Requests for access to personal data (subject access requests, or SARs) could come from clients or third parties. Police Scotland, and other investigatory bodies, can also make requests using a power under data protection laws. An individual is entitled to a copy of the personal data that you hold about them but there are limits to that right. Police Scotland is entitled to request information without a warrant but if this contains personal data then you must decide whether or not you can provide them with the information.

Almost half of the complaints that the ICO receives concern SARs and so it is an area of concern for members of the public and the ICO. The obligations introduced under the GDPR were greater and the timescales for compliance were shortened.

Clients and third parties – subject access requests

Under data protection laws, an individual can ask for a copy of their own personal data and information about how it is being processed. Before you provide that information, you should be satisfied about the identity of that individual and you can ask for verification before dealing with the request if that is necessary. A copy of the personal data and the information must be provided without charge and if the request was made electronically, then it should be responded to electronically. Requests do not require to be made in writing. 

You are expected to respond to the request without undue delay, and within one month of the request being made. Therefore, the deadline falls on the calendar day a month after it was received. It is possible to extend this deadline if the request is complex or your receive high number of requests.

In rare cases you can either charge for sending a copy of the personal data or refuse to provide it, if the requests is manifestly unfounded or excessive. Manifestly unfounded refers to the reason for the request and if it is clear that the individual making request has no intention of exercising this right but is using it as a bargaining tool or to disrupt the business. If could also apply if the individual is making unsubstantiated accusations against you or another employee or where an employee is being targeted where there is a clear grudge. Excessive refers to related requests asking for the same information over and over.

In relation to clients, the process may be relatively straightforward, although you should consider whether they are entitled to all the personal data in their file which relates to other people and whether any other exemptions apply. See the ICO’s website for a fuller summary of the exemptions.

However, dealing with requests made by third parties i.e. non-clients is likely to be more difficult. You should not disclose any information which is legally privileged, but that exemption is not likely to apply to everything in your file. In relation to the other information in your file, you must consider whether it is the personal data of the requester and/or the personal data of your client or another third party. Sometimes personal data can relate to more than one person. If it is the personal data of another individual, then you must consider whether:

  • The other individual has consented to the disclosure, or
  • Whether even without consent, it is reasonable in all the circumstances to comply with the request

You should consider the impact on the individual if the information is disclosed and in particular if your client expects that information that they provided will remain confidential. Although there is still balancing exercise to be made between the right to access to information and the right to privacy, client confidentiality is likely to weigh heavily in favour or withholding the information.

The ICO encourages data controllers to speak to the requester to try and identify the information that they are actually interested in:
“We consider it good practice for you to engage with the applicant, having an open conversation about the information they require. This might help you to reduce the costs and effort that you would otherwise incur in searching for the information.”
However, if the requester asks for access to all the personal data you hold about them, you are obliged to provide it subject the exemptions mentioned here.

It is important to note that the individual is entitled to the information held about them but not necessarily a copy of the actual document containing the information.

Other data subject rights

The UK GDPR provides other rights to data subjects as follows:

  • The right to rectification: if personal data is inaccurate or incomplete then the data subject can ask for it to be changed or added to. Sometimes this involves recording that the data subject has a different opinion rather than changing another opinion.
  • The right to erasure: in limited circumstances the data subject has the right to have personal data deleted, but only if the controller should not have had it in the first place or where the personal data is no longer necessary for the controller’s original purpose.
  • The right to object: in limited circumstances a data subject can object to the processing of their personal data and the controller has to weigh up their interests against the objection. Individuals have an absolute right to object to direct marketing.
  • In certain limited circumstances where there is a dispute about the processing, the data subject can ask that it is not further processed until the dispute is resolved.
Requests from other organisations for personal data

These requests are most likely to be made by the police or other investigatory bodies for the prevention and detection of crime or to help them to apprehend or prosecute offenders. Law firms are not obliged to comply with such a request, which does not have the status of a warrant or court order. Client confidentiality must always be considered in relation to both types of request.

Organisations such as other law firms may also request personal data that they believe they are entitled to. This is because they believe that the data is necessary for legal proceedings or to obtain legal advice, or to establish, exercise or defend legal rights. This can include requests from organisations seeking to recover debts. Again, law firms are not obliged to comply with such a request, which does not have the status of a warrant or court order.