The Data Access Request:
Many companies receive a data request arising from a dispute between the Employer and Employee, or a personal injury incident. Though some requests come from employees for various other reasons, the general response is to ask: what are we required to provide?
Firstly, you need to know that:
Individuals have the right to access their personal data.
This is commonly referred to as subject access.
Individuals can make a subject access request verbally or in writing.
You have one month to respond to a request.
You cannot charge a fee to deal with a request in most circumstances.
Secondly, the subject making the request is:
Confirming that you are processing their personal data and other supplementary information.
Thirdly, you need to ensure:
An individual is only entitled to their own personal data, and not to information relating to other people. So, you will need to redact any information or images that include other people.
Under the previous 1988 and 2003 Acts, data controllers could refuse to comply with a data access request if it was of a vexatious or repeated nature. Under GDPR, data controllers will have some grounds for refusing to grant an access request such as where a request is manifestly unfounded or excessive.
Policy for refusing
However, you will need to have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria.
Shorter Time Period
You must contact the individual without undue delay and within one month of receipt of the request.
Extending the time period
You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. You must let the individual know within one month of receiving their request that you intend to extend the time and explain why the extension is necessary.
If you process a large amount of information about an individual you can ask them for more information to clarify their request. You should only ask for information that you reasonably need to find the personal data covered by the request.
You need to let the individual know as soon as possible that you need more information from them before responding to their request. The period for responding to the request begins when you receive the additional information. However, if an individual refuses to provide any additional information, you must still endeavour to comply with their request, for example by making reasonable searches for the information covered by the request.
Justification for refusal
You should inform the individual about:
The reasons you are not taking action;
Their right to make a complaint to the Company or the Data Protection Commission; and
Their ability to seek to enforce this right through a judicial remedy.
Request for fees
You should also provide this information if you request a reasonable fee or need additional information to identify the individual.
Proof of Identity
If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality.
Issue a request for proof
You need to let the individual know as soon as possible that you need more information from them to confirm their identity before responding to their request. The period of reply will be extended beyond the 30 days if you are required to seek indemnity.
Why should I seek proof of identity?
If the request comes in from a person no longer in your employment. Normally, if the person is in your employment, there is no need. A request from a solicitor on behalf of the subject is not adequate proof. While it is often requested following notice that they are acting for and on behalf of the subject, you will need a letter of authorisation from the subject, but not necessarily proof of ID.
Requests for CCTV images may be refused if the images show other subjects. “Personal data” shall mean any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.
A request for CCTV by third parties can be refused if the systems are not capable of removing third party images unconnected to the basis of the claim.
A policy for the use of CCTV should include:
The identity of the data controller;
The purposes for which data is processed;
Any third parties to whom the data may be supplied;
How to make an access request;
Security arrangements for CCTV.
While a person whose image is captured has a right to seek and be supplied with a copy of their own personal data from the footage, where the image cannot be supplied in electronic format, still images can be supplied. Again, images of third persons must be redacted.