Requests for access to personal data (subject access requests, or SARs) could come from clients, third parties and investigatory bodies, particularly Police Scotland. An individual is entitled to a copy of the personal data that you hold about them but there are limits to that right. Police Scotland is entitled to request information without a warrant but if this contains personal data then you must decide whether or not you can provide them with the information.
Almost half of the complaints that the ICO receives are about SARs and so it is an area of concern for members of the public and the ICO. The obligations under the GDPR are greater and the timescales are shorter.
Clients and third parties – subject access requests
Under the GDPR, an individual can still ask for access to their own information. Before you provide that information, you should be satisfied about the identity of that individual and you can ask for verification before dealing with the request. The information must be provided without charge – previously you could request £10 payment but not under the GDPR.
You are expected to respond to the request without undue delay, and within one month of the request being made, which is on the calendar day a month after it was received.
In relation to clients, the process may be relatively straightforward, although you should consider whether they are entitled to all the personal data in their file which relates to other people and whether any other exemptions apply. See section on Requests from other organisations for personal data.
However, dealing with requests made by third parties, ie non-clients, is likely to be more difficult. You should not disclose any information which is legally privileged, but that exemption is not likely to apply to everything in your file. In relation to the other information in your file, you must consider whether it is the personal data of the requester and/or the personal data of your client or another third party. Sometimes personal data can relate to more than one person. If it is the personal data of another individual, then you must consider whether:
- The other individual has consented to the disclosure, or
- It is reasonable in all the circumstances to comply with the request even without that individual’s consent
You should consider the impact on the individual if the information is disclosed – in particular, your client will expect that information that they provided, and which is in their file, remains confidential, although there is still a balancing exercise to be made between the right to access to information and the right to privacy. The ICO has further guidance on SARs (www.ico.org.uk).
The ICO encourages data controllers to speak to the requester to try to locate the information that they are actually interested in:
“We consider it good practice for you to engage with the applicant, having an open conversation about the information they require. This might help you to reduce the costs and effort that you would otherwise incur in searching for the information.”
You cannot use this to try to narrow the request. Also, if the requester asks for access to all the personal data you hold about them, you are obliged to provide it subject to the exemptions mentioned here, and as will be outlined in the forthcoming Data Protection Act 2018.
It is important to note that the individual is entitled to the information held about them but not necessarily a copy of the actual document. other data subject rights are covered in the example of a data protection policy on the Society's website.
Requests from other organisations for personal data
These requests are most likely to be made by the police or other investigatory bodies for the prevention and detection of crime or to apprehend or prosecute offenders. Law firms are not obliged to comply with such a request, which does not have the status of a warrant or court order.
Organisations such as other law firms may also request personal data that they believe they are entitled to. This is because they believe that the data is necessary for legal proceedings or to obtain legal advice, or to establish, exercise or defend legal rights. This can include requests from organisations seeking to recover debts. Again, law firms are not obliged to comply with such a request, which does not have the status of a warrant or court order.
The responsible manager determines whether that information can be shared and, if so, has clear methods for searching all the data on record – both physical and digital files. The policy also includes the new shorter timeline (one month) for providing information.
GDPR guide for law firms
Our guide looks at the regulation and the Data Protection Act from the perspective of a legal practice.
- Law firms as data controllers
- Create a record of data processing
- Client confidentiality, legal privilege and limited exemptions
- Data retention
- Sharing data with third parties
- Data protection officers
- Security
- Reporting personal data breaches
- Requests for client personal data
- Appendix 1 - Consent
- Appendix 2 - Example of a data protection policy
- Appendix 3 - Background to the GDPR changes
