Regardless of Brexit, the General Data Protection Regulation will bring in a range of new rights allowing employees to access information held on them by employers. Clare Edwards and Joe Orme of Hill Dickinson advise on key changes, including to subject access requests.
On 28 May 2018, the data protection regime across the EU (including the UK) will change. The General Data Protection Regulation (GDPR) will replace the provisions of the Data Protection Act 1998 (DPA).
The GDPR preserves the rights provided under the current law and also provides new rights and enhanced protection for individuals, who are known as “data subjects”. Failure to comply with the provisions of the GDPR may lead to greatly increased monetary sanctions, so it is critical that any organisations processing personal data are aware of the changes.
What enhanced rights are given under the GDPR?
New data subject rights include the right to erasure, requiring an organisation to delete the personal data it holds and to cease processing it any further.
This data could include personnel records, metadata on computers and servers, CCTV, call logs, electronic premises access records, health and safety reports and any other electronic records or filing systems used within the organisation.
In addition, individuals will have a right to rectification of personal data being processed inaccurately by an organisation, and the right to data portability, essentially giving an individual the ability to have a copy of their personal data in a commonly used and a machine-readable format.
Perhaps the most prominent and commonly used right under the DPA is subject access, and this is changing under the GDPR. Organisations need to be aware of the changes and how to prepare for subject access requests under GDPR.
Subject access under the GDPR
The GDPR defines personal data as “any information relating to a data subject” and a data subject as an identified or identifiable (whether directly or indirectly) living person to whom personal data relates. Organisations must consider how to identify individuals, in particular employees.
Names clearly identify a person, but so may an email address, a payroll number or computer login details. Careful consideration will need to be given to any other aspects of an organisation’s operation that use alternative designations (through coding or shorthand) to identify an individual.
European Data Protection Regulation
On 4 May 2016, the General Data Protection Regulation (2016/679 EU) (GDPR) was published in the EU Official Journal. The GDPR came into force on 24 May 2016 and will apply to member states from 25 May 2018. The GDPR repeals the Data Protection Directive (95/46/EC) with effect from the latter date.
The GDPR forms part of a package of measures for data protection reform, with a Data Protection Directive (2016/680 EU) for the police and criminal justice sector.
According to a European Commission fact sheet “Data protection reform – questions and answers”, a single law will apply, rather than different national laws. Organisations will be able to deal with one supervisory authority rather than different authorities and will “benefit from consistency of decisions where the same processing activity takes place in several member states” (referred to as the “one-stop-shop”).
The Information Commissioner’s Office (ICO) has published an Overview of the GDPR. The overview comments that the “GDPR will apply in the UK from 25 May 2018”. It also states that: “The Government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.”
The GDPR applies to:
- the processing of personal data by an establishment within the EU, whether or not the processing takes place within the EU; and
- the processing of personal data of subjects within the EU by an establishment based outside the EU where the processing activities relate to the offering of goods or services to, or the monitoring of, subjects within the EU.
The GDPR allows regulators to impose significantly higher maximum fines than apply under existing provisions.
Supervisory authorities will be empowered to impose a fine of up to €20 million or up to 4% of an organisation’s annual worldwide turnover, whichever is greater (the ICO’s existing powers permit it to impose fines of up to £500,000).
The ICO has published “Preparing for the General Data Protection Regulation: 12 steps to take now” and a code of practice on communicating privacy information to individuals.
The GDPR sets out the purpose of a subject access request, something that is not explicit in the current regime. The right of access is stated to enable an individual to be aware of, and to verify, the lawfulness of the processing of their personal data.
Organisations must use “reasonable means” to identify those making a subject access request. For an employee, this should be sufficiently easy given the nature of the relationship.
When requesters are not employees, organisations should establish a policy that sets out the identification requirements needed to be sure that the requester is authenticated. Consider asking for passport/driving licence and recent utility bills. This data should only be processed in order to verify the identity of a requester. It should be processed no further once that purpose has been satisfied.
Fees for responding to a request
Further, under the DPA a fee of up to £10 can be charged for responding to a request. Helpfully, the time for complying with a request does not commence until payment has been made. This will no longer be the case under the GDPR as the right to charge a fee as standard is abolished.
Happily, though, organisations will be able to charge a “reasonable fee” when complying with requests for additional copies of data previously provided. The Information Commissioner’s Office states that the fee must be based on the administrative cost of providing the further copies. To clarify, this would not enable an organisation to charge for a subsequent subject access request that sought data that had not been previously requested or provided.
Deadline to comply with subject access requests
Another big change to the subject access regime will be the time allowed for compliance. Organisations will have less time to comply with a subject access request: the current regime allows for 40 calendar days, but the GDPR will reduce this to one month.
Organisations may, however, be able to seek an extension of up to a maximum of two further months in cases of complex or numerous requests from an individual. If an organisation seeks an extension, it must notify the requester within one month of receiving the original request and set out why the extension is necessary. Any explanation will need to be sufficiently detailed in order to justify the request.
Organisations should exercise their right, where legitimate, to ask the requester to specify the information to which the request relates.
Such a request for clarification will not pause the time for complying, but it may be of particular use to those organisations that process large amounts of personal data, bringing the search into focus.
Finally, organisations should keep in mind whether a request is manifestly unfounded or excessive. This is a new avenue for organisations receiving disproportionate requests. Organisations may be able to refuse to respond to such requests, or consider an administrative charge if the information is something that has been provided previously. Deciding whether a request is “manifestly unfounded or excessive” will turn on individual facts and organisations should seek legal advice before making a determination.