Written and recorded by Robert Edwards, Law Hound
Welcome to this data protection training session from Data Law. My name is Robert Edwards. I'm a consultant at Law Hound Limited. Previously, I was a counterintelligence and IT security specialist with Her Majesty's Government. I then moved on to lecturing and providing legal training.

GDPR subject access requests. The GDPR, the General Data Protection Regulation, is set to come into force in May 2018 and introduces the greatest changes to data protection legislation in 30 years. In this session, we're going to consider one of the rights that individuals will have under GDPR, and that is the right to access their own personal data. We'll remind ourselves of the Data Protection Act rights and compare these with the GDPR rights.

Subject access requests, or SARs. Data controllers (organizations) hold personal data about data subjects for a variety of lawful reasons, and data protection legislation allows an individual who is the subject of that data (the data subject) to request details about any personal information that is held about them. To exercise that right of access, an individual must make a written request, known as an SAR, to the data controller or organization holding that data. In this session, I'll be using the following terms: "individual", meaning the data subject, the individual whose data is held by an organization or data controller; "organization", meaning the data controller, the organization holding the data; and "data", to be taken to mean personal data as applicable within the meaning of the Data Protection Act 1998 (the DPA) and the GDPR.

The DPA right. Under the GDPR, individuals will have a right similar to the right of access where they make an SAR, which they currently have under the Data Protection Act.
Let's remind ourselves of the DPA rights. Section 7 of the DPA gives an individual the right of access to their personal data from any data controller if they request it by submitting an SAR. It enables an individual to write to a data controller (for these purposes, an organization who holds personal data about them); it must be a written request, and they must pay a fee of £10, to be entitled: to be told whether any personal data is being processed; to be given a description of the personal data, the reasons why it is being processed and whether it will be given to any other organizations or people; and to be given a copy of the information comprising the data and details of the source of the data, where this is available. Before releasing the information, under section 7(3) the organization holding the information can ask the individual making the request for any further information that is reasonably required to establish that individual's identity.

GDPR right of access. The GDPR right of access is similar to the right under the DPA. However, Recital 63 makes it clear that an individual should be able to access their personal data easily and at reasonable intervals so that they can be aware of and verify the lawfulness of the processing. Recital 63 reinforces the right in relation to health records, to clarify that an individual should be able to access all data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. The right enables individuals to receive confirmation that their personal data is being processed. If personal data is being processed, then the individual has the right to a description of the personal data held concerning them, to access the data and to obtain a copy. The categories of data processed should be made known to them.
They should know the reason or purposes of why their personal data is being processed; the envisaged retention period or, if this is not possible, the criteria used to determine this period; details about anyone who has received or will receive their personal data; details of the source or origin of their data if it was not collected directly from them; and details of any automatic personal decision making or data processing, the logic involved and the significance and envisaged consequences of the processing for the data subject, and/or the consequences of such processing. The individual should also be made aware of their rights of rectification or erasure, to restrict processing or to object to processing, and to lodge a complaint with a supervisory authority. So the data subject's right is to be aware of and verify the lawfulness of the processing. This confirms comments of the European Court of Justice in YS v Minister voor Immigratie, Integratie en Asiel (Minister for Immigration, Integration and Asylum) that the purpose of SARs is to allow the individual to confirm the accuracy of data and to confirm the lawfulness of processing, and enables them to exercise rights of correction or objection if necessary. This probably means that requests for non data protection purposes could potentially be rejected, for example non data protection purposes such as to assist in litigation, as we've seen in Dawson-Damer v Taylor Wessing LLP, where the Court of Appeal said that there was nothing in the EU Data Protection Directive which limits the purpose for which a data subject may request his data or provides data controllers with the option of not providing data based solely on the request's purpose.

Dealing with an SAR. Before providing the information, the organization should verify the identity of the individual making the request using reasonable means.
Article 15(6) of GDPR makes it clear that, without prejudice to Article 11 (which deals with processing personal data which does not require the data controller to identify a data subject), where the organization has reasonable doubts concerning the identity of the natural person making the request, the organization can request additional information necessary to confirm the identity of the data subject to be provided.

Confirming data. There will, of course, be occasions when an organization holds a large amount of data, and it is useful to be able to clarify exactly what data the individual needs without having to provide data which is not required. Recital 63 of GDPR does enable an organization to request that, before the information is delivered, the data subject should specify the information or processing activities to which the request relates. This does not provide an exemption or excuse not to provide it, but it may be helpful in cutting down the amount of data to be sent to the individual, helping both the organization and the individual, who may not wish to plough through a huge amount of data.

Timescales for compliance. Very simply, one month. An organization has less time to comply with an SAR than under the DPA. Under Article 12(3) of GDPR, the information requested by an SAR must be provided without undue delay and at the latest within one month of receipt of the request. Can this be extended? Well, Article 12(3) also makes it possible to extend the period of compliance by a further two months if necessary, if the request is complex or numerous. However, an organization can't just take that extra time and not let the individual know. Instead, Article 12(3) also makes it clear that within the original one month time period from the date of receipt of the request, the organization must write to inform the individual and explain why the extension is necessary.
Where the individual makes the request by electronic means, the information should be provided by electronic means where possible, unless the individual asks otherwise, for example if they want the data in print.

