How should local authorities prepare for GDPR? Dealing with subject access requests.

GDPR gives individuals enhanced rights to access the data that organisations hold on them. Under current data protection legislation anyone can make a so-called subject access request and ask to see what data you hold on them. Under GDPR these rights are enhanced.

You will no longer be able to charge a fee for this service and you’ll have a month to respond rather than 40 days as is currently the case. It’s possible that this will result in a significant increase in the number of subject access requests so it’s important that organisations have this right and have a process in place to deal with subject access requests appropriately.

• Data audit – do you know what data you hold on individuals and where it is? It’s common for local authorities to have data held across multiple systems and numerous different departments. A data audit can help you map out what type of data you hold and where it is.

• Subject access request response – is there a process in place for dealing with subject access requests and does everyone know what it is? Subject access requests can come in to anyone in the organisation and the clock starts ticking as soon as they’re received. You need to make sure that everyone who could receive such a request is trained to recognise it when it comes in and to immediately pass it onto the data protection officer or whoever you have nominated to deal with such requests.

• Potential for embarrassment – individuals have the right to see all the data you hold on them in which they are personally identifiable. That includes mentions of them in staff emails or in the free text fields of databases where staff might write up notes after a meeting or phone call. This has always been the case but it’s probably worth reminding staff of this as part of your GDPR training, particularly since the number of subject access requests is likely to increase. Staff need to be conscious that everything they write about an individual in which that individual is personally identifiable is in scope and might potentially end up being shown to that individual.

• Limiting the scope – when a subject access request comes in you don’t automatically have to show the individual everything that you hold on them. You have the right to go back to them and ask them specifically what information they’d like to see, with the intention of limiting the scope of the request.

• Confirming the individual’s identity – clearly you should not give out an individual’s personal data without confirming that the person making the request is entitled to see it. You need to take reasonable steps to confirm that the individual making the request is who they say they are. You’re entitled to request a reasonable amount of information to confirm someone’s identity. How much information this is will depend on the circumstances. If an employee that you know personally makes a subject access request to you in person then it would not be reasonable to then ask them to produce documents to confirm their identity. However if a customer with whom you have had very limited dealings makes a subject access request then clearly you’ll need to take significantly more rigorous steps to confirm their identity.

If you’ve found this blog helpful then take a look at the first post in this series which looks at the issue of consent in local government.

The information provided and the opinions expressed in this blog post represent the views of the author. They do not constitute legal advice and cannot be construed as offering comprehensive guidance to the General Data Protection Regulation.