In October 2020, the ICO issued 81 pages of detailed guidance on Subject Access Requests. Most people won't deal with this until a Subject Access Request lands on their desk, so Rachael Eyre has picked out the key takeaways.
Key takeaways from the ICO's detailed guidance
The individual has a right to access their personal data
You cannot restrict that right by putting hurdles in the way of applying for or supplying the information. Subject Access Requests are purpose-blind: an individual doesn't need a reason to ask, and any reason they give doesn't matter (unless the request is manifestly unfounded or excessive).
You'll also need to make sure you comply with the Equality Act 2010 and provide the information in an accessible and secure way.
Be prepared
- Train your staff to recognise a Subject Access Request. It doesn't matter whether it arrives verbally, on social media, in a letter or by email. They all count.
- Know where your data is held and how to access it.
- Ensure staff know who to pass the request on to so it gets dealt with.
- Have policies and processes in place, including how you'll calculate any fees charged (where you're allowed to charge them). That way you can avoid accusations of bias if you apply them in a manifestly unfounded or excessive case.
Know the exceptions
You don't have to comply with a request if it is manifestly unfounded or excessive (e.g. where someone offers to withdraw a SAR in exchange for compensation, or it is very clearly just a SAR intended to disrupt the business). If you become aware that the individual has died before you respond, you don't have to respond (GDPR applies to living individuals).
Abide by the Subject Access Request time limits (if you can)
- One calendar month (it's simpler to think of it as 28 days) to respond.
- Ask for ID, further information and clarification as soon as possible. Waiting for ID or further information pauses the clock.
- If the SAR is unusually complex you can take a further two months. You cannot use this as a blanket response or simply because there is a lot of information. 'Complex' may include redacting other people's data from numerous documents. You must inform the individual within the original month that you are doing this.
- If you can't keep to the time limit, keep a note in your log of why. The ICO will be understanding of exceptional situations, such as an organisation with limited resources receiving 500 SARs on the same day from a Claims Management Company!
Keep Subject Access Request records
Record any decision you take concerning a SAR. E.g.:
- asking for ID
- confirming third-party authority
- deciding you don't have enough information to confirm whether it is the same person, and they haven't responded to requests for clarification
That way, if there is a complaint, you can demonstrate to the ICO the steps you took and the decisions you made.
Check it's the right person
Yes, you can ask for ID. Don't keep a copy; just note in your log what you saw and who checked it.
But is ID a proportionate way to confirm this is the right person? If someone is on your marketing list, you've probably never seen their ID, so it won't help you confirm they're the right person.
Check the authority of third parties. An employer cannot make the request on an employee's behalf without that authority.
Key principles
- Be fair.
- Keep the data secure.
- Keep a log of actions and decisions.