In this article we look at the issue of Subject Access Requests ("SAR") and what these mean for an Office Holder.
What rights are there?
The data protection legislation in the UK, consisting of the Data Protection Act 2018 ("the DPA 2018") and the UK General Data Protection Regulation ("UK GDPR"), regulates the way in which personal data can be used. An important part of this is to give individuals a right to access their own personal data: that means data from which a living individual can be identified, directly or indirectly.
Article 15 of the UK GDPR gives an individual the right to obtain confirmation of, and access to, their personal data from a Data Controller (the person who determines the purposes and means of processing personal data). In Southern Pacific Personal Loans Ltd, Re [2013] EWHC 2485 (Ch) the court held that Liquidators are not Data Controllers in respect of data processed by the company before its liquidation; they act as agents of the company, which remains the controller. In those circumstances the Office Holder is not personally subject to the obligations of the DPA 2018 or the UK GDPR, but their duty as agent remains and they must still ensure that a SAR is properly dealt with. However, there may be circumstances on the appointment of a Liquidator, or on the making of a bankruptcy order, in which the Office Holder does become the Data Controller for the information held by the company or the bankrupt.
A SAR is not restricted to being made in a specific form nor does it need to refer to legislation - it can be made verbally, in writing or via social media - so an Office Holder should be aware that however a request is made for personal data, it should be treated as a SAR. However, it is important to remember that the legislation provides a right to an individual's personal data only, and not the personal data of third parties, nor is it a right to documents.
Is it personal?
Should an Office Holder receive a valid SAR, the relevant personal data must be provided to the requestor without undue delay and in any event within one month of receipt. That period may be extended by a further two months (three months in total) where the request is complex or the individual has made a number of requests, but the requestor must be told of the extension, and the reasons for it, within the first month. It is important that a SAR is dealt with promptly, as non-compliance can lead to complaints to, investigations by, and enforcement action from the Information Commissioner's Office ("ICO").
As an Office Holder will only be required to provide an individual with their own personal data, it will be important to understand what information would actually be considered to be personal data in the relevant circumstances. This will depend on:-
- Whether the person is identifiable (directly or indirectly) from the data in question; and
- Whether the information 'relates to' the person as an individual rather than, for example, as referring to them in the context of the company's affairs.
Difficulties often arise in deciding what must be disclosed about an individual acting as company personnel. The data need only identify a natural person, directly or indirectly (for example by name, address, initials or some other reference). Where the individual is identifiable and the information relates to them in their personal capacity, rather than as a representative of the company, it is likely to be personal data and therefore disclosable.
The ICO has made its stance clear that information about a company is not personal data. Information relating to the company's finances, or to decisions taken on the company's behalf by its personnel, is therefore unlikely to be personal data and unlikely to be disclosable in response to a SAR.
However, in circumstances where a SAR has been made by a sole director, then the boundaries between whether data relates to the company or the individual can often be blurred, and much will depend on context.
Can we refuse to comply?
The right of access must not adversely affect the rights and freedoms of others (Article 15(4) of the UK GDPR), and paragraph 16 of Schedule 2 to the DPA 2018 provides an exemption from complying with a SAR to the extent that doing so would disclose information relating to another identifiable individual, except where:
- the other individual has consented to the disclosure; or
- it is reasonable to comply with the request without that individual’s consent.
Therefore, careful consideration must be given not only to the individual making the SAR but to third parties whose information might inadvertently be disclosed. We would suggest that all documents are redacted (where necessary) so that third parties' information is not disclosed unless there is consent or it is otherwise reasonable to disclose it without consent. The exemption applies only to the extent that third-party information would be revealed, so the requestor's own personal data in the same document should still be provided.
Depending on the context, Office Holders may also want to consider whether they can refuse to comply with a SAR, or charge a reasonable fee for dealing with it, where the request is manifestly unfounded or manifestly excessive (Article 12(5) of the UK GDPR). These exemptions would apply, for example, where the SAR is made with malicious intent to harass or cause disruption, or where it is clearly and obviously unreasonable because it is disproportionate to the burden or cost involved in dealing with it. The burden of demonstrating that a request is manifestly unfounded or excessive falls on the Office Holder, so a blanket policy is not acceptable and these exceptions should only be relied upon where there is solid justification: a SAR will not be considered excessive simply because a large amount of information has been requested. If a request is refused, the requestor must be told, within one month, the reasons for the refusal and of their right to complain to the ICO and to seek a judicial remedy.