Failing to comply with a subject access request (SAR) can be both financially and reputationally damaging. In August 2016, the ICO issued a fine of £40,000 to a GP practice following a SAR from a father who submitted the request on behalf of his son, asking for details of his son’s medical records.
In preparing its response, the surgery disclosed personal details including those of the child’s mother, who was estranged from the father. This was in spite of explicit instructions to the surgery from the mother to protect her details from the father.
The ICO’s investigation found the GP practice had insufficient systems in place to guard against releasing personal data to people who were not entitled to see it – a breach of data protection legislation itself. The fine was limited to £40,000 because the practice’s partners would be individually liable – most organisations would expect to receive a much larger penalty.
Getting SAR responses wrong is not the only basis upon which an organisation can be subject to attention from the ICO – failing to respond may also result in sanctions. In the past year, data controllers as diverse as Nottingham Forest Football Club and Poundstretcher have been ordered to respond to SARs after the ICO ruled that there had been a failure to comply.
The increase in enforcement action is a likely consequence of an increased exercise of SAR rights, as well-publicised data security breaches raise public interest in how and why personal data is processed.
Under the General Data Protection Regulation (GDPR), the changes include the removal of the £10 fee for making a SAR, and the time for responding is generally reduced from the present 40 days to one month.
Supplementary information, including details of any international data transfers and envisaged retention periods, must also be provided to a requestor. This in itself should prompt data controllers to review their existing records retention policies, bearing in mind that data should not be kept for longer than is necessary for the purposes for which it is held.
Given the ICO’s powers to fine data controllers when SARs are incorrectly handled, the more onerous obligations for dealing with requests, and the other privacy obligations introduced when the GDPR commences in May 2018, organisations processing personal data need to review and audit their existing handling procedures without delay to ensure compliance with both the current and the new regimes.
The most serious violations of the GDPR could lead to fines of up to €20 million, or 4 per cent of global turnover. Given the reputational risks at stake alone, board level awareness of the need to ensure GDPR compliance, including in relation to subject access, should be a key priority for any organisation handling personal data.
James McGachie is legal director at DLA Piper’s Litigation and Regulatory practice