COVID-19 Practical Considerations: Responding to Data Subject Access and FOI Requests
While organisations are being forced to significantly adapt the way they conduct business, certain regulatory and statutory timeframes continue to apply unchanged.
This briefing considers the recent guidance of the Data Protection Commission (“DPC”) on how organisations should respond to data subject access requests, and that of the Freedom of Information Central Policy Unit of the Department of Public Expenditure and Reform (the “FOI Unit”) on the handling of FOI requests.
As the situation around COVID-19 evolves daily, it is imperative to keep abreast of up-to-date guidance from these and other relevant bodies.
Subject Access Requests
Article 12(3) of the General Data Protection Regulation (“GDPR”) requires data controllers to provide a response to a data subject access request within one month of receipt. This deadline can be extended by up to two further months as needed, having regard to the complexity and number of requests.
In normal circumstances, providing a timely and complete response to an access request can require significant resources and extensive record review. This is made all the more challenging when organisations that are not classified as “essential services” are working remotely or are closed, such that they do not have the same level of access to records, or the same ability to effectively and efficiently communicate with the relevant data custodians.
Although the DPC has confirmed that the one-month deadline cannot be changed as it is set down in law, it has pragmatically recognised that “unavoidable delays may arise as a direct result of the impacts of COVID-19.”
Any organisation facing difficulties in processing access requests should consider the following key points from the DPC’s recent guidance.
Engage with the Data Subject
Organisations should proactively engage with the requester to communicate the difficulties that they are experiencing and to keep them informed of how they are handling their request.
We would also suggest that organisations ask data subjects to specify the personal data that they would like to access if they did not provide this information in their original request. By asking data subjects to specify the relevant date ranges, types of record and subject matter that they are interested in, organisations can ensure that resources are appropriately allocated, while simultaneously providing the data subject with a meaningful and timely response.
Respond in Stages
Organisations should also consider if it is possible to respond to the request in part. For instance, if offices are temporarily closed, the request could be actioned insofar as certain data is available electronically. This can then be followed with hard copy data as soon as possible thereafter.
When an organisation receives a request, we would suggest that it quickly establishes its current capabilities and evaluates the progress that it can make in the coming days, weeks and months, before communicating its intentions to the requester. Given the ever-changing circumstances faced by organisations, we would caution against committing to definitive dates for a response.
To avoid a data breach, organisations should also ensure that they have the means to securely respond to an access request (e.g. by way of a password-protected electronic file, or by providing remote access to a secure system as expressly encouraged by Recital 63 of the GDPR), and that they have the correct email address of the requester, before issuing a copy of the requester’s data. If a requester specifically asks for their data in hard copy, we would suggest doing so once this is possible, while sending an electronic copy in the interim with a reassurance that a hard copy will follow.
If offices are closed and the organisation has no means of accessing physical or electronic data relating to the request, it must be processed as soon as possible thereafter. In the event of any delays, organisations should ensure that they record the reasons for such delays, and that the individual is kept appropriately informed.
Helpfully, the DPC has confirmed that it will take into consideration any “organisation specific extenuating circumstances” if a complaint is brought to the DPC in respect of a data controller’s response.
Freedom of Information Requests
Under section 13 of the Freedom of Information Act 2014 (the “2014 Act”), FOI bodies are required to respond to FOI requests within 4 weeks of receiving such requests. In its recent guidance, the FOI Unit has made it clear that, notwithstanding the current challenges faced by FOI bodies, “a decision should issue within the statutory timeframes” as there is no scope for an extension under the 2014 Act due to office closures on health and safety grounds.
As it stands, an FOI body may only extend the response period by up to 4 weeks under section 14 of the 2014 Act if “compliance is not reasonably possible” due to the number of records to which the request relates, or where a number of similar requests have already been made in respect of which a decision has not yet been reached.
With that context, FOI bodies should be mindful of the following key points from the FOI Unit’s guidance.
Organisations must make arrangements to ensure that any requests received by email or post are appropriately monitored and actioned.
The FOI Unit has accepted that it could be argued that a request cannot be “received” by an FOI body in the event that postal collections and deliveries are suspended. However, it has encouraged FOI bodies to facilitate requests by electronic means. In this regard, FOI bodies should update their websites to inform requesters that all requests should be made by email to a specified email address, with a disclaimer (as appropriate) that its normal FOI services may be disrupted due to office closures, reduced staffing, remote working, the prioritisation of critical functions, etc.
Engaging with the Requester
If an FOI body can effectively process a request by way of remote working, the FOI body should issue a response within 4 weeks as normal. To the extent that any relevant information can be provided, FOI bodies should endeavour to provide it in the interests of avoiding any inconvenience to the requester. If it is not possible to access certain records, it should be made clear to the requester that certain searches were not conducted and an explanation should be provided.
Unlike the DPC, the FOI Unit has not endorsed the concept of a “partial” response, adopting an “all-or-nothing” approach. However, it has encouraged bodies to ask the requester to: (i) limit the scope of their request; or (ii) withdraw their request with an option to re-submit it at a later date.
As an independent appeals body, the Office of the Information Commissioner has not issued any guidance as to whether it will account for extenuating circumstances in considering any appeal in relation to a delayed or insufficient response. As such, FOI bodies must operate on the presumption that the same standards will continue to apply.
If All Else Fails, Refuse the Request?
Although FOI bodies cannot extend the deadline or provide a partial response to an FOI request, the FOI Unit has noted that requests may be refused on administrative grounds under section 15 of the 2014 Act.
Section 15(1)(a) provides that a request may be refused where “the record concerned does not exist or cannot be found after all reasonable steps to ascertain its whereabouts have been taken.” The FOI Unit has indicated that limited access to records in the context of the COVID-19 pandemic may be considered in evaluating what steps are “reasonable” in the circumstances.
Section 15(1)(c) may also be pertinent for critical services organisations. It permits the refusal of a request where, “by reason of the number or nature of the records concerned or the nature of the information concerned,” a response would cause “substantial and unreasonable interference with or disruption of work (including disruption of work in a particular functional area).”
Given the relative inflexibility of the FOI regime, organisations should carefully balance the benefits and risks of: (i) negotiating the request; (ii) postponing the request; and (iii) refusing the request. Among other things, many bodies may want to avoid creating a backlog of requests, such that it would be advisable to action all requests to the greatest extent possible.
Where organisations are eager to accede to a request but are unable to do so within the usual timeframe, they may want to consider the merit of providing records on an entirely voluntary basis outside of the 2014 Act, in the interests of complying with the spirit of the legislation.
We would like to thank Sonam Gaitonde for her contribution to this article.