A MoFo Privacy Minute Q&A: How to Avoid Nasty Surprises When Responding to Access Requests in the UK
This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.
Question
How should organizations best respond to access requests in the UK in order to avoid hitting the headlines?
Answer
When responding to access requests from individuals (“Access Requests”), organizations are legally obliged, under Article 15 of the UK General Data Protection Regulation 2018 (“UK GDPR”), to tell individuals what personal information such organizations process about them, and to provide the requesting individual with a copy of their personal information and other relevant supplementary information. Access Requests are common in the UK and likely to become increasingly common on the other side of the pond. Often wielded by individuals—particularly in the employment context—Access Requests can be a headache for organizations to manage, especially when used as a method of uncovering internal communications and sensitive information as a negotiation or litigation tool.
In light of the ICO’s recent reminder to organizations about handling Access Requests in the financial sector, organizations should take note of the following:
Organizations should ensure that their systems for dealing with Access Requests are operating efficiently (taking into account the different channels that individuals can use) to allow them to respond quickly once an Access Request is received. This will include providing training to all appropriate personnel who are likely to receive Access Requests (including outside of the Privacy team), so such employees can promptly recognize and triage an Access Request and route it to the correct department. The ICO takes the timeframes of Access Requests very seriously, requiring organizations to acknowledge an Access Request without undue delay and, at the latest, within one month of receipt. At the very most, organizations may be able to extend this by a further two months where an Access Request is deemed to be “complex” or if the individual has also sent a number of requests to the organization. While an organization may request clarification of an Access Request, particularly if the organization processes a large amount of information about the individual, the ICO will generally not accept excuses for any late responses and has the power to reprimand any organization that has failed to respond to an Access Request within the statutory timeframe.
As soon as an Access Request is received, the organization should check the extent to which it needs to provide information to the individual. Of course, the organization will be under pressure to respond as quickly and comprehensively as possible. However, the organization should build into its response process the opportunity to review whether any specific exemptions apply under the UK GDPR and UK Data Protection Act 2018 that permit an organization to refuse to fulfil an Access Request (in part or in full). For example, where complying with an Access Request is likely to require disclosure of information that identifies another individual without their consent, an organization must decide whether, on balance, the request requires this disclosure and whether it is reasonable to disclose without their consent. Similarly, where information to be disclosed includes records of an organization’s intentions in negotiations with an individual, which could prejudice the negotiations, or information concerning management planning (i.e., potential reorganizations or redundancies), then this personal information will be exempt from the Access Request. Where complying with an Access Request would require the disclosure of information subject to legal professional privilege, the organization may additionally be entitled to withhold the relevant privileged information. However, organizations should note that exemptions must be justified, taking into account the specific circumstances of the relevant Access Request.
There is no limit to the communication channels that are in scope for an Access Request; they could include text messages, recorded telephone calls, instant messages, and other messages sent through collaborative team communication tools. Organizations should train employees to avoid sending inappropriate or otherwise improper messages using internal work-related communication channels, particularly channels thought to be “private,” where employees are more likely to “speak freely.” In other words, employees should assume that whatever is said through work channels about an individual can be made public, or at least disclosed to the person being discussed. Often, when preparing a response to an Access Request, organizations find that they unearth personal information that they did not expect or know they had collected (and, unfortunately, information of the type that they would not want to provide).
Brittnie Moss-Jeremiah, London Trainee Solicitor, contributed to the drafting of this alert.