Local authorities should be wary of reserving contracts for local suppliers, as recommended by Procurement Policy Note (PPN) 11/20. Other contracting authorities may want to maximise their use of this
Sorry, what? Why on earth am I quoting 19th-century poetry in an article about Data Protection and Subject Access Requests (SARs)? Let me explain the similarities and the warning signs we need to be aware of in prescriptive SARs. I’ll end with top tips in handling this particular type of SAR…
‘Jabberwocky’ by Lewis Carroll, which features in his sequel to ‘Alice in Wonderland’ 'Through the Looking Glass', is called a nonsense poem but it has the curious quality of initially sounding, when it’s read out loud, like it actually makes sense until you start to listen to the words a little closer:
‘Twas brillig, and the slithy toves
Did gyre and gimble in the wabe:
‘Beware the Jabberwock, my son!’
I’ve had to look up an analysis of the poem to know that ‘brillig’ means ‘about 4 o’clock in the afternoon’ (I might start using that!) And apparently ‘slithy’ is a portmanteau of slimy and lithe.
What has that got to do with SARs?
The similarity between ‘Jabberwocky’ and a number of SARs clients have been receiving recently, is that reading these particular SARs can be the same experience as reading ‘Jabberwocky’;
- at first, it seems to make sense;
- then you read further into it and start to get confused as to what it actually means; and
- then you (or your adviser) look a few things up and it is put it into context and plain language.
This is often the case when SARs are being used as a tool to try and get to a certain piece of information (that may or may not exist) for various reasons.
Usually linked to complaints or disciplinary procedures, these SARs will often list the types of documents, or specific documents, they want, and name people they want to see emails from. At first glance, like ‘Jabberwocky’, it all makes sense and even seems to be helpful in fulfilling the request as it’s so prescriptive.
But then, you start to consider what is in those documents and emails, and wonder if they could/should be disclosed to the requestor; what about the privacy rights of other people, and exemptions for ongoing negotiations, for example?
So how does that help?
This is where I’ve seen people start to go around in circles, looking at the request, looking at the exemptions, looking at the request again. If this sounds familiar, then this is where you need to take a step back and look a few things up or speak to an objective adviser.
At this point, I always say ‘go back to basics’ and focus on what the law says about the right to Subject Access.
General Data Protection Regulation (GDPR) Recital 63 states: “A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”
The right to Subject Access is not about obtaining documents, emails or anything else that someone thinks they would quite like to see, just in case it helps their complaint or disciplinary if the data contained within them isn’t their personal data. Even if a document does contain the requestor’s personal data, there are a number of reasons why either some or all, of its contents would be withheld from the SAR response.
Looking at the ICO’s detailed guidance on the right to access (in draft form at time of writing), gives us more of a steer on what should and shouldn’t be included in a SAR response. There’s no getting away from the fact the guidance is long (very long – 77 pages!) but it can be useful when working out what constitutes a subject’s ‘personal data’ and what is exempt from a SAR response, under the Data Protection Act 2018 (DPA 2018).
There is no one-size-fits-all answer, but here are three top tips to help keep you focussed on responding to a SAR as the law requires, versus responding to a shopping list type SAR that confuses the matter:
- Although a person’s name (or nickname, initials, or often their job title) is their personal data, a SAR doesn’t mean you have to provide them with a copy of every time it appears, if the information contained in the document is not ‘concerning him or her’.
Example: You don’t have to provide a copy of every time the requestor signed a purchase order or got copied into an email about fantasy football. And they especially don’t have the automatic right to a copy of the whole document that contains their name. For example, a set of minutes that refers to the requestor as well as to many other agenda points.
- The data protection rights of other people are just as valid as the rights of the requestor, and it’s up to you to carefully balance those rights, and decide when it is reasonable to disclose information about other people that’s contained with the requestor’s own data.
Unfortunately, it’s not as straightforward as getting consent from the other person. Consider whether the data can be anonymised without the requestor working out the other person’s identity. If not, consider the expectations of the other person, and any confidentiality promised to them, as well as their position in the organisation and their role. For example, in the DPA 2018 there is an expectation of reasonableness (to disclose at least some of their information to a SAR requestor) for health workers, social workers and education workers.
- Don’t be afraid to use the exemptions that are laid out in the DPA 2018; they’re there for good reason. As well as protecting third parties’ privacy rights, as above, exemptions include information that would prejudice ongoing negotiations, confidential references given or received for work purposes, and information to which legal professional privilege applies, amongst many others.
Example: I recently saw a SAR, raised by a solicitor on behalf of their client, which asked specifically for a copy of an employment reference. The person who received that SAR was thinking about providing it, even though they knew there was an exemption, because it had been asked for, and asked for by a solicitor.
- Bonus tip! When responding to a SAR made by a parent for their child’s personal data, remember the right of access is the child’s right, not the parent’s right. So, you don’t have to release information if you are not confident that the child has freely consented to the parent accessing their data, and for some types of data you should withhold it if the ‘serious harm’ test is met.
It’s easy to be lulled into following instructions in a prescriptive SAR request, but don’t be afraid to take a step back, take a breath, and take another look at the context provided by the law. If we can help with that in any way, please contact the Data Protection Team, we are always happy to help.
Remember, ‘beware the Jabberwock, my son!’
For more information
Most housing practitioners have perhaps been waiting for this news since the latest lockdown was announced by the Prime Minister on 4 January 2021.
Climate change and biodiversity is an area where significantly faster changes are needed on a global and local basis.
Chris Lloyd Smith, Adrian Leonard and Lisa Whitehouse discuss the planning opportunities available to owners of businesses and how to prepare for unforeseen events.
In their 3rd podcast of the series, Chris Lloyd-Smith and Maria Ramon discuss a number of problems with and difficulties that can arise in mediation and the mechanisms they use to overcome them.
Our previous round-up began by sharing the news that two vaccines had shown very promising test results. Here we are, not even a month later, and the first vaccines have already been administered!
The Covid-19 crisis has demonstrated that there is great resilience and innovation in the housing sector across Greater Manchester, it has also brought shortfalls and other priorities sharply into foc
For part 5 in this series of short podcasts, Chris Lloyd-Smith interviews associate Kadie Bennett on how she has been coping during these unprecedented times.
The first report of Donna Ockenden and her team into the review of maternity services at The Shrewsbury and Telford Hospital NHS Trust has been published today.
The Family Solutions Group (FSG) recommends a shift away from adversarial family proceedings, to a child-centred, holistic approach to family separation.
To receive invitations to our events, as well as information and articles on legal issues and sector developments that are of interest to you, please sign up to Newsroom.