There are many challenges in handling subject access requests (SARs). Some may have a clear resolution, such as not retaining emails for 20 years, while others may be relatively untested issues, where the legislation and guidance aren’t wholly clear.
SARs are among the most common queries many data controllers, and data protection officers (DPOs) within organisations, will face on a daily basis. Even before GDPR, the Data Protection Act 1998 outlined the right for individuals to access their personal data held by organisations. The adoption of GDPR into UK law amounted to slashing the time from 40 working days to 30 working days for a response.
When it comes to responding to SARs, there are several common areas of confusion – often regarding whether or not particular information counts as “personal data” or whether any exemption might apply. These themes include “do I have to provide every email which mentions them over the past 20 years?” and “our customer services rep called them a twerp – can I withhold this?”. There are more unusual queries, too, which raise lesser-known aspects of the rules.
Where there’s no obvious answer to such questions, it may be helpful to open up a dialogue with the requestor to find a solution together, such as how they might identify themselves. You should also keep clear records of analysis and conclusions, including when you apply exemptions, and how you’ve balanced corporate interests with transparency for individuals. Although many SARs may seem straightforward, there are nuances in how the law is applied, which businesses need to remain on top of.
Do IP addresses count as personal data?
A company received a request from an individual to access information associated with an internet protocol (IP) address, which the requestor said was assigned to their computer. The question posed to me by the company was: do we need to provide this information?
A person has a right to access to personal data, which means information relating to an identified or identifiable individual. Someone can be identified by reference to an “online identifier”, which includes cookie identifiers and IP addresses. So, in theory, information associated with an IP address – such as logs of access to a website, or behavioural advertising profiles – could be personal data.
But it isn’t as simple as that. An organisation may or may not use IP addresses in a way that is intended to identify or impact specific individuals. They may automatically be collected by its systems, but either not reviewed, or only used for gathering aggregated statistics on website visitors. An organisation may also be unable to link the identity of someone making a SAR to the personal data associated with the IP address. So, if you receive a message from me asking for logs of my access to your website – which requires no credentials to access – can you be sure which IP addresses and therefore which logs relate to me?
How do you identify the individual making a SAR?
There’s an interesting and often overlooked provision of the UK GDPR under Article 11: if the purposes for which personal data is processed don’t require the identification of an individual, the organisation doesn’t have to maintain additional information to identify them. Furthermore, if the organisation can demonstrate it cannot identify them, the right of access, together with other rights of individuals, doesn’t apply. There’s an exception, however, If the individual provides additional information to identify themselves. They will then have a right to access their data.
Even where Article 11 doesn’t apply, where an organisation has reasonable doubts as to a requestor’s identity, Article 12(6) allows it to ask them for additional information to confirm their identity (before addressing the request).
In unpredictable times, a data strategy is key
Data processes are crucial to guide decisions and drive business growth
On an aside, where there is an issue with identifying someone making a request, I often hear a stock response of “we shall request a copy of the individual’s passport and proof of address”. Indeed, a passport contains several potential identifiers; full name, image, passport number, date of birth, and proof of address would mean you now know where the person lives. But how would that actually help you if your only dealings with them are online, and the records you hold do not include any of the same identifiers? What you have achieved is the collection of additional (possibly more sensitive) personal data leading to greater data protection risks in handling it. Identification checks need to be tailored to the context of your relationship with an individual.
Whilst the company in question did hold certain records by reference to an IP address, it could not at that stage be sure the IP address uniquely identified the person making the request. It needed to consider, in relation to the records held, whether it was in a position to identify an individual, and whether the requestor could provide additional information to enable their identification.
Exemptions to the right of access
Another organisation received a SAR from someone looking for information on decisions made about them. Opinions and decisions about someone are that person’s personal data, as the information “relates to” them. Information about reasons for a decision may also be personal data, again to the extent it relates to the specific individual.
However, the organisation was concerned that releasing all records concerning relevant decisions would reveal confidential and proprietary information about its decision-making techniques. So the question to me was whether it could apply any exemptions.
The bulk of the exemptions can be found in schedules 2 to 4 of the UK Data Protection Act 2018, which complements the UK GDPR. One that pops up a lot is “management forecasts”. This applies where data is used for the purpose of management planning, for example in relation to redundancies, and provision of that data would be likely to prejudice the conduct of the business, which didn’t apply in this case.
Is intellectual property exempt from SARs?
One exception relating to SARs sits under Article 15(4): “The right to obtain a copy… shall not adversely affect the rights and freedoms of others.” The data protection rights of other individuals most commonly spring to mind, but this can also refer to “trade secrets or intellectual property and in particular the copyright protecting the software”.
The purpose of the right of access is transparency, and exemptions are there to protect other businesses or public interests, but they shouldn’t be overused. It’s also important the application of Article 15(4) requires a balancing test between the requesting individual’s right of access to data, IP or rights of the other party. Just because another right exists does not mean that Article 15(4) automatically applies – in some cases the importance of providing access to personal data overrides the other right. In addition, perhaps curiously, it is an exception to the right to receive a copy of the data (under Article 15(3)), but not a general exemption to the right of access.
Taking all this into account, companies should not take an all-or-nothing approach. They need to assess how much personal data they can still provide, and how they can provide it, without unreasonably affecting other rights. A company could, for example, send reduced sets of data, or redact or extract data from records.
What do the data regulators say about intellectual property?
The reference to intellectual property rights in the UK GDPR is another frequently overlooked provision. Indeed, the Information Commissioner’s Office (ICO) guidance on exemptions doesn’t seem to mention it at all. It is touched on, however, within the European Data Protection Board (EDPB) guidelines on the equivalent right of access under the EU GDPR. They give an example of a gamer being denied access to a gaming platform due to allegations of cheating, detected by anti-cheating software.
The gamer makes a SAR, and requests information about the reasons for the decision. The gaming platform should provide some information about the alleged cheating – such as dates and times, what was detected – but may be able to withhold information concerning the technical operation of the anti-cheat software, if this is a trade secret and, presumably, to protect copyright.
Another example in the guidelines relates to a company’s proprietary techniques for a medical assessment. If the person makes a SAR, the company may be able to withhold information about the results of the assessment as it may reveal its techniques.
Regarding the original query, the organisation therefore needed to think about a few things:
- What specific content concerning decisions was the requestor’s personal data, and which decision-making techniques may be revealed by sharing this data
- Whether its decision-making techniques gave rise to intellectual property rights (to be assessed under intellectual property laws
- If so, how to balance those rights with the requestor’s right of access, and then to reach a conclusion: what personal data could and should still be shared, and how?
What about automated decision-making?
Uncover new insights with your data in the cloud
React faster and anticipate change - A guide and assessment for SMBs
Since we’re talking about decision-making, though, that’s not everything. As well as giving individuals a right to access personal data, Article 15(1) UK GDPR requires information to be provided about solely automated decision-making. This means decisions made by technological means without human involvement, such as automated credit scoring.
If these were taking place, the organisation must inform the requestor (amongst other matters) about the logic involved in those decisions. This does not necessarily mean sharing detailed algorithms, which may also prejudice intellectual property rights. But the information must be meaningful for the individual, to enable them to understand how the decision was made.
