Whilst an individual has had the right to access data held about them for many years, the development of digital technology has led to a significant and rapid expansion in the nature and quantity of data processed in the workplace, which in turn makes responding to data subject access requests more complex and time-consuming.
The methods of sharing and storing data (such as via email) present a further challenge, since such data is often unorganised and may contain information about more than one individual.
Under Article 15 of the GDPR, individuals have the right to make a data subject access request (DSAR). Understanding whether you are processing personal data is vital to knowing whether GDPR applies to your various business activities.
Employers have a duty to facilitate the exercise of a DSAR, to handle the request fairly and transparently and to provide the information in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
What is Personal Data?
Personal data is information that relates to an identified or identifiable living individual (also referred to as a data subject) (Art.4, GDPR). What identifies an individual could be as simple as a name or number or could include other identifiers such as an IP address or a cookie identifier.
The issue of determining what constituted personal data was further explored in Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd. This case reiterated the fact that, if it is possible to identify an individual directly from the information you are processing, then it is likely that that information is personal data. If you cannot directly identify the individual from that information, you still must consider whether the individual is identifiable. This is because if cumulative pieces of data are taken together, it may be possible to identify an individual. If the individual can be identified, directly or indirectly, it is only personal data if it ‘relates to’ the individual concerned. Even inaccurate information about an individual is personal data.
It is important to remember that the concept of what constitutes personal data is not static. Its scope has developed over the years and the Courts, EU and the Information Commissioner's Office all have various interpretations of the term.
Personal data may include:
- Expressions or opinions about the individual and any suggestion of the intentions of another person in relation to the individual
- Personal details about the individual
- Information that focuses and affects the individual
However, any information that is:
- Truly anonymous
- About a deceased person
- About companies
- About public authorities
is not considered to be personal data and is therefore not covered by GDPR.
Simply because an individual’s name is mentioned in a document does not automatically render that document to be that individual’s personal data. There is a requirement for something more. The Court of Appeal in Ittihadieh agreed with a narrower approach in line with the earlier case Durant v FSA. There will certainly be circumstances where it will be difficult to determine whether the data is personal data.
Meaning of ‘relates to’
For data to relate to an individual, it must do more than simply identify them; the data must concern the individual in some way. Data can reference an identifiable individual and still not be personal data about that individual, if the information does not relate to them.
Consider if information needs redacting or needs to be disclosed. Is it personal data which relates to other individuals but does not relate to the employee? Is it personal data which is information about the employee but also contains personal data about another individual? For example, if it is an email from one individual to another commenting on the poor performance of the employee then that email will be deemed to contain personal data about the employee, but also about the person making the comments.
If more than one individual’s personal data is involved, then ideally you should seek consent from the other individual before disclosing that information. You are not obliged to seek the other individual’s consent if it is reasonable to disclose the information without it. If consent is granted, you must disclose the information. If you do not have the other individual’s consent, and you do not believe it is reasonable to act without consent, then consider whether you can redact the information.
Additionally, legally privileged documents do not need to be disclosed; this forms one of the many exemptions to a DSAR under the GDPR. The same applies where personal data is processed for the purposes of management forecasting or management planning in relation to business planning.
Identifiers and related factors
An individual is identified or identifiable if they are distinguishable from other individuals. The GDPR provides a non-exhaustive list of identifiers, which include:
- Identification number
- Location data
- An online identifier (e.g. cookie identifiers or IP addresses)
- Any other factor that can identify an individual (e.g. physical, physiological, genetic, mental, economic, cultural or social identity of that natural person)
A combination of identifiers may be needed to identify an individual. Even if you need additional information to be able to identify someone, they may still be identifiable. When considering whether individuals can be identified, you may have to assess the means that could be used by an interested and sufficiently determined person. There is a continuing obligation to consider whether the likelihood of identification has changed over time (e.g. with technological developments).
- As a matter of good practice, employers are encouraged to treat the information with care, ensure that they have a clear purpose for processing the applicable data and to the best of their abilities guarantee that the data is held and disposed of securely.
- Employers should try to reduce the amount of data that they hold. Having a robust system in place, allowing for the retention and deletion of documents will substantially reduce the number of emails and other documents to review.
- Employers should ensure the person responsible for conducting the search fully understands the definition, meaning and parameters of what constitutes personal data. This reduces the risk of non-disclosure and substantially increases the speed at which a DSAR is dealt with.
- Try to narrow the scope of the request. If the scope of the request is not clear, ask the data subject what specifically they want or whether it can be narrowed.
- Employers need to allow themselves time to conduct the search, make any redactions and to send out the response.
- Consider whether any of the many exemptions in the GDPR apply.
Coming up next
Our next article in the DSAR mini-series will focus on what to do with third party data and how to properly redact data.