Complying with Subject Access Requests & other rights
We appreciate that many organisations, especially frontline and critical services organisations such as healthcare and social services, may need to divert resources to priority work areas, with consequential impacts on other areas such as the handling of data subject requests.
Emergency Powers legislation has given additional powers to Tynwald, the police and government departments to manage the COVID-19 crisis, protect the public, maintain essential public services and implement assistance packages for businesses, etc.
Other existing legislation and legal obligations continue to apply and all the provisions obliging controllers to comply with the rights of individuals (including the right of access – ‘subject access requests’) in accordance with Article 12 (modalities for complying with rights) are unchanged.
The following applies to requests made on or after 11 March 2020 (the date on which the World Health Organisation categorised COVID-19 as a pandemic) until working restrictions implemented under Emergency Powers are lifted in the Island.
Complying with requests
We believe that controllers will generally continue to comply with their statutory obligations to the best of their abilities during the COVID-19 crisis and will evidence the actions they have taken.
Controllers should, in any event, be able to demonstrate the action taken to comply with requests and may wish to note the following recommendations:
- Records demonstrating the actions taken to comply with the request, including dates and times of actions
- Open channels of communication with the data subject, perhaps enquiring whether there is specific information they need at this time (we anticipate that most people will be understanding and co-operative)
- A log of the conversations or correspondence with the data subject
- Do not request information to identify the data subject unless you need to. You must be able to demonstrate why you were not in a position to identify them.
- A copy of photographic ID at the outset of the request, for example, is of little use unless you can compare it to the person making the request or already have a photograph for comparison.
In the current circumstances, you may also be putting individuals at unnecessary risk of infection if they are required to go out to copy documents, post information to you, or bring a copy of ID to your premises. Individuals may also be subject to isolation rules and be unable to go out at all.
- Do not ask about the reasons for making the request; it is irrelevant.
Any organisation experiencing difficulties in responding to requests should actively communicate with the individual concerned and consider whether it is possible to respond to requests in stages. For example, an organisation whose staff are working remotely may have difficulties in accessing hard copy records. In this case, it may be possible to provide the requester with electronic records, with hard copies provided at a later stage.
Where an organisation cannot respond to a request in full or in part within the statutory timelines during the COVID-19 crisis, it remains under an obligation to do so and should ensure that the request is actioned as soon as possible. Although the Applied GDPR provides for an extension of two months to respond to a request, this only applies where it is "necessary" to do so, taking into account the complexity and number of requests. For accountability and transparency purposes, the reasons for not complying with the timelines should be documented by the organisation and clearly communicated to the affected individuals.
However, where controllers simply 'decide' to ignore their statutory obligations, this may be considered an intentional infringement of the data protection law. Guidance on the powers of the Commissioner, and relevant offences, is available on the website.
There is guidance about complying with the rights of individuals on the website at: https://inforights.im/organisations/data-protection-law-2018/rights/
Information about exercising rights during the COVID-19 crisis has been provided for the public.
Complaints to the Commissioner
The statutory obligations cannot be waived, but a pragmatic, realistic approach will be taken by the Commissioner if complaints are received regarding compliance with requests exercising rights received by controllers on or after 11 March 2020 (the date on which the World Health Organisation categorised COVID-19 as a pandemic) until working restrictions implemented under Emergency Powers are lifted in the Island. In particular, this applies to controllers providing direct frontline services to assist the public where the staff and resources, usually dedicated to compliance with rights, are diverted away from those normal duties.
Any complaint must, however, be considered on its merits and a controller’s efforts in complying with its statutory obligations will, together with any extenuating circumstances, be taken into account. It is important, therefore, that controllers can demonstrate the action taken on the request.