Subject Access Requests during Covid-19
A Subject Access Request (“SAR”) is a tool that allows you to exercise your right to see what information a company has about you.
As I previously explained, it can be a good alternative to your contractual right to obtain a copy of your files from professionals such as solicitors.
As a result of GDPR, everyone has the right to ask any organisation whether or not they are storing any personal information. Issuing a Subject Access Request normally means the recipient has up to one (calendar) month to comply with the request.
But what are the challenges for organisations seeking to comply with the normal rules during the global Covid-19 pandemic?
How does Coronavirus affect data protection?
The Information Commissioner’s Office (ICO) has confirmed that the key to dealing with data protection during these unprecedented times is ‘proportionality’. It published guidance how regulatory action should be approached during the pandemic , highlighting that there are likely to be delays.
For some organisations, such as hospitals, councils and police forces, Coronavirus has meant that their resources, people and finances are being diverted. Although statutory deadlines cannot be extended, the ICO states that it will be advising those making requests of the likely delays and will take a more lenient approach to enforcement.
There are three main areas where Coronavirus may change how organisations respond to SARs:
If an organisation has any doubts about the identity of the person making a SAR, then they are still entitled to ask for more information to confirm their identity, providing this is proportionate.
The period for complying with a Subject Access Request does not start until receipt of the additional information.
In the current climate, it should still be possible to ask for copies of passports, conduct online Anti-Money Laundering (AML) checks, and have video calls to verify identity.
Organisations, which have previously only accepted hard copy requests and evidence, may now be prepared to accept these electronically.
If the SAR is complex or there are multiple requests, then an organisation may be able to extend the deadline by a further two months. In this instance, a letter should be sent to the data subject explaining why the extension is required. This should be issued before expiry of the original one-month deadline.
Whilst most organisations will have data held electronically; the reality is that there will still be historical data held in paper form.
With the workforce of most organisations working remotely, there will be limitations on the extent of any data that can be provided at this time.
As such, the data subject should be provided with any data that can be obtained and informed that any missing data will be provided as soon as the circumstances permit (i.e. when staff are allowed to return to the office).
Complying with SARs during Covid-19
These are challenging times on a global basis and organisations have to do their best to comply in a manner that is proportionate to the circumstances. However, organisations should be readily able to justify instances where compliance has not been possible.