Sorry, what?
Why on earth am I quoting 19th century poetry in an article about Data Protection and Subject Access Requests (SARs)? Let me explain the similarities and the warning signs we need to be aware of in prescriptive SARs. I’ll end with Top Tips in handling this particular type of SAR…

‘Jabberwocky’ by Lewis Carroll, which features in his sequel to ‘Alice in Wonderland’, ‘Through the Looking Glass’, is called a nonsense poem, but it has the curious quality of initially sounding, when it’s read out loud, like it actually makes sense, until you start to listen to the words a little closer:

‘Twas brillig, and the slithy toves
Did gyre and gimble in the wabe:

‘Beware the Jabberwock, my son!’

I’ve had to look up an analysis of the poem to know that ‘brillig’ means ‘about 4 o’clock in the afternoon’ (I might start using that!) And apparently ‘slithy’ is a portmanteau of slimy and lithe.

What has that got to do with SARs?
The similarity between ‘Jabberwocky’ and a number of SARs clients have been receiving recently is that reading these particular SARs can be the same experience as reading ‘Jabberwocky’:

  • at first it seems to make sense;
  • then you read further into it and start to get confused as to what it actually means; and
  • then you (or your adviser) look a few things up and it is put into context and plain language.

This is often the case when SARs are being used as a tool to try and get to a certain piece of information (that may or may not exist) for various reasons.

Usually linked to complaints or disciplinary procedures, these SARs will often list the types of documents, or specific documents, they want, and name people they want to see emails from. At first glance, like ‘Jabberwocky’, it all makes sense, and even seems to be helpful in fulfilling the request as it’s so prescriptive.

But then, you start to consider what is in those documents and emails, and wonder if they could/should be disclosed to the requestor; what about the privacy rights of other people, and exemptions for ongoing negotiations, for example?

So how does that help?
This is where I’ve seen people start to go around in circles, looking at the request, looking at the exemptions, looking at the request again. If this sounds familiar, then this is where you need to take a step back and look a few things up, or speak to an objective advisor.

At this point, I always say ‘go back to basics’ and focus on what the law says about the right to Subject Access.

General Data Protection Regulation (GDPR) Recital 63 states (with my own emphasis): “A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”

The right to Subject Access is not about obtaining documents, emails or anything else that someone thinks they would quite like to see, just in case it helps their complaint or disciplinary, if the data contained within them isn’t their personal data. Even if a document does contain the requestor’s personal data, there are a number of reasons why either some, or all, of its contents would be withheld from the SAR response.

Looking at the ICO’s detailed guidance on the right to access (in draft form at time of writing) gives us more of a steer on what should and shouldn’t be included in a SAR response. There’s no getting away from the fact the guidance is long (very long – 77 pages!) but it can be useful when working out what constitutes a subject’s ‘personal data’ and what is exempt from a SAR response, under the Data Protection Act 2018 (DPA 2018).

Top Tips
There is no one-size-fits-all answer, but here are 3 top tips to help keep you focussed on responding to a SAR as the law requires, versus responding to a shopping list type SAR that confuses the matter:

  1. Although a person’s name (or nickname, initials, or often their job title) is their personal data, a SAR doesn’t mean you have to provide them with a copy of every time it appears, if the information contained in the document is not ‘concerning him or her’.

    Example: You don’t have to provide a copy of every time the requestor signed a purchase order or got copied into an email about fantasy football. And they especially don’t have the automatic right to a copy of the whole document that contains their name. For example, a set of minutes that refers to the requestor as well as to many other agenda points.

  2. The data protection rights of other people are just as valid as the rights of the requestor, and it’s up to you to carefully balance those rights, and decide when it is reasonable to disclose information about other people that’s contained with the requestor’s own data.

    Unfortunately, it’s not as straightforward as getting consent from the other person. Consider whether the data can be anonymised without the requestor working out the other person’s identity. If not, consider the expectations of the other person, and any confidentiality promised to them, as well as their position in the organisation and their role. For example, in the DPA 2018 there is an expectation of reasonableness (to disclose at least some of their information to a SAR requestor) for health workers, social workers and education workers.

  3. Don’t be afraid to use the exemptions that are laid out in the DPA 2018; they’re there for good reason. As well as protecting third parties’ privacy rights, as above, exemptions include information that would prejudice ongoing negotiations, confidential references given or received for work purposes, and information to which legal professional privilege applies, amongst many others.

    Example: I recently saw a SAR, raised by a solicitor on behalf of their client, which asked specifically for a copy of an employment reference. The person who received that SAR was thinking about providing it, even though they knew there was an exemption, because it had been asked for, and asked for by a solicitor.

  4. Bonus Tip! When responding to a SAR made by a parent for their child’s personal data, remember the right of access is the child’s right, not the parent’s right. So, you don’t have to release information if you are not confident that the child has freely consented to the parent accessing their data, and for some types of data you should withhold it if the ‘serious harm’ test is met.

It’s easy to be lulled into following instructions in a prescriptive SAR request, but don’t be afraid to take a step back, take a breath, and take another look at the context provided by the law. If we can help with that in any way, please contact the Data Protection Team; we are always happy to help.

Remember, ‘beware the Jabberwock, my son!’