Beware the Jabberwock, my son! (Or, a warning about prescriptive Subject Access Requests…)

Sorry, what?
Why on earth am I quoting 19th century poetry in an article about Data Protection and Subject Access Requests (SARs)? Let me explain the similarities and the warning signs we need to be aware of in prescriptive SARs. I’ll end with Top Tips in handling this particular type of SAR…

‘Jabberwocky’ by Lewis Carroll, which features in his sequel to ‘Alice in Wonderland’, ‘Through the Looking Glass’, is called a nonsense poem, but it has the curious quality of initially sounding, when it’s read out loud, like it actually makes sense, until you start to listen to the words a little closer:

‘Twas brillig, and the slithy toves
Did gyre and gimble in the wabe:
…
‘Beware the Jabberwock, my son!’

I’ve had to look up an analysis of the poem to know that ‘brillig’ means ‘about 4 o’clock in the afternoon’ (I might start using that!) And apparently ‘slithy’ is a portmanteau of slimy and lithe.

What has that got to do with SARs?
The similarity between ‘Jabberwocky’ and a number of SARs clients have been receiving recently, is that reading these particular SARs can be the same experience as reading ‘Jabberwocky’;

at first it seems to make sense;
then you read further into it and start to get confused as to what it actually means; and
then you (or your adviser) look a few things up and it is put it into context and plain language.

This is often the case when SARs are being used as a tool to try and get to a certain piece of information (that may or may not exist) for various reasons.

Usually linked to complaints or disciplinary procedures, these SARs will often list the types of documents, or specific documents, they want, and name people they want to see emails from. At first glance, like ‘Jabberwocky’, it all makes sense, and even seems to be helpful in fulfilling the request as it’s so prescriptive.

But then, you start to consider what is in those documents and emails, and wonder if they could/should be disclosed to the requestor; what about the privacy rights of other people, and exemptions for ongoing negotiations, for example?

So how does that help?
This is where I’ve seen people start to go around in circles, looking at the request, looking at the exemptions, looking at the request again. If this sounds familiar, then this is where you need to take a step back and look a few things up, or speak to an objective advisor.

At this point, I always say ‘go back to basics’ and focus on what the law says about the right to Subject Access.

General Data Protection Regulation (GDPR) Recital 63 states (with my own emphasis): “A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”

The right to Subject Access is not about obtaining documents, emails or anything else that someone thinks they would quite like to see, just in case it helps their complaint or disciplinary, if the data contained within them isn’t their personal data. Even if a document does contain the requestor’s personal data, there are a number of reasons why either some, or all, of its contents would be withheld from the SAR response.

Looking at the ICO’s detailed guidance on the right to access (in draft form at time of writing), gives us more of a steer on what should and shouldn’t be included in a SAR response. There’s no getting away from the fact the guidance is long (very long – 77 pages!) but it can be useful when working out what constitutes a subject’s ‘personal data’ and what is exempt from a SAR response, under the Data Protection Act 2018 (DPA 2018).

Top Tips
There is no one-size-fits-all answer, but here are 3 top tips to help keep you focussed on responding to a SAR as the law requires, versus responding to a shopping list type SAR that confuses the matter:

Although a person’s name (or nickname, initials, or often their job title) is their personal data, a SAR doesn’t mean you have to provide them with a copy of every time it appears, if the information contained in the document is not ‘concerning him or her’.

Example: You don’t have to provide a copy of every time the requestor signed a purchase order or got copied into an email about fantasy football. And they especially don’t have the automatic right to a copy of the whole document that contains their name. For example, a set of minutes that refers to the requestor as well as to many other agenda points.
The data protection rights of other people are just as valid as the rights of the requestor, and it’s up to you to carefully balance those rights, and decide when it is reasonable to disclose information about other people that’s contained with the requestor’s own data.

