This briefing provides an overview of the Right to Access detailed at section 15 of the Data Protection (Bailiwick of Guernsey) Law, 2017 and describes some key points which organisations may want to consider when receiving and responding to a Data Subject Access Request ("DSAR").
A related briefing on the object of the DPL, some of the key concepts used in the DPL, what the data principles are and the rights of data subjects is available here.
The right to access
An individual has a right to be given the following information – (a) confirmation as to whether or not personal data relating to the individual is being processed in the context of a controller, and (b) if personal data relating to the individual is being processed in the context of a controller – (i) the information specified in Schedule 3 to the DPL, (ii) one copy of the personal data, and (iii) further copies of the personal data.
On request by an individual, the organisation (being the “controller") must give the individual that information. Essentially, the right to access allows a data subject to ask what personal data an organisation holds about them and why, and allows the data subject to receive a copy of the personal data. This right is exercised by way of a DSAR.
What is a DSAR?
DSARs are a cornerstone of the data protection regime, being fundamental in helping individuals to exercise their rights. Broadly speaking, a DSAR outlines a request by an individual in which they ask “what do you know about me?”. Any information identified in response is likely to be the data of that individual. The DSAR captures all of the individual’s personal data and “personal data” is any information relating to an identified or identifiable individual, including opinions expressed about that individual. The DSAR can be made in any format and need not mention “data subject access request” so the organisation’s staff must be able to spot a DSAR when it arrives. Under a DSAR, an individual is only entitled to their own personal data, and not to information relating to other people (unless they are acting on behalf of that person and with appropriate authority).
First steps and identity
IIt is recognised good practice for an organisation to send the requesting individual an acknowledgment of the DSAR and this can be combined with a request for information to verify that the DSAR is genuine. If the request for information by the individual is very wide this is also a chance to invite the individual to narrow their request to see if there is something they are particularly interested in. If the individual does not wish to narrow the scope then this cannot be used to avoid responding to a DSAR.
The first question the organisation (being the “controller”) should ask itself when a DSAR is received is “are we sure this individual is who they say they are?”
In the event that the organisation has any reason to doubt the requestor’s identity, it may request any additional information that is reasonably necessary to provide the verification. When the identity of the requesting individual cannot be verified despite the organisation taking reasonable steps, the individual will not be entitled to exercise any data subject right and the organisation will not be required to give the information. Where a third party is making a DSAR on behalf of a data subject then the organisation must satisfy itself that the request being made is genuinely by the individual whose data is being sought.
Once a DSAR is received and organisation is satisfied that the request is genuinely from the individual, the clock for responding to the DSAR starts. Organisations in Guernsey have one month to respond to the DSAR, although in this can be extended for a period of a further two months (respectively) in certain circumstances.
A DSAR can be made by a third party on another individual’s behalf. Where a third party is used, it is important to confirm with the individual that the third party has authority to act on their behalf. This might be a written authority to make the request, or it might be a more general power of attorney. If an organisation thinks an individual may not understand what information would be disclosed to a third party who has made a DSAR on their behalf, an organisation may send the response directly to the individual rather than to the third party. The individual may then choose to share the information with the third party having had the opportunity to review it.
What information should be provided?
As well as providing the individual with a copy of any personal information held by the organisation (subject to certain exemptions and exceptions – see below), the organisation must provide a statement setting out certain additional information relating to the use of the individual’s personal data (as set out in Schedule 3 to the DPL). The contents of this statement are very similar to the information that must be included in the organisation’s privacy notice and includes:
- the identity and contact details of the controller and, where applicable, any controller's representative;
- the contact details of the data protection officer, where applicable;
- whether any of the personal data is special category data;
- if any of the personal data has not been collected from the data subject by either of the controller or a processor acting on the controller's behalf – (a) the source of the personal data, and (b) if applicable, whether the personal data was obtained from a publicly available source;
- the purposes and the legal basis of the processing;
- where the lawfulness of processing is based on the processing being necessary for the legitimate interests of the controller or a third party, the legitimate interests concerned;
- the recipients or categories of recipients of the personal data, if any;
- if the controller intends to transfer the personal data to a recipient in an unauthorised jurisdiction, reference to the appropriate or suitable safeguards applying to the transfer and the means to obtain a copy of them or where they have been published or otherwise made available; and
- the period for which the personal data is expected to be stored, or if that is not possible, the criteria used to determine that period.
When the organisation provides copies of information to the data subject, this information must be provided free of any charge, except in the case where the individual is asking for further copies, or when the request is frivolous, vexatious, unnecessarily repetitive, or otherwise excessive. Where a fee is charged the organisation must let the individual know about the fee and how much it is before they do the work. If the organisation is not going to comply with all or any part of a request, it must notify the individual of the reasons for the organisation not so complying and that the individual has the right to complain to the Office of the Data Protection Authority (the "ODPA").
The search
Often the key challenge for an organisation responding to a DSAR is ascertaining where to search for the personal data and then subsequently sorting through the data retrieved to extract the information. Electronic storage systems and structured physical filing systems must be searched, including archived and back-up data. This can be a time consuming exercise although IT solutions are available to help with this process. The Law does not allow any extension to the time limit in cases where the organisation has to rely on a processor to provide the information needed to respond. An organisation must carry out a comprehensive review to ensure that all personal data that it processes about the data subject is located. This includes reviewing:
- all paper records;
- all electronic records (including emails, cloud systems, and deleted items);
- all filing systems;
- all archive records; and
- all workplace messaging systems and devices.
