Subject Access Requests & other rights
Do the timelines for responding to subject access requests still apply where an organisation is temporarily closed or capacity to handle requests is curtailed because of COVID-19?
We acknowledge the significant impact the Covid-19 health crisis may have on organisations’ ability to respond to requests from individuals exercising any of their rights, including subject access requests. While the timelines for responding to requests from individuals are set down in law and can’t be changed, we recognise that unavoidable delays may arise as a direct result of the impacts of COVID-19.
Advice for Individuals
Members of the public should appreciate that front-line and critical services organisations such as healthcare providers, government departments, in particular the Department of Health and Social Care, The Treasury and The Isle of Man Constabulary, may need to divert resources to priority work areas with consequential impacts on other areas such as the handling of access requests.
Educational bodies and private sector organisations may be closed or have reduced capacity so that responding to requests may be significantly delayed.
- We ask you to bear this in mind in the event that you experience any such understandable delays when dealing with these organisations or considering making a complaint to the Commissioner.
- We also ask you to consider being as specific as possible in relation to the personal data you wish to access if you need to make a request.
Guidance on making requests can be found at: https://inforights.im/individuals/data-protection/how-to-exercise-your-rights/
If you need to make a complaint to the Commissioner, the facts of each case, including any organisation specific extenuating circumstances, will be fully taken into account.
Advice for organisations
We appreciate that many organisations, especially frontline and critical services organisations such as healthcare and social services may need to divert resources to priority work areas with consequential impacts on other areas such as the handling of access requests. We recognise the unprecedented challenges facing organisations and the need for a proportionate regulatory approach in response to these extraordinary circumstances.
Organisations experiencing difficulties in actioning requests should consider whether it is possible to respond to requests in stages. For example, an organisation whose staff are working remotely may have difficulties in accessing hard copy records. In this case, it may be possible to provide the requester with electronic records, with hard copies provided at a later stage. Organisations should communicate clearly with the individuals concerned. Organisations may also want to engage with individuals in order to ensure that the request is as specific as possible in relation to the personal data sought.
Where an organisation, due to the impact of COVID-19, cannot respond to a request in full or in part within the statutory timelines, they remain under an obligation to do so and should ensure that the request is actioned as soon as possible. Although the Applied GDPR provides for an extension of two months to respond to a request, this is where it is "necessary" to do so, taking into account the complexity and number of requests. For accountability and transparency purposes, the reasons for not complying with the timelines should be documented by the organisation and clearly communicated to the affected individuals.
Any organisation experiencing difficulties in responding to requests should communicate with the individuals concerned about the handling of their request, including any extension to the period for responding (if this can be applied) and the reasons for the delay in responding.
The statutory obligations cannot be waived, but, should a complaint be made to the Commissioner, the facts of each case including any organisation specific extenuating circumstances will be fully taken into account.
Guidance on complying with requests exercising any right, including subject access requests is available at: https://inforights.im/organisations/data-protection-law-2018/rights/