Unfortunately, it’s not as straightforward as getting consent from the other person. Consider whether the data can be anonymised without the requestor working out the other person’s identity. If not, consider the expectations of the other person, and any confidentiality promised to them, as well as their position in the organisation and their role. For example, in the DPA 2018 there is an expectation of reasonableness (to disclose at least some of their information to a SAR requestor) for health workers, social workers and education workers.
Don’t be afraid to use the exemptions that are laid out in the DPA 2018; they’re there for good reason. As well as protecting third parties’ privacy rights, as above, exemptions include information that would prejudice ongoing negotiations, confidential references given or received for work purposes, and information to which legal professional privilege applies, amongst many others.

Example: I recently saw a SAR, raised by a solicitor on behalf of their client, which asked specifically for a copy of an employment reference. The person who received that SAR was thinking about providing it, even though they knew there was an exemption, because it had been asked for, and asked for by a solicitor.
Bonus Tip! When responding to a SAR made by a parent for their child’s personal data, remember the right of access is the child’s right, not the parent’s right. So, you don’t have to release information if you are not confident that the child has freely consented to the parent accessing their data, and for some types of data you should withhold it if the ‘serious harm’ test is met.

It’s easy to be lulled into following instructions in a prescriptive SAR request, but don’t be afraid to take a step back, take a breath, and take another look at the context provided by the law. If we can help with that in any way, please contact the Data Protection Team, we are always happy to help.

Remember, ‘beware the Jabberwock, my son!’

Latest news, webinars and podcasts

Band 1 rankings in Chambers and Partners 2021 for Anthony Collins Solicitors Thursday 22 October 2020

Anthony Collins Solicitors is pleased to have been ranked as a Band 1 firm once again.

Covid-19 - A lockdown of property litigation updates Wednesday 21 October 2020

Since March 2020, commercial property owners and occupiers across many sectors, whether housing associations, charities, care providers or local authorities, have been impacted by the rules regulating how they deal with their tenants and their landlords. It seems each week there is a change in policy, regulation or legislation, governing how they must respond.

The Building Safety Bill: the golden thread of information Wednesday 21 October 2020

A key element of the Bill is the establishment of a duty holder regime and requirement to maintain the ‘golden thread of information’ throughout the life cycle of high-risk residential buildings

Care home contracts – CHC and additional fees Monday 19 October 2020

We have been working with care homes to update their contracts and advise on the risks of charging the resident a regular “top-up” or additional fee where a resident is funded through NHS CHC

In with a bang: cap on public sector exit payments from 4 November 2020 Monday 19 October 2020

The parliamentary processes are complete and the Restriction of Public Exit Payments Regulations 2020 (“the Regulations”) which cap exit payments in the public sector at £95,000 will be in force from 4 November.

WEBINAR: Practical lessons in crisis management and disaster recovery Friday 16 October 2020

As the UK’s social housing sector recovers from the initial Covid-19 outbreak and lockdown, now is the time to focus on the challenges that may emerge next.

WEBINAR: Role of joint ventures in driving housing-led regeneration Friday 16 October 2020

There is no universal approach to regenerating town centres. However, housing must be considered a key part of any regeneration project – providing well-needed new homes and economic growth.

Show racism the red card! #SRTRC Wednesday 14 October 2020

Friday 16 October marks the 6th annual Wear Red Day in England, Wales and Scotland. Wear Red Day is the brainchild of the charity; Show Racism the Red Card (SRTRC). SRTRC aims to educate young people so they are equipped to recognise and challenge stereotypes, misconceptions and negative attitudes towards race.

Prioritising building safety – the Fire Safety Bill Wednesday 14 October 2020

Alongside the Building Safety Bill published in July 2020, the Fire Safety Bill is a key step in the Government’s strategy to improve building and fire safety in the wake of the Grenfell Tower tragedy

LGPS: new flexibilities on extra payments and contributions Tuesday 13 October 2020

Government regulations came into force on 23 September 2020 providing LGPS (local government pension scheme) employers with flexibility on meeting exit payments and LGPS funds with flexibility too

Beware the Jabberwock, my son! (Or, a warning about prescriptive Subject Access Requests…)

Latest news, webinars and podcasts

Sector

Interests