Tag Archives: Transparency (Data Protection)

Subject Access Requests under the GDPR

The right of subject access has been a cornerstone of the Data Protection Act 1998 (“the DPA”).  This is the right that allows individual data subjects to, among other things, receive confirmation from a data controller whether or not the controller is processing their personal data and to obtain copies of that data which is being processed by the data controller.  Under the DPA, data controllers have 40 calendar days in which to respond to a subject access requests and can charge a fee which does not exceed the prescribed limit (which is £10 for most data controllers).

The critical importance of the right of subject access means there is no surprise that the General Data Protection Regulation (“GDPR”), which becomes applicable from 25 May 2018, continues to have in place a right of subject access. The right of subject access is to be found in Article 15 of the GDPR and has been incorporated into Clause 43 of the Data Protection Bill, published by the government earlier this month.  There have been some changes to that right which are designed to make it much more effective for data subjects.  This blog post explores some of the key changes to the right of subject access; however, it is by no means comprehensive.

The first key change to note is the length of time that data controllers will have to comply with a subject access request; this is being reduced from the current 40 calendar days to 30.  Where the data controller has “reasonable doubts as to the identity of an individual making” as subject access request, then they may request the provision of additional information to enable the controller to confirm the identity.  Where such a request is made, Clause 52 of the Data Protection Bill provides that the 30 day period does not begin to be calculated until the day on which that information is provided to the data contoller.  It should be noted though that this does not provide a route to delay the fulfilling of a subject access request; the data controller must have doubts as to the identity of the requester and those doubts must be reasonable.

In terms of fees, there is no provision within the GDPR for a data controller to request a fee for making a subject access request; however, Article 15(3) of the GDPR does permit data controllers to charge a reasonable fee based on administrative costs for providing copies of the personal data being processed beyond the first copy (i.e. the first copy is free).  For subsequent copies, what will be considered a “reasonable fee” remains to be seen.  The Data Protection Bill has supplemented this provision and allows the Secretary of State to set a cap on such fees.  There has not yet been any indication as to whether (a) the Secretary of State will set such a cap; and (b) if so, what that cap will be.

The administrative fines provisions of the GDPR apply to the right of subject access and a failure to comply with the requirements of Article 15 can attract a maximum administrative fine of the greater of €20m or 4% of global turnover.

Data Controllers have sometimes interpreted the right of subject access under Section 7 of DPA as only providing a right to receive copies of the personal data processed, but that is not the case; and it continues to be the case under the GDPR.  Data Controllers should therefore familiarise themselves with the full suite of rights that a data subject has under the heading of subject access; these can be found in Clause 43(2) of the Data Protection Bill or in Article 15 of the GDPR.

There are a number of circumstances in which a data controller can restrict a data subject’s right of subject access.  These are set out in Clause 43(4) of the Data Protection Bill and are:

  • to avoid obstructing an official or legal inquiry, investigation or procedure;
  • avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
  • to protect public security;
  • to protect national security

However, where a data controller has restricted the data subject’s right to subject access, the data contoller is required to provide certain information to the data subject in writing and without undue delay.  That information is:

  • that the rights of the data subject have been restricted;
  • the reasons for the restriction;
  • the data subject’s right to make a request to the Information Commissioner to check that the processing is compliant;
  • the data subject’s right to make a complaint to the Information commissioner; and
  • the data subject’s rights to make an application to the court (in Scotland, the Court of Session or the Sheriff Court).

One additional point of note about subject access requests is that the GDPR, in recital 63 and unlike the Data Protection Directive, upon which the Data Protection Act 1998 is based, states that the purpose of the right to subject access is to enable the data subject “to be aware of, and verify, the lawfulness of the processing.”  This may mean that Subject Access Requests may be rejected where they are submitted for other reasons.  Whether the courts will consider Recital 63 as exhaustive as to the purposes for which an individual may exercise their rights of subject access or not remains to be seen.

There is a lot to the right of subject access and there are some key changes which will come into effect on 25 May 2018.  This is a cornerstone of data protection law and data controllers should be attaching substantial weight to compliance as a consequence.

Alistair Sloan

If you would like any advice and assistance on subject access requests, either under the GDPR or the Data Protection Act 1998, or any other Information Law matter; then contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

Privacy and the Monitoring of Communications in the Employment Setting

On 5th September 2017 the Grand Chamber of the European Court of Human Rights issued its decision in the case of Bărbulescu v. Romania, which considers the application of the right to a private and family life contained in Article 8 of the European Court of Human Rights to the monitoring of a person’s communications by their employer.

The background to the case is that an employee was dismissed by his employer for making use of company equipment and services (internet connection and computer) for personal purposes during working hours; in particular, he had been sending personal messages (some of which were of an “intimate nature”) to his brother and fiancée.  The company’s internal policies prohibited this use and after following the disciplinary process required by Romanian domestic law, he was dismissed.  He brought a case in the domestic courts and was unsuccessful in all of those courts.  He then brought a case before the European Court of Human Rights which ultimately ended up with the Grand Chamber issuing its decision on 5th September 2017.  The procedural background to the case is more fully set out in the Court’s judgment.

The Court stated that the relationship between an employee and their employer “is contractual, with particular rights and obligations on either side, and is characterised by legal subordination.” (paragraph 117) The court went on to state, at paragraph 118, that “labour law leaves room for negotiation between the parties to the contract of employment.  Thus, it is generally for the parties themselves to regulate a significant part of the content of their relations.”

In terms of the margin of appreciation afforded to States under the European Convention of Human Rights, the Court decided, at paragraph 119, that States “must be granted a wide margin of appreciation in assessing the need to establish a legal framework governing the conditions in which an employer may regulate electronic or other communications of a non-professional nature by its employees in the workplace.”  However, the Court went on to state, in paragraph 120 of its judgment, that “the discretion enjoyed by States in this field cannot be unlimited.  The domestic authorities should ensure that the introduction by an employer of measures to monitor correspondence and other communications, irrespective of the extent and duration of such measures, is accompanied by adequate and sufficient safeguards against abuse.”  These adequate and sufficient safeguards, the court stated at paragraph 121, “are essential.”

The Court sets out five factors which it considers domestic authorities should treat as being relevant:

  1. What notification has been given to the employee regarding the possibility that the employer might take measures to monitor their correspondence and other communications, and what notification the employee has been given regarding the implementation of these measures;
  2. The extent of the monitoring by the employer and the degree of intrusion into the employee’s privacy (a distinction should be drawn between simply monitoring the flow of communications and the monitoring of the content of the communications);
  3. The reasons the employer has provided to justify the monitoring of their communications and their actual content – greater justification will be required for monitoring the content as opposed to just the flow;
  4. Whether it would have been possible for the employer to have in place a monitoring system that was based on less intrusive methods and measures than simply directly accessing the content of the employee’s communications;
  5. The consequences of the monitoring for the employee subjected to it, and the use made by the employer of the results of the monitoring operation, in particular whether the results were used to achieve the declared aim of the measure;
  6. Whether there were adequate safeguards in place; especially when the employer’s monitoring operations are of an intrusive nature.

This case makes it clear that it can be legitimate for an employer to monitor, not only the flow of private communications made by an employee on company systems, but also the actual content of the correspondence.  However, employers do not have an unlimited right.

Employers will have to think carefully about what aims they are trying to achieve by the monitoring of communications by employees on company systems and whether their proposed method of monitoring is proportionate with that aim.  Furthermore, employees should be given clear and fair notice of what monitoring is taking place and the purpose for the monitoring.

Employers will also need to give careful consideration to the safeguards that they need to have in place with regards to the monitoring procedures they have in place and ensure that what safeguards they do have in place are adequate.  With regards to safeguards, the court specifically stated that employers should not have access to the actual content of the correspondence concerned unless the employee has been notified in advance.

The court has also said that domestic authorities should ensure that any employee whose communications have been monitored has access to a remedy before a judicial body and that judicial body should have jurisdiction to determine, at least in substance, how the six criteria set out in its judgment have been observed and whether the impugned measures were in fact lawful.

This decision doesn’t really change the law as it already operated.  The decision does not prevent employers from undertaking the monitoring of communications by their employees on the employer’s systems.  However, the decision does act as a useful reminder that the ability to conduct such monitoring activities is not wholly unrestrained.  The decision, coupled with the forthcoming applicability of the General Data Protection Regulation, may well provide a good opportunity for employers to review their policies in this area to ensure that they are compliant with the law.

Alistair Sloan

If you would like advice on a matter concerning data protection or privacy, then you can contact our Alistair Sloan on 0345 450 0123 or by completing the contact page on this blog.  Alternatively, you can send him an E-mail directly.