As we discussed in the previous guest blog on Data Protection Law, operators of e-learning sites are likely to obtain and hold all kinds of data about users, including names and e-mail addresses at the very least, and so it is important to understand the rights that those users have in relation to their data. David Miller, Partner at Flint Bishop Solicitors, expands on this area, bringing clarity to the rights of a site user to access their personal data.
Section 7 of the Data Protection Act 1998 (Act) gives all individuals the right to make a “subject access request”. In this blog we will discuss what a subject access request is and how you (a data controller) must respond to such requests from your users (or, indeed, others).
Any individual who makes a written subject access request and pays a fee (if applicable) is entitled to be:
- told whether any personal data about them is being processed;
- given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people; and
- given a copy of the information comprising the data.
In most cases you must respond to a subject access request promptly and, in any event, within 40 calendar days of receiving it.
What is a valid subject access request?
For a subject access request to be valid it should be made in writing (this means it could be made via email, fax or hard copy).
There is no requirement for you to respond to a request made verbally but, in some circumstances, it might be reasonable to do so (as long as you are confident about the identity of the person you are talking to).
Where it is clear that the individual is asking for their own personal data, such a request should be treated as a subject access request. A request does not need to mention the Act specifically or even say that it is a subject access request.
A request is valid even if the individual has not sent it directly to the person who normally deals with such requests (it is therefore important that you and your employees are able to recognise what a subject access request looks like and ensure that it is treated appropriately).
You cannot require individuals to use a specifically designed form on your site when making a subject access request. Although your organisation may have a standard form that it would like individuals to use, you may only invite individuals to use this form. Any request made for subject access (in writing) must be considered as a valid request, whatever the format.
Contents of the information
The Act requires that any information you provide to an individual is in “intelligible form”. This means that the information you provide should be capable of being understood by the average person. This does not mean that the information you provide must be in a form that it is intelligible to the particular individual making the request.
For example, if you receive a request from someone whose English comprehension skills are quite poor and they ask you to translate the information that you have sent to them, there is no requirement for you to do this under the Act. However, it would be good practice for you to help them understand the information that you hold about them.
Any organisation receiving a request may (except in certain circumstances relating to health records) charge a fee for dealing with it. If your organisation chooses to charge a fee, you do not need to comply with the request until such time as you have received the fee. The usual maximum fee that you can charge is £10 (however there are different fee arrangements for organisations that hold credit, health or educational records and these should be checked before you levy a fee).
Although you need not comply with a request until you have received a fee, you cannot ignore a request simply because the individual has not sent a fee. If a fee is payable but has not been sent with the request, you should contact the individual promptly and inform them that they need to pay.
The Act allows you to confirm two things before you are obliged to respond to a subject access request:
- you may ask for information to judge whether the person making the request is the individual to whom the personal data relates (this is important as releasing the information to the wrong person would be a breach of the Act); and
- you must be reasonable about what you ask for. Therefore, you should not request lots of information if the identity of the person making the request is obvious to you.
Information regarding children
Many users of e-learning sites will be young but, for the purpose of the Act, there is not a sharp distinction between those who are over 18 and those who are not. Even if a child is too young to understand the implications of subject access rights, data about them is still their personal data and does not belong to others (e.g. a parent or guardian). Therefore it is the child who has a right of access to the information held about them (even though in the case of young children these rights are likely to be exercised by those with parental responsibility for them).
Before responding to a subject access request for information held about a child, you should consider whether the child is mature enough to understand their rights. If you are confident that the child can understand their rights then you should respond to the child rather than a parent. You should take into account the following:
- the child’s level of maturity and their ability to make decisions like this;
- the nature of the personal data;
- any court orders relating to parental access or responsibility that may apply;
- any duty of confidence owed to the child or young person;
- any consequence of allowing those with parental responsibility access to the child’s information (e.g. where there have been allegations of abuse or ill treatment);
- any detriment to the child if individuals with parental responsibility cannot access this information; and
- any views a child or young person has on whether their parent should have access to information about them.
What to do if the data includes information about other people
The Act says you do not have to comply with a request if to do so would mean disclosing information about another individual who can be identified from that information, except where:
- the other individual has consented to the disclosure; or
- it is reasonable in all the circumstances to comply with the request without the individual’s consent.
You will need to balance the data subject’s right of access against the other individual’s rights in respect of their own personal data. If necessary you may be able to redact information referring to others but you should only do this after receiving specialist advice on the issue.
The Act does not limit the number of subject access requests an individual can make to any organisation. However, it does allow some discretion when dealing with requests that are made at unreasonable intervals. Under the Act you are not obliged to comply with an identical or similar request to one you have already dealt with, unless a reasonable interval has elapsed between the first request and any subsequent ones. You should therefore consider the following:
- the nature of the data;
- the purposes of the processing; and
- how often the data is altered.
Given that it’s so brief and general, this blog cannot be considered to be definitive legal advice and you should not rely on it. However we hope that you found it useful and, if you do want some more specific or in-depth advice on dealing with subject access requests or compliance with the data protection regime, please feel free to contact David Miller on 01332 226466 or at firstname.lastname@example.org.
About David and Flint Bishop:
David Miller qualified as a solicitor in 2002 and joined Flint Bishop Solicitors, based in Derby, as Head of Commercial Contracts in January 2011. He advises a wide range of private and public sector clients on commercial contracts, data protection and intellectual property issues. During the course of 2012 David spent several months working as the interim head of UK Legal at publishing giant Lexis Nexis. As well as advising on specific legal issues, David conducts numerous commercial and data protection audits for businesses, ensuring compliance and minimising risk.