Written and recorded by Robert Edwards, Law Hound
Welcome to this data protection training session from Data Law. My name is Robert Edwards. I'm a consultant at Law Hound. Previously, I was a counterintelligence and IT security specialist with Her Majesty's Government. I then moved on to lecturing and providing legal training.

Handling subject access requests: a quick background and introduction. The General Data Protection Regulation (GDPR) is designed to update the Data Protection Act 1998 (DPA). In this session, we're going to examine the changes the GDPR makes to the rights of individuals to access their data, to help organizations handle subject access requests properly. I shall be using the following terms: "individual", meaning the data subject, the individual whose data is held by an organization or a data controller; "organization", meaning the data controller, the organization holding the data; and "data", to mean personal data as applicable within the meaning of the Data Protection Act 1998 (DPA) and the GDPR.

The basis of access. Who has the right of access? Each natural person has a right to access their personal data, as Recital 1 of the GDPR recognizes: the protection of natural persons in relation to the processing of personal data is a fundamental right. This, in turn, means that the principles of and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data.

Access to personal data. Ever since the DPA, individuals have had a right to access their personal data. Under Article 21 of the GDPR, personal data means any information relating to an identified or identifiable natural person, the data subject.
We also know from Article 21 that an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. So the net is cast quite wide. The right also covers sensitive personal data, which is more private personal data that could be used in a discriminatory way. Article 9 of the GDPR refers to special categories of data, which is similar to sensitive personal data under the DPA but with two additions. GDPR special categories of personal data include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and, as a new addition, genetic data and biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, and criminal records, including data about criminal proceedings.

So why do we have rights of access? Well, as Recital 63 of the GDPR makes clear, an individual should be able to access their personal data easily and at reasonable intervals so that they can be aware of and verify the lawfulness of the processing.

So what is the extent of the right? Well, the right provided by Article 15(1) of the GDPR enables individuals to receive confirmation that their personal data is being processed. If personal data is being processed, the individual then has the right to a description of the personal data held concerning them and access to that data, that is, to obtain a copy, as allowed by Article 15(3), but only provided that having a copy shall not adversely affect the rights and freedoms of others, according to Article 15(4). However, this can't be used as a reason not to provide any information at all.
The categories of data processed are covered by Article 15(1)(b); the reason or purpose why their personal data is being processed by Article 15(1)(a); the envisaged retention period or, if this is not possible, the criteria used to determine this period, by Article 15(1)(d); details about anyone who has received or will receive their personal data, in particular anyone in third countries or international organisations, by Article 15(1)(c), together with what safeguards are in place relating to the transfer in accordance with Article 46, by Article 15(2); details of the source or origin of their data if it was not collected directly from them, by Article 15(1)(g); and details of any automated individual decision making or data processing, including profiling, with meaningful information about the logic involved and the significance and envisaged consequences of such processing for the data subject, by Article 15(1)(h). They also have the right to be told that they can complain to a supervisory body, Article 15(1)(f), and to be told of their right to request rectification or erasure of their personal data or to restrict or object to processing of their data, Article 15(1)(e).

Now, once the individual has accessed the data, it will enable them, where appropriate, to exercise their other GDPR rights, including the rights of rectification or erasure, to restrict processing or to object to processing, or to lodge a complaint with a supervisory authority.

Exercising the right: the request. To exercise that right of access, an individual must make a written request, which can be by electronic means, such as email or via an organization's website, or submit a subject access request (SAR) to the data controller or to an organization holding that data on behalf of and at the behest of the data controller. The SAR does not have to be in any particular format, but an organization should make some sort of SAR form available to be sent to an individual or to download from their website.
GDPR best practice means that, where possible, organizations should provide remote access to a secure self-service system which provides the individual with direct access to his or her information; that's Recital 63. Of course, this isn't going to be appropriate for all types of business. An essential element before any remote access can take place is that no data can be given out until the identity of the data subject has been confirmed. So before an organization releases any data, they should verify the identity of the individual making the request using reasonable means. For example, you may wish to ask to see some government-acceptable proof of identity, such as a birth certificate, a driving licence, a passport, or perhaps an official letter which details the individual's full name and address. And since you need to verify identity, it makes sense to be clear about this on any SAR form you devise and/or use, so that you can explain, before the request is submitted, the requirement to verify identity and what you will accept for verification purposes. This means, of course, that you won't be receiving an SAR unaccompanied by documentation, or if you do, it has been quite clearly explained beforehand that identity documentation is required.

Now, the problems with verifying identity. Article 15(6) of the GDPR makes it clear that, without prejudice to Article 11, which deals with processing personal data which does not require the data controller to identify a data subject, where the organization has reasonable doubts concerning the identity of the natural person making the request, the organization can request additional information necessary to confirm the identity of the data subject.

