ensures appropriate security of personal data, in this context having regard to confidentiality in particular). This may explain why some data controllers take a more risk-averse stance when it comes to confirming identity, notwithstanding the content of ICO guidance.

There are several situations in which a request might be made by someone other than the data subject, on the data subject’s behalf. For example, someone with parental responsibility for a data subject who is a child, or a court-appointed guardian in the case of someone lacking capacity (see the safeguards which exist where such applications are made at Schedule 3, Part 2, section 4). Another example is an agent instructed by the data subject to make the request on the data subject’s behalf (e.g. a solicitor with instructions and authority to do so). What further information a data controller will require is situation dependent, but it is likely to include i) verification of the data subject’s identity and ii) verification that the person making the request has authority to make the request on behalf of that data subject.

If the ICO fails to progress a complaint at all, a data subject can apply to the First-tier Tribunal (“FTT”) under s. 166 DPA 2018 for an order that the ICO progresses a complaint which has been made to it under section 165 or Article 77 GDPR. However, this is not a backdoor to appeal the ICO decision where there is no statutory right to do so (as there is with FOIA decision notices for example). The Upper Tribunal in Lawton v. Information Commissioner (UA-2022-000676-GIA) is a helpful case to consider. Mr Lawton complained to the ICO about how two organisations had handled his SARs. In both complaints the ICO decided that no further action was required by it. Mr Lawton subsequently complained to the FTT that in both instances the ICO had “not taken appropriate steps to investigate his complaint”. Both complaints were struck out by the FTT. Mr Lawton argued that the Upper Tribunal should order the ICO “to investigate to the extent appropriate”. The UT made clear that s. 166 is not applicable to challenging the merit of the ICO decision—it only applies narrowly to procedural steps along the way to that decision. Section 166 is therefore not a route to re-open or re-investigate complaints, only to ensure complaints are progressed.

An individual can always write to the ICO pointing out any clear deficiencies in its decision. There is also a way to make a ‘service complaint’ to the ICO: https://ico.org.uk/make-a-complaint/complaints-and-compliments-about-us/complain-about-us/
Judicial review is theoretically an option but not something which is likely to be viable often (a regulator is often given a broad margin of discretion by the courts).
A data subject who is advised that their UK GDPR/DPA rights were breached can, of course, pursue the claim through the courts—regardless of what the ICO decided.

No, only damages (it seems that a compliance order was not sought). However, it is common for claimants to seek a compliance order (e.g. to compel disclosure of data requested via a SAR, to compel rectification/erasure of data etc.) under s. 167 DPA 2018—in addition to or instead of damages. The s. 167 relief is discretionary as reflected in the use of the word ‘may’ in the legislation:

(1) This section applies if, on an application by a data subject, a court is satisfied that there has been an infringement of the data subject’s rights under the data protection legislation in contravention of that legislation.
(2) A court may make an order for the purposes of securing compliance with the data protection legislation which requires the controller in respect of the processing, or a processor acting on behalf of that controller—

  • (a) to take steps specified in the order, or
  • (b) to refrain from taking steps specified in the order.

Is it this one? https://curia.europa.eu/juris/document/document.jsf?docid=269146&doclang=en

We referred to two Austrian cases—both, confusingly, involving the Austrian Postal service.

The Austrian Post case on de minimis threshold is: UI v Österreichische Post AG (Case C-300/21).
The Austrian Post case on whether Article 15 GDPR requires disclosure of identities of data recipients is: RW v Österreichische Post AG (C-154/21)

The best summary on how personal data can be presented is in the Rudd v Bridle & Anor [2019] EWHC 893 (QB) case we mentioned. Paragraph 127 says:
“The claimant has no right to documents, nor does he have a right to know the full contents of documents. His right is to the information in personal data … Information can be presented in intelligible form without the need to provide its full context, or even the whole of the sentence in which it appears.”
This means that, as long as the information is presented in an ‘intelligible form’, it is permissible to extract it (e.g. into a response letter) without providing a copy of the document itself. That approach can be useful to avoid the appearance of wholesale redactions on a page (where the other paragraphs/sentences are not the person’s personal data).

Disclaimer:

The information provided, including content within the presentations, is for information purposes only. It does not constitute legal advice and should not be relied upon or treated as a substitute for specific advice relevant to particular circumstances. Users should seek appropriate legal advice before taking or refraining from taking any action based on the content.


Authors

Beatrice Collier

Call 2004

Emma Price

Call 2007

Alex Ustych

Call 2010
