How to deal with a GDPR Personal Data Request
This arose from a recent experience of mine which was interesting. Amongst other things it was extremely time consuming.
The General Data Protection Regulation (“GDPR”) does not appear to compensate those of us who might have to spend a great many hours seeking to comply with the GDPR and the Data Protection Act 2018. The purpose of a subject access request is so that a Data Subject can obtain their personal data and check whether their privacy has been breached.
I was asked not that long ago by another Insolvency Practitioner (“IP”) if I had experience of such matters. I had, and then another such request sprouted recently, so I thought I would share my experience. It led to a complaint being issued to the Information Commissioner’s Office (“ICO”) by an individual whose bankruptcy I used to deal with, hereinafter referred to as the individual.
In the past I have received and addressed subject access requests from individuals in my capacity as a data Controller, but this was the first one since GDPR came along. So in response I contacted the ICO to obtain further guidance to clarify matters.
GDPR Personal Data
But first I looked at the ICO website as to what personal data is, in more detail. However, a problem that can arise is when personal data is unstructured, such as when a case involves literally thousands of emails, some or all of which might do no more than merely refer to an individual. What happens then? Are we supposed to review thousands of emails to see if there might be a few snippets of personal data lurking therein? It seems as though we are, but for what benefit is unclear, and potentially at great expense to the recipient of such a request.
I contacted the ICO helpline for further advice. I later discovered that they did not record these calls. When the ICO wrote to me about the complaint, although I had made a brief file note of the telephone call to them, I asked the ICO (pursuant to my own GDPR rights) to provide to me my own personal data that they had processed as a result of that call. In response to this request the ICO wrote to me as follows:
“Whilst we would like to thank you for your proactive action on this case, we would also like to clarify that telephone calls to our office are not recorded and, as our Helpline is anonymous, we do not hold a record of this call. As such, we would also like to advise that in the event that an organisation does opt to record calls, the individual should be explicitly informed of this.” [added emphasis]
I asked the ICO about personal data in the context of the case in which I was involved and how it needed to be communicated to the individual who had requested it. What appeared notable to me was that the ICO seemed to largely leave it to me, i.e. the Controller, to decide what was and was not personal data. The other thing was that the ICO’s helpline informed me that GDPR and the Data Protection Act 2018 did not enable the data subject to determine unilaterally the platform for provision of their personal data, i.e. electronic or hard copy.
Responding to GDPR Personal Data Request
The Subject Access Request from the individual was served on me by email seeking a response in PDF format or by mail. In response I posted to the individual a copy of their personal data via encrypted USB stick. The individual said they received my enclosure letter with the relevant notices but not the USB stick. The individual proceeded to demand all of their personal data be provided in hard copy format.
Upon being notified that the USB stick had not been received, I issued to the individual, more than once by email, a secure download link to their personal data, inviting them to contact me to confirm receipt so that I could provide a password to enable access to the data. In response the individual maintained their insistence that I provide the data to them by hard copy and did not acknowledge receipt of the download links.
Although Article 12(5) of the GDPR appears to anticipate that a subject access request is undertaken without charge, the Controller can look to either charge a fee or refuse a request in circumstances where it is manifestly unfounded or excessive. I informed the individual that if they wished to receive a hard copy of their personal data, they could place me in funds to discharge a third party quotation that I had requested on their behalf. This was a quotation from an independent copying company who could undertake the task of printing out, assembling and issuing a hard copy of the personal data. Due to the volume of data concerned this would run into several hundred pounds. I supplied to the individual a copy of the quotation and invited them to consider the matter accordingly.
A few weeks or months passed and then the ICO’s letter about the formal complaint arrived in my inbox. What was interesting was the way that the ICO couched the position in their letter as follows:
“Article 12(3) states that ‘Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject’.”
“As a result, we deem that it may be appropriate for your organisation to provide” the individual “with a hardcopy”. [added emphasis]
I sought to respond to this, inter alia, by suggesting that the ICO’s emphasis of “unless otherwise requested by the data subject” was a ‘request’; it was not grounds for the data subject to unilaterally determine the platform through which the data was to be provided.
After a review of the matter, some weeks later the ICO subsequently wrote to me as follows:
“Having considered the supporting documentation that has been provided to the ICO by both parties, we are of the view that Oliver Elliot has provided” the individual “… with a disclosure of” their “personal data in an appropriate format. We also deem that it may be acceptable, as per the legislation, to charge a reasonable fee to re-provide this documentation.”
The issue of an individual’s right to unilaterally insist upon a hard copy as opposed to an electronic version of the personal data was left unresolved.
In essence, because the individual had submitted their original request by email, and/or because they had done so and asked for it originally in PDF format or via post, the electronic provision that I had made was compliant.
However, what if the individual had supplied their original request only by post and stipulated that the response was to be afforded exclusively by post? I think it might be helpful if the ICO were to provide reasoned guidance on such a scenario.