Providing the data. There are, as always, timescales. You have one month from receipt of the SAR to deal with it. Under Article 12(3) of the GDPR, the information requested by an SAR must be provided without undue delay
and at the latest within one month of receipt of the request. Article 12(3) allows for it to be possible to extend the period of compliance by an additional two months where necessary, if the requests are complex or numerous. However, an organization can't simply take that extra time without letting the individual know. Instead, Article 12(3) also makes it clear that within the original one-month period from the date of receipt of the request, the organization must write to inform the individual and explain why the extension is necessary.

Charging for the data: no fee. Article 12(5) of the GDPR makes it plain that the data or information must now be provided free of charge. So there's no right to the traditional practice that we had under the DPA of making a £10 charge to the individual to cover administrative expenses. However, as Article 12(5) also explains, there are exceptions when a data controller can make a charge, the first instance being when a request is manifestly unfounded or excessive. An organization can charge a reasonable fee if an individual's request is manifestly unfounded or excessive, particularly if it is repetitive. At this time there's no guidance on interpreting the expression "manifestly unfounded or excessive", but it is anticipated that the Information Commissioner's Office, the ICO, will provide guidance eventually. Until we get that, it would be wise for any data controller to be cautious when trying to levy a charge, and it would also be good practice to record the nature of the request and the reasons why such a request was considered to be either manifestly unfounded or excessive. A charge can also be levied in the event that a data subject requests further copies, so an organization can charge a reasonable fee to comply with requests for further copies of the same information. However, this does not mean that a charge could be made for all subsequent SARs.
The consideration under Article 15(5) is whether the requests are manifestly unfounded or excessive, again in particular, this time, because of their repetitive nature. Now, the burden of demonstrating the manifestly unfounded or excessive character of the request rests firmly with the data controller, who naturally will be expected, when called upon to do so, to be able to prove the reasoning behind their decision. So again, the decision and the reasons for the decision should be clearly documented.

So how much can be charged? Well, any fees charged must be reasonable and based on the administrative cost of providing the information. The UK Data Protection Bill, which at the time of recording this session is in its very earliest stages, seeks to impose regulations which will mean that organizations must publish guidance about the fees that they charge when they're relying on the exceptions to make a charge.

Providing the data: it should be clear and concise. Article 12 of the GDPR refers to transparent information, communication and modalities for the exercise of the rights of the data subject. Article 12(1) makes it clear that data should be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This is particularly important for any information addressed specifically to a child. Article 12(1) goes on to say that the information should be provided in writing or by other means, including, where appropriate, by electronic means. In particular, if the request regarding the data is made by electronic means, then, where possible, the data should be provided by electronic means unless the individual asks otherwise, for example because they want printed data. Recital 63 makes it clear that where an individual makes an electronic request, that data should be provided in a commonly used electronic format, if possible.
And where possible, an organization should be able to provide remote access to a self-serve secure system, one which would enable the individual to have direct access to his or her personal data. GDPR best practice would be a data subject access portal, enabling individuals to access their information quickly, easily and remotely. But the insertion of the words "where possible" into Recital 63 makes allowances for the fact that electronic access using a self-serve secure system may not be possible for every organization that holds data. Article 15(7) also allows data to be provided in combination with standardized icons in order to give, in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing; where the icons are presented electronically, they shall be machine readable. Information can also be provided orally. However, before that happens, Article 12(1) makes it clear that this should only be done where the identity of the data subject is proven by other means.

Withholding personal data. Recital 63 also provides that the individual should have direct access to his or her personal data, but that this should be provided without adversely affecting the rights or freedoms of others, including trade secrets or intellectual property and, in particular, the copyright protecting the software. This means that under the GDPR an organization could withhold personal data in these limited circumstances. Article 23 will enable the UK to introduce any further exemptions to SARs, such as for national and public security, crime prevention and regulatory functions, which we assume are likely to be similar to the DPA, and the UK Data Protection Bill seeks to do this. An organization would normally be expected to provide the information as requested by the individual within the allotted timescales. However, there are some exceptions to this in which a refusal could be made, when there has been:
No confirmation of identity. Subject to Article 11, which deals with processing personal data which does not require the data controller to identify a data subject, Article 12(2) makes it clear that an organization should usually facilitate the exercise of data subject rights unless the controller demonstrates that it is not in a position to identify the data subject. So if the organization is unable to confirm the individual's identity, then it doesn't have to comply. Of course, the organization must first take reasonable steps to request that the individual provides such additional information as is necessary to confirm the identity of the data subject.

An unreasonable request. As we've already seen, if an organization receives a request which is manifestly unfounded or excessive, they may charge a reasonable fee based on their admin costs. Alternatively, however, the organization will be able to refuse the SAR. Article 12(4) clarifies that the organization does still have to respond to the request without undue delay and at the latest within one month from receipt of the request, advising the individual that the organization is refusing to comply with the request, explaining the reasons for that refusal, and informing the individual of their right to complain to the supervisory authority and their right to seek a judicial remedy if they wish.

And that concludes this session for Data Law. Thank you for joining me, Robert Edwards, on this session.