How should the information be provided? Article 12 of GDPR refers to transparent information, communication and modalities for the exercise of the rights of the data subject. Article 12(1) makes it clear that data should be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This is particularly important for any information addressed specifically to a child. It should be in writing, electronically if possible. Article 12(1) goes on to say that it should be provided in writing or by other means, including, where appropriate, by electronic means. Recital 63 makes it clear that, if possible, where an individual makes an electronic request, then that data should be provided in a commonly used electronic format. Recital 63 also provides that, where possible, an organization should be able to provide remote access to a self-serve secure system, one which would enable the individual to have direct access to his or her personal data. The insertion of the words "where possible" into Recital 63 makes allowances for the fact that electronic access using a self-serve secure system may not be possible for every organization that holds data. However, GDPR best practice would be a data subject access portal, enabling individuals to access their information quickly, easily and remotely. Article 15(7) also allows data to be provided in combination with standardized icons in order to give, in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing; where the icons are presented electronically, they shall be machine readable.

Information can be provided orally. An individual can request that their data be provided orally.
However, before that happens, Article 12(1) makes it clear that this should only be provided where the identity of the data subject is proven by other means.

Withholding personal data. Recital 63 also provides that the individual should have direct access to his or her personal data, but that this should be provided without adversely affecting the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. This effectively means that under GDPR an organization could withhold personal data in these limited circumstances. Article 23 will enable the UK to introduce any further exemptions to SARs, such as for national and public security, crime prevention and regulatory functions, which we assume are likely to be similar to those in the DPA.

Charging: it's free. Article 12(5) of GDPR makes it plain that the data or information must now be provided free of charge. There will no longer be any right to make a £10 charge to the individual as there is under the Data Protection Act.

Exceptions. Article 12(5) also explains that there are exceptions when a data controller can make a charge. An organization can charge a reasonable fee if an individual's request is manifestly unfounded or excessive, particularly if it is repetitive. At this time, there's no guidance on interpreting "manifestly unfounded or excessive", but it is anticipated that the Information Commissioner's Office, the ICO, will do so eventually. Until we get that, it would be wise for any data controller to be cautious about trying to levy a charge. An organization can also charge a reasonable fee to comply with requests for further copies of the same information. However, this does not mean that a charge could be made for all subsequent SARs.
The consideration under Article 15(5) is whether the request is manifestly unfounded or excessive, in particular because of its repetitive character. The burden of demonstrating the manifestly unfounded or excessive character of the request rests firmly with the data controller, who, of course, should be able to prove the reasoning behind their decision. Any fees charged must be reasonable and based on the administrative cost of providing the information.

Refusal. An organization would normally be expected to provide the information as requested by the individual within the allotted timescales. However, there are some exceptions.

No confirmation of identity. Subject to Article 11 (which deals with processing personal data which does not require the data controller to identify a data subject), Article 12(2) makes it clear that an organization should usually facilitate the exercise of data subject rights under Articles 15 to 22 unless the controller demonstrates that it is not in a position to identify the data subject. So if the organization is unable to confirm the individual's identity, they don't have to comply. Of course, the organization must first take reasonable steps to request that the individual provides such additional information necessary to confirm the identity of the data subject.

In the event of an unreasonable request. As we've already seen, if an organization receives a request which is, quote, manifestly unfounded or excessive, they can charge a reasonable fee based on admin costs. However, although organizations will be able to refuse an SAR, Article 12(4) clarifies that the organization does still have to respond to the request without undue delay
and at the latest within one month of the receipt of the request, advising the individual that the organization is refusing to comply with the request, explaining why, and informing the individual of their right to complain to the supervisory authority and the right to a judicial remedy.

The key changes between the DPA and GDPR. Although they're very similar, there are some key changes, and data controllers have to take them into account. Under the DPA, a data controller could charge up to £10 for an SAR. Under GDPR, a data controller can't charge anything unless the request is manifestly unfounded or excessive or it's a request for further copies. Only in these limited circumstances can a data controller charge a fee, and then the fee must be based on the administrative costs in supplying the data. If an organization receives large volumes of requests, this may have a cost and labour impact, but it is something that must be prepared for.

Responding. The DPA allowed data controllers to respond to SARs within 40 days of receipt of the written request. GDPR shortens the time to one month from receipt of the SAR. If there are a number of requests or the request is complex, then the one month deadline can be extended by a further two months, but the data controller still has to contact the data subject within a month of receipt to explain why the extension is necessary. Having less time to respond may well be a problem, depending on the size of the organization, the number of requests, the amount of data and how and where that data is stored.

Electronic provision. Under GDPR a data subject can make an SAR electronically and, if they do, unless the data subject requests otherwise (for example, they ask for printed data), the data should be provided in a commonly used electronic format. Before doing this, the data controller needs to verify the individual's identity.
This means having a clear system which identifies and processes SARs effectively. Of course, best practice where possible under Recital 63 means providing a data subject access portal, enabling a data subject to access their information quickly, easily and remotely.

Thank you for joining me in this session. I'm Robert Edwards from Law Hound Limited for Data Law.