ICO revises guidance on Subject Access Requests (SARs)

Out-law.com has recently reported that the Information Commissioner's Office has set out, in its newly revised code of practice on subject access requests (SARs), how the rules under the Data Protection Act on handling individuals’ requests for personal data apply to organisations that allow employees to store such information on their own devices.

The Data Protection Act states that people have a right to a copy of the personal data organisations hold on them, by filing a request for such information. This includes employees requesting data held by their employers. Such requests are called data subject access requests (SARs) and must generally be complied with within 40 days.

According to the article, supplementary information also has to be disclosed by organisations alongside the personal data they provide in response to SARs. This includes the types of personal data organisations hold about the requester, the purposes of their processing and details of the third parties to whom the requester’s data may be disclosed, as well as the logic involved in any decisions taken on the basis of personal data processing carried out by computer algorithms or automated decision technology.

The ICO stated that it is “good practice” for organisations to apply a “policy restricting the circumstances in which staff may hold information about customers, contacts, or other employees on their own devices or in private email accounts”. However, it did confirm that where organisations allow staff to store such information on their own devices, that data is potentially subject to disclosure when SARs are submitted.

“If you do permit staff to hold personal data on their own devices, they may be processing that data on your behalf, in which case it would be within the scope of a SAR you receive,” the ICO said. “The purpose for which the information is held, and its context, is likely to be relevant in this regard. We would not expect you to instruct staff to search their private emails or personal devices in response to a SAR unless you have a good reason to believe they are holding relevant personal data.”

What I found particularly interesting is that the ICO has also used this opportunity to confirm that organisations cannot ignore SARs submitted through social media channels. Whilst organisations can steer people towards submitting SARs through a particular communications channel, they “may not insist on the use of a particular means of delivery for a SAR”.

“Individuals may make a SAR using any Facebook page or Twitter account your organisation has, other social-media sites to which it subscribes, or possibly via third-party websites,” informed the ICO. “This might not be the most effective way of delivering the request in a form you will be able to process quickly and easily, but there is nothing to prevent it in principle. You should therefore assess the potential for SARs to be received via social-media channels and ensure that you take reasonable and proportionate steps to respond effectively to requests received in this way.”

The ICO did comment, however, that organisations are entitled to ask requesters to confirm their identity and that they can, in some cases, respond to SARs submitted via social media using other communications channels: “you may decline to use social media to supply information in response to a SAR if technological constraints make it impractical, or if information security considerations make it inappropriate to do so. In these circumstances you should ask for an alternative delivery address for the response.”

So it seems we must ensure that our best practices, following the introduction of the GDPR next May, are developed to include procedures for BYOD initiatives and for SARs received via social media.

Original article published at https://www.out-law.com/en/articles/2017/june/ico-updates-its-guidance-on-handling-subject-access-requests/