The General Data Protection Regulation (GDPR) comes into force 25 May 2018 and will introduce the greatest changes to data protection legislation in over 30 years. In this blog Val Surgenor, charity law specialist at MacRoberts LLP, looks at subject access requests (SARs) under the GDPR and what changes this will bring. There is less than a year to go now before the GDPR comes into force, therefore you should act now to make sure you are GDPR compliant!
A SAR is a request for personal information that your Charity may hold about a data subject, i.e. an individual. If an individual wishes to exercise their subject access right, the request must be made in writing. The purpose of a SAR is to make individuals aware of the processing of their personal data and to allow them to verify that the processing is lawful.
Under the GDPR and the current Data Protection Act (DPA), individuals have the right to obtain confirmation as to whether personal data about them is being processed by your Charity. If personal information is being processed, they are entitled to access:
Charities need to be mindful that the rules on subject access apply to any individual. Charities are likely to hold and process personal data about their trustees, employees, service users, members, donors, volunteers and many others. Each category will have the same access rights.
Under the GDPR, the procedure for making a SAR is similar to the procedure under the DPA. However, there are some key changes your Charity needs to be aware of, which may require you to make changes to your Charity’s procedures:
Under the DPA, your organisation can charge up to £10 for a SAR. Under the GDPR, a request for personal information is free unless the request is ‘manifestly unfounded or excessive.’
Your organisation can charge a ‘reasonable fee’ for multiple requests. Impact: This may have a significant effect on your organisation where you receive large volumes of requests, and it may increase your organisation’s administrative costs.
At present there is insufficient guidance on what is meant by “manifestly unfounded or excessive”, and therefore your organisation should approach this with some caution. It should also be recognised that the £10 fee may in the past have acted as an impediment to making a request, so charities may see an increase in requests once it is removed.
Under the DPA, you must respond to SARs within 40 days of receipt of the written request. Under the GDPR, your organisation must respond to SARs within one month of receipt.
This deadline can be extended by a further two months where there are a number of requests or the request is complex, but you must contact the individual within a month of receipt, explaining why the extension is necessary.
Impact: Charities will have a shorter time to deal with SARs; therefore having an effective procedure in place will ensure that you are able to comply with the new reduced timescales. Being able to recognise a subject access request and pass it to the correct person in your Charity will be critical if you are to comply with the reduced timescales.
Remember, for it to be a valid request, it doesn’t need to say it is a subject access request or even mention the DPA. If staff have personal e-mail accounts to which a SAR could be sent, these should be monitored when the member of staff is out of the office (for example when on holiday or on secondment) to ensure that SARs are dealt with quickly. Remember that you will only have up to one month to respond, so your Charity needs to have good procedures in place to make sure it complies on time and is able to provide the information that it needs to.
Individuals can make a SAR electronically. If they do so, the information provided should be in a commonly-used electronic format, unless otherwise requested. But remember your Charity must verify the individual’s identity prior to granting access to information.
This can sometimes take a little time, especially if it is a guardian or someone acting under a power of attorney who is seeking the information about a data subject. In responding to a subject access request, the Charity will need to advise the data subject of:
Impact: Where your Charity doesn’t already have a procedure for staff to identify a SAR and/or know how to escalate it to be dealt with, put a procedure in place and train staff accordingly. Does your Charity have a data retention or data destruction policy? If not, put one in place: think about what data you hold and why, how long you really need to hold it, and whether you need to hold all of it. Be careful to question why you want to hold onto data “just in case”. If your Charity has thought about what data it holds and how long it needs to hold it, this will assist in complying with the new information provisions.
Under the GDPR, organisations can withhold personal data if disclosing it would ‘adversely affect the rights and freedoms of others.’ It will be up to the UK government to introduce any further exemptions to SARs such as for national security, defence and public security.
Charities should take advice if they are proposing to withhold information on this basis, as your organisation will need to consider carefully whether the exemption applies; relying on it should not result in a refusal to provide all of the information requested.