Any organisation that has received a subject access request (SAR) will know just what a nightmare dealing with it can be. As a reminder, any person has a right to require an organisation to provide details of the personal information which that organisation holds about that person by serving a SAR on that organisation. Whilst the organisation can charge the person up to £10 to deal with the SAR, this charge pales into insignificance when compared to the time cost of dealing with a SAR. There is added pressure on the organisation to get it right because about half the complaints to the Information Commissioner’s Office (ICO), the UK data protection law regulator, relate to SARs. Moreover, most of these complaints relate to the inadequacy or paucity of the personal information provided.
Given all this, it is hardly surprising that some organisations have adopted a “failsafe” approach to SARs and disclose absolutely everything to the person making the SAR. Good idea? Well, as it turns out, no.
In August, a GP practice was fined £40,000 by the ICO, not because it disclosed too little to the person making the SAR but because it disclosed too much to that person!
Briefly, the facts of the case were that a patient served a SAR on the GP practice. The GP practice responded by disclosing its entire patient file. Unfortunately for the GP practice, the file contained personal details of a vulnerable third party and also medical details of another patient.
To make matters even harder for an organisation, where personal data relates both to the person making the SAR and another individual, it is not the case that such personal data should automatically be withheld. Whether the organisation should disclose or not requires a difficult balancing act between the right of access of the person making the SAR and the other individual’s right to confidentiality.
We recently advised an organisation which faced such a difficult balancing act in relation to a SAR. Given the complexities of that particular matter, our client did exactly the right thing and asked us to consider each piece of personal data and make an objective decision as to what extent it was disclosable.
It will not always be the case that you need to get legal advice on every single piece of information. We can also help by providing general advice as to what you should consider in deciding whether personal data should be disclosed or not. In addition, we can also provide training on dealing with SARs. As you can see, it isn’t always crystal clear.
For further information, please contact Simon Bates on 0117 918 1210 or email@example.com