An organisation must also ensure that any data held by any processors used is searched and included in the response.
Exceptions and exemptions
Schedule 8 to the DPL provides certain, limited and specific exemptions to the right of access and includes:
- where a reference is given (or is to be given) by a controller for education, training or employment purposes, the appointment, or prospective appointment, of the data subject to any office, or the provision, or prospective provision, by the data subject of any service;
- where the data is processed solely for the purpose of assessing any person's suitability for judicial office or the office of king's counsel or the conferring by the crown of any honour or dignity;
- where the disclosure of the personal data is prohibited by any law;
- where the personal data has been recorded by any candidate during an examination;
- where the personal data relates to privileged items;
- where the personal data is processed for a management forecasting or management planning activity; and
- personal data that is processed for the purpose of, or in connection with, a corporate finance service provided by a relevant person.
If any part of a DSAR is "manifestly unfounded", the organisation may refuse to give the information or take the action requested in that part of the request.
Any organisation intending to rely on these exceptions must be certain that it is entitled to do so and must be ready to evidence this to the ODPA.
Mixed data
Often the individual’s personal data is mixed with that of one or more other people and this places the organisation in a more difficult position. The requesting individual is entitled to their own data but not to the personal data of other people. Here the organisation needs to undertake a balancing exercise. To determine if it is reasonable to refuse the request, an organisation should consider the following (known as a "balancing test"):
- if the other individual has consented or expressly refused consent to the disclosure;
- the ability for the other individual to be able to give informed consent;
- the type of personal data involved (remembering that the Law dictates that you should take extra care with special category data);
- the significant interests at stake in the disclosure / non-disclosure of the information for the requestor, and the other individual;
- the reasonable expectations of each individual in relation to the disclosure of that information;
- the persons to which, and the circumstances in which, the disclosure is to be made;
- if storage of that information is or may be involved following disclosure, the period for which that information is or may be stored;
- the existence of appropriate safeguards for the protection of that information, once disclosed;
- the possible consequences for each individual of disclosure of that information.
If an organisation decides to disclose the information it should inform the other individual and clarify the basis for the decision. If an organisation is not giving everything the individual is asking for the organisation will need to tell them why this is the case (except in very limited circumstances where doing so would prejudice the basis upon which it is being withheld). An organisation must document all the decisions it makes as it may be asked by the data subject (or by the ODPA) to justify how it arrived at the decision about what information was disclosed, or withheld, in response to a DSAR.
With appropriate redactions the information might still be shared. Alternatively, it can be appropriate for the organisation to see if the other person would object to their information being disclosed.
Manner of response
With the use of DSAR's becoming increasingly common, it is important that anyone dealing with personal data understands what a DSAR is, when it can be used, how an organisation should respond to the request and the timeframe for its response. Even entities which have had one or more DSARs must reflect on whether their procedures are in line with the required approach. A key trend in decisions by the ODPA relate to failures by organisations to properly respond to DSARs and this has resulted in public reprimands being issued.
Ordinarily, an organisation may not charge a fee for processing a DSAR. If however, any part of the request is frivolous, vexatious, unnecessarily repetitive or otherwise excessive under the Guernsey legislation or manifestly vexatious, the organisation may either refuse to provide the information or may provide the information but charge a reasonable fee for the administrative costs of doing so. Any organisation intending to rely on these exceptions must be certain that it is entitled to do so and must be ready to evidence this to the ODPA.
Walkers' comments
With the use of DSAR's becoming increasingly common, it is important that anyone dealing with personal data understands what a DSAR is, when it can be used, how an organisation should respond to the request and the timeframe for its response. Even entities which have had one or more DSARs must reflect on whether their procedures are in line with the required approach. A key trend in decisions by the ODPA relate to failures by organisations to properly respond to DSARs and this has resulted in public reprimands being issued.
The organisation should keep in mind that a DSAR is ‘purpose blind’, meaning that it is a free standing right of individuals, even where that individual is in conflict with the organisation. Employers in particular have faced criticism from the ODPA where the employer has failed to properly respond to a DSAR from a hostile former employee on the grounds that the information was going to be used in legal proceedings.
When an organisation is considering the application of one or more exemption, the ODPA has stated that exemptions should be applied narrowly, to specific personal data in specific circumstances and should be carefully considered and their use fully justified.
All decisions to rely on an exemption should be documented and the organisation should be prepared to share that documentation with the ODPA if it is asked.
About Walkers’ Guernsey regulatory team
Walkers’ Guernsey regulatory team can advise on all aspects of Guernsey data protection, including data protection policies, procedures, privacy notices, data subject access requests and data protection audits.
We have a team of regulatory experts spanning all practice areas who regularly advise on all aspects of Guernsey regulation, including financial services, AML, sanctions, data protection, consumer protection, competition, tax, economic substance, FATCA and the CRS. Our team can also provide training to staff on a broad range of topic.
This article was updated on 28 November 